Cloud Vulnerability DB
An open project to list all known cloud vulnerabilities and Cloud Service Provider security issues
Vulnerability DatabaseCVE-2024-9473
CVE-2024-9473:
Palo Alto Networks GlobalProtect Agent vulnerability analysis and mitigation
Overview
A privilege escalation vulnerability (CVE-2024-9473) was discovered in the Palo Alto Networks GlobalProtect app on Windows. The vulnerability allows a locally authenticated non-administrative Windows user to escalate their privileges to NT AUTHORITY/SYSTEM through the use of the repair functionality offered by the .msi file used to install GlobalProtect. The vulnerability was discovered by Michael Baer of SEC Consult Vulnerability Lab and Marc Barrantes of KPMG Spain, and was publicly disclosed on October 9, 2024 (Palo Advisory, SEC Consult).
Technical details
The vulnerability exists in the MSI installer configuration of GlobalProtect. When using the repair function of msiexec.exe, the installer spawns a subprocess called PanVCrediChecker.exe with SYSTEM privileges, which interacts with the file libeay32.dll in the program files directory. The vulnerability has been assigned a CVSS v4.0 Base Score of 5.2 (MEDIUM) with the vector string CVSS:4.0/AV:L/AC:L/AT:P/PR:L/UI:N/VC:N/VI:L/VA:N/SC:H/SI:H/SA:H/AU:N/R:U/V:C/RE:M/U:Amber. The weakness is classified as CWE-250 (Execution with Unnecessary Privileges) (Palo Advisory).
Impact
If exploited, this vulnerability allows a local, low-privileged attacker with GUI access to escalate their privileges to SYSTEM level, effectively gaining complete control over the affected system. The vulnerability affects multiple versions of GlobalProtect, including versions 5.1.x, 5.2.x, 6.0.x, 6.1.x, versions prior to 6.2.5, and 6.3.x (SEC Consult).
Mitigation and workarounds
The vulnerability has been fixed in GlobalProtect app version 6.2.5. For users unable to update immediately, a workaround involves updating the Windows registry to disable all MSI installations system-wide using the command: reg add "HKEYLOCALMACHINE\Software\Policies\Microsoft\Windows\Installer" /v DisableMSI /t REG_DWORD /d 2 /f. However, this workaround will affect all MSI operations across the system. Note that version 5.2.x is end-of-life and will not receive a patch (Palo Advisory).
Additional resources
Source: This report was generated using AI
Free Vulnerability Assessment
Benchmark your Cloud Security Posture
Evaluate your cloud security practices across 9 security domains to benchmark your risk level and identify gaps in your defenses.
Get a personalized demo
Ready to see Wiz in action?
“Best User Experience I have ever seen, provides full visibility to cloud workloads.”
David EstlickCISO
“Wiz provides a single pane of glass to see what is going on in our cloud environments.”
Adam FletcherChief Security Officer
“We know that if Wiz identifies something as critical, it actually is.”
Greg PoniatowskiHead of Threat and Vulnerability Management