Vulnerabilities in Palo Alto Networks and SonicWall VPN Clients Allow Remote Code Execution
2024-12-04
Need some ammo against Palo Alto Networks and SonicWall? This article is for you!
The article discusses vulnerabilities in Palo Alto Networks and SonicWall VPN clients, which can be exploited to execute remote code on Windows and macOS systems. These flaws allow attackers to manipulate VPN client behavior and execute commands by exploiting the trust placed in servers. The vulnerabilities include insufficient certificate validation and improper handling of client updates, potentially leading to privileged code execution. Palo Alto Networks and SonicWall have released patches to address these issues, emphasizing the importance of updating to the latest versions to prevent possible exploitation.
Privilege Escalation, Patch Management, Other: VPN Client Vulnerability
Palo Alto Networks, SonicWall, VPN Vulnerability, Remote Code Execution, NachoVPN
Palo Alto Networks GlobalProtect, SonicWall SMA100 NetExtender
Exploited Flaws in Popular VPN Clients
Cybersecurity experts have identified vulnerabilities in Palo Alto Networks and SonicWall VPN clients that could be exploited for remote code execution on Windows and macOS systems. These vulnerabilities target the implicit trust VPN clients have in servers, allowing attackers to manipulate client behavior with minimal effort.

Attack Scenario
An attacker could set up a rogue VPN server that tricks the clients into downloading malicious updates. This can lead to unintended consequences, such as executing arbitrary commands and gaining high-level access. Researchers have developed a proof-of-concept tool called NachoVPN to simulate these rogue servers and exploit the vulnerabilities.

Identified Vulnerabilities
CVE-2024-5921: This vulnerability affects Palo Alto Networks GlobalProtect for Windows, macOS, and Linux. It involves insufficient certificate validation, allowing connections to arbitrary servers and potential deployment of malicious software. The issue is addressed in version 6.2.6 for Windows.
CVE-2024-29014: This affects the SonicWall SMA100 NetExtender Windows client. The flaw allows arbitrary code execution during an End Point Control (EPC) Client update. It impacts versions 10.2.339 and earlier, with a fix provided in version 10.2.341.

Attack Details
For Palo Alto Networks GlobalProtect, an attacker needs local user access or to be on the same subnet to install malicious root certificates. This could enable the app to steal VPN credentials, execute code with elevated privileges, and facilitate further attacks. Similarly, for SonicWall NetExtender, an attacker can trick users into connecting to a malicious VPN server and deliver a counterfeit EPC update signed with a stolen certificate to execute code with SYSTEM privileges.

Exploitation Techniques
Attackers can exploit a custom URI handler to make the NetExtender client connect to their server. Users only need to visit a malicious website, accept a browser prompt, or open a malicious document for the attack to succeed.

Recommendations
Although there is no evidence of these vulnerabilities being exploited in the wild, users of Palo Alto Networks GlobalProtect and SonicWall NetExtender are advised to apply the latest patches to protect against potential threats.
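To act on the patch advice, the following added example (not code from the article or from either vendor) checks a client inventory against the version numbers given above. The CSV layout, host names and status labels are assumptions made for illustration; where the article states no fix version or affected range, the check reports that instead of guessing.

```python
import re

# Version facts below come from the article; hosts and inventory rows are constructed.
# (product, platform) -> (last version stated as affected, first fixed version)
RULES = {
    ("netextender", "windows"): ((10, 2, 339), (10, 2, 341)),
    # Only the fixed Windows version is given; no affected range is stated.
    ("globalprotect", "windows"): (None, (6, 2, 6)),
}

SAMPLE_INVENTORY = """\
ws-014,NetExtender,Windows,10.2.339
ws-022,NetExtender,Windows,10.2.341.0
ws-031,GlobalProtect,Windows,6.2.4
mac-007,GlobalProtect,macOS,6.2.5
ws-051,NetExtender,Windows,10.2.340
"""

def parse_version(text):
    """'10.2.341.0' -> (10, 2, 341); returns None when no leading number exists."""
    m = re.match(r"\d+(?:\.\d+)*", text.strip())
    if not m:
        return None
    parts = [int(p) for p in m.group(0).split(".")]
    while len(parts) > 1 and parts[-1] == 0:  # so 6.2.6.0 compares equal to 6.2.6
        parts.pop()
    return tuple(parts)

def classify(product, platform, version):
    rule = RULES.get((product.strip().lower(), platform.strip().lower()))
    v = parse_version(version)
    if rule is None or v is None:
        return "unknown"      # no fix version known for this client/platform
    last_affected, first_fixed = rule
    if v >= first_fixed:
        return "patched"
    if last_affected is None:
        return "below-fix"    # older than the fix, affected range not stated
    return "affected" if v <= last_affected else "unknown"

def audit(inventory_csv):
    """Return (host, status) for every row that is not confirmed patched."""
    findings = []
    for line in filter(str.strip, inventory_csv.splitlines()):
        host, product, platform, version = [f.strip() for f in line.split(",")]
        status = classify(product, platform, version)
        if status != "patched":
            findings.append((host, status))
    return findings
```

Rows reported as "unknown" (a platform with no fix version listed above, or a NetExtender build between 10.2.339 and 10.2.341) need a manual check against the vendor advisory.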
https://thehackernews.com/2024/12/nachovpn-tool-exploits-flaws-in-popular.html?m=1