CVE-2024-9473: GlobalProtect App: Local Privilege Escalation (PE) Vulnerability (Severity: MEDIUM)
First published: Wed Oct 09 2024(Updated: )
A privilege escalation vulnerability in the Palo Alto Networks GlobalProtect app on Windows allows a locally authenticated non-administrative Windows user to escalate their privileges to NT AUTHORITY/SYSTEM through the use of the repair functionality offered by the .msi file used to install GlobalProtect.
Credit: psirt@paloaltonetworks.com
| Affected Software | Affected Version | How to fix |
|---|---|---|
| Palo Alto Networks GlobalProtect Windows | >=5.1<6.2.5 | |
| Palo Alto Networks GlobalProtect Windows | =6.3.0 | |
| Palo Alto Networks GlobalProtect Windows | =6.3.1 | |
| All of | ||
| Palo Alto Networks GlobalProtect UWP App | =6.1.5<6.0.10-c823=6.0<6.1.4-c720=6.1<6.2.5=6.2<6.3.1-c383=6.3 | 6.0.10-c823 6.1.4-c720 6.2.5 6.3.1-c383 |
| Microsoft Windows | * |
Remedy
This issue is fixed in GlobalProtect app 6.2.5, and will be fixed in the remaining supported versions of GlobalProtect app listed in the Product Status section. Updates will be published to this advisory as they become available. Customers who want to upgrade should reach out to customer support at https://support.paloaltonetworks.com .
Remedy
Update the Windows registry on endpoints with an affected version of GlobalProtect to disable all MSI installations (not just GlobalProtect installations). This change is system-wide, so it will affect all users of the system including administrators. The following command will update the registry on an endpoint to disable the repair functionality of any MSI file. It will also prevent using MSI files to install, re-install, or uninstall software. This command must be run with administrative privileges. reg add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Installer" /v DisableMSI /t REG_DWORD /d 2 /f Be aware that this will fully prevent use of all MSI files, thereby blocking common IT operations such as software deployments typically done by endpoint management solutions that use MSI files to perform the installations. Use caution before updating this value in the registry. After setting DisableMSI to 2, this value will need to be either deleted or changed to another value in order to use any MSI files. For more information, please see https://learn.microsoft.com/en-us/windows/win32/msi/disablemsi.
Remedy
This issue is fixed in GlobalProtect app 6.0.10-c823, GlobalProtect app 6.1.4-c720, GlobalProtect app 6.2.5, GlobalProtect app 6.3.1-c383, and will be fixed in the remaining supported versions of GlobalProtect app listed in the Product Status section. Updates will be published to this advisory as they become available. Customers who want to upgrade should reach out to customer support at https://support.paloaltonetworks.com.
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
Frequently Asked Questions
What is the severity of CVE-2024-9473?
CVE-2024-9473 is a critical privilege escalation vulnerability that can allow a non-administrative user to gain NT AUTHORITY/SYSTEM privileges.
How do I fix CVE-2024-9473?
To mitigate CVE-2024-9473, it is recommended to upgrade the Palo Alto Networks GlobalProtect app to the latest version that addresses this vulnerability.
Which versions of Palo Alto Networks GlobalProtect are affected by CVE-2024-9473?
CVE-2024-9473 affects Palo Alto Networks GlobalProtect versions from 5.1 to 6.2.5 and specifically includes versions 6.3.0 and 6.3.1.
Can CVE-2024-9473 be exploited remotely?
No, CVE-2024-9473 can only be exploited by a locally authenticated user on a Windows system.
What types of systems are vulnerable to CVE-2024-9473?
CVE-2024-9473 specifically affects the Palo Alto Networks GlobalProtect app installed on Windows operating systems.
- agent/weakness
- agent/type
- agent/description
- agent/author
- agent/references
- collector/mitre-cve
- source/MITRE
- agent/last-modified-date
- collector/paloaltonetworks-latest
- source/Palo Alto Networks
- agent/title
- agent/severity
- agent/remedy
- agent/event
- agent/first-publish-date
- agent/trending
- agent/epss
- collector/epss-latest
- source/FIRST
- agent/source
- collector/nvd-api
- source/NVD
- agent/software-canonical-lookup
- agent/software-canonical-lookup-request
- agent/tags
- agent/softwarecombine
- collector/paloaltonetworks-api
- vendor/paloaltonetworks
- canonical/palo alto networks globalprotect windows
- version/palo alto networks globalprotect windows/5.1
- version/palo alto networks globalprotect windows/6.3.0
- version/palo alto networks globalprotect windows/6.3.1
- vendor/palo alto networks
- canonical/palo alto networks globalprotect uwp app
- version/palo alto networks globalprotect uwp app/6.1.5
- version/palo alto networks globalprotect uwp app/6.0
- version/palo alto networks globalprotect uwp app/6.1
- version/palo alto networks globalprotect uwp app/6.2
- version/palo alto networks globalprotect uwp app/6.3
- vendor/microsoft
- canonical/microsoft windows