Vulnerabilities > CVE-2020-1988 - Unquoted Search Path or Element vulnerability in Paloaltonetworks Globalprotect

CVSS 7.2 - HIGH

Attack vector

LOCAL

Attack complexity

LOW

Privileges required

NONE

Confidentiality impact

COMPLETE

Integrity impact

COMPLETE

Availability impact

COMPLETE

local

low complexity

paloaltonetworks

CWE-428

nessus

NVD

Published: 2020-04-08

Updated: 2020-04-09

Summary

An unquoted search path vulnerability in the Windows release of Global Protect Agent allows an authenticated local user with file creation privileges on the root of the OS disk (C:\) or to Program Files directory to gain system privileges. This issue affects Palo Alto Networks GlobalProtect Agent 5.0 versions before 5.0.5; 4.1 versions before 4.1.13 on Windows;

Vulnerable Configurations

Part	Description	Count
Application	Paloaltonetworks Paloaltonetworks Globalprotect 4.1.0 Paloaltonetworks Globalprotect 4.1.12 Paloaltonetworks Globalprotect 5.0.0 Paloaltonetworks Globalprotect 5.0.3	4

Common Weakness Enumeration (CWE)

CWE-428 - Unquoted Search Path or Element

Common Attack Pattern Enumeration and Classification (CAPEC)

Leveraging/Manipulating Configuration File Search Paths
This attack loads a malicious resource into a program's standard path used to bootstrap and/or provide contextual information for a program like a path variable or classpath. J2EE applications and other component based applications that are built from multiple binaries can have very long list of dependencies to execute. If one of these libraries and/or references is controllable by the attacker then application controls can be circumvented by the attacker. A standard UNIX path looks similar to this If the attacker modifies the path variable to point to a locale that includes malicious resources then the user unwittingly can execute commands on the attackers' behalf: This is a form of usurping control of the program and the attack can be done on the classpath, database resources, or any other resources built from compound parts. At runtime detection and blocking of this attack is nearly impossible, because the configuration allows execution.

Nessus

NASL family	Windows
NASL id	PALO_ALTO_GLOBALPROTECT_AGENT_CVE-2020-1988.NASL
description	The version of Palo Alto GlobalProtect Agent installed on the remote Windows host is 4.1.x prior to 4.1.3, or 5.0.x prior to 5.0.5. It is, therefore, affected by a privilege escalation vulnerability due to a problem with the file creation permission on the OS disk. An authenticated, local attacker can exploit this to gain system privileges. Note that Nessus has not tested for this issue but has instead relied only on the application
last seen	2020-04-30
modified	2020-04-22
plugin id	135898
published	2020-04-22
reporter	This script is Copyright (C) 2020 and is owned by Tenable, Inc. or an Affiliate thereof.
source	https://www.tenable.com/plugins/nessus/135898
title	Palo Alto GlobalProtect Agent 4.1.x < 4.1.13 / 5.0.x < 5.0.5 Privilege Escalation
code	# # (C) Tenable Network Security, Inc. # include('compat.inc'); if (description) { script_id(135898); script_version("1.2"); script_set_attribute(attribute:"plugin_modification_date", value:"2020/04/23"); script_cve_id("CVE-2020-1988"); script_xref(name:"IAVA", value:"2020-A-0137"); script_name(english:"Palo Alto GlobalProtect Agent 4.1.x < 4.1.13 / 5.0.x < 5.0.5 Privilege Escalation"); script_set_attribute(attribute:"synopsis", value: "A VPN client installed on remote Windows host is affected by a privilege escalation vulnerability."); script_set_attribute(attribute:"description", value: "The version of Palo Alto GlobalProtect Agent installed on the remote Windows host is 4.1.x prior to 4.1.3, or 5.0.x prior to 5.0.5. It is, therefore, affected by a privilege escalation vulnerability due to a problem with the file creation permission on the OS disk. An authenticated, local attacker can exploit this to gain system privileges. Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number."); script_set_attribute(attribute:"see_also", value:"https://security.paloaltonetworks.com/CVE-2020-1988"); script_set_attribute(attribute:"solution", value: "Upgrade to Palo Alto GlobalProtect Agent 4.1.3, 5.0.5, or later"); script_set_cvss_base_vector("CVSS2#AV:L/AC:L/Au:N/C:C/I:C/A:C"); script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C"); script_set_cvss3_base_vector("CVSS:3.0/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H"); script_set_cvss3_temporal_vector("CVSS:3.0/E:U/RL:O/RC:C"); script_set_attribute(attribute:"cvss_score_source", value:"CVE-2020-1988"); script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available"); script_set_attribute(attribute:"vuln_publication_date", value:"2020/04/08"); script_set_attribute(attribute:"patch_publication_date", value:"2020/04/08"); script_set_attribute(attribute:"plugin_publication_date", value:"2020/04/22"); script_set_attribute(attribute:"plugin_type", value:"local"); script_set_attribute(attribute:"cpe", value:"cpe:/a:paloaltonetworks:globalprotect"); script_set_attribute(attribute:"stig_severity", value:"I"); script_end_attributes(); script_category(ACT_GATHER_INFO); script_family(english:"Windows"); script_copyright(english:"This script is Copyright (C) 2020 and is owned by Tenable, Inc. or an Affiliate thereof."); script_dependencies("palo_alto_globalprotect_agent_win_installed.nbin"); script_require_keys("installed_sw/Palo Alto GlobalProtect Agent", "SMB/Registry/Enumerated"); exit(0); } include('vcf.inc'); get_kb_item_or_exit('SMB/Registry/Enumerated'); app_info = vcf::get_app_info(app:'Palo Alto GlobalProtect Agent', win_local:TRUE); vcf::check_granularity(app_info:app_info, sig_segments:3); constraints = [ {'min_version' : '4.1', 'fixed_version' : '4.1.13'}, {'min_version' : '5.0', 'fixed_version' : '5.0.5'} ]; vcf::check_version_and_report(app_info:app_info, constraints:constraints, severity:SECURITY_HOLE);

References

https://security.paloaltonetworks.com/CVE-2020-1988