Platform
paloalto
Component
globalprotect-agent
Fixed in
4.1.11
CVE-2019-1573 is an information disclosure vulnerability affecting Palo Alto Networks GlobalProtect Agent versions 4.1 through 4.1*. An attacker with local access and a compromised user account can inspect memory to retrieve authentication and session tokens. This allows them to potentially replay these tokens and gain unauthorized access to the VPN session as the user.
The primary impact of CVE-2019-1573 is unauthorized access to resources protected by the GlobalProtect VPN. An attacker who has already compromised an end-user account and can inspect memory can leverage this vulnerability to steal authentication tokens. These tokens can then be replayed to establish a VPN session, effectively impersonating the legitimate user. This grants the attacker access to internal network resources, applications, and data that the user would normally have access to. The potential blast radius depends on the user's privileges and access rights within the organization. While the CVSS score is low, the potential for privilege escalation and lateral movement should not be underestimated, especially in environments with weak access controls.
CVE-2019-1573 was publicly disclosed on April 9, 2019. There is no indication of active exploitation campaigns targeting this vulnerability. No public proof-of-concept (PoC) code has been released. The vulnerability is not currently listed on the CISA KEV catalog. The LOW CVSS score suggests a relatively low probability of exploitation, but organizations should still prioritize patching to reduce their overall risk.
Organizations utilizing Palo Alto Networks GlobalProtect Agent for remote access, particularly those with legacy systems or configurations lacking robust access controls, are at risk. Users with elevated privileges or access to sensitive data are especially vulnerable.
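• windows / supply-chain:
    # Show the on-disk path of the running agent binary
    Get-Process -Name GlobalProtectAgent | Select-Object -ExpandProperty Path
• windows / supply-chain:
    # Search Application-log events with ID 1000 from this provider for messages mentioning authentication tokens
    Get-WinEvent -FilterHashtable @{ LogName = 'Application'; Id = 1000; ProviderName = 'GlobalProtectAgent' } | Where-Object { $_.Message -match 'authentication token' }
• windows / supply-chain: Check Autoruns for unusual entries related to GlobalProtect Agent or its components.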
disclosure
Exploit status
EPSS
0.23% (46th percentile)
CVSS vector
The primary mitigation for CVE-2019-1573 is to upgrade the GlobalProtect Agent to version 4.1* or later. If immediate upgrade is not possible, consider implementing stricter access controls and monitoring for suspicious VPN activity. Review user account permissions and limit access to sensitive resources. Implement multi-factor authentication (MFA) to add an extra layer of security, even if an attacker obtains valid credentials. There are no specific WAF or proxy rules that directly address this vulnerability, as it relies on local access and memory inspection. However, enhanced endpoint detection and response (EDR) solutions can help detect and prevent malicious activity on compromised endpoints.
Update GlobalProtect Agent to version 4.1.11 or later. This update fixes the vulnerability that allows a local, authenticated attacker to access authentication and/or session tokens.
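One way to check an endpoint against the fixed release, as an added example that is not from the original page or from Palo Alto Networks. It assumes the binary's ProductVersion file metadata reflects the agent version and reuses the process name from the page's own command; the function name and status labels are hypothetical.

```powershell
# Added example: compare the running agent binary's version with the fixed release.
$FixedIn     = [version]'4.1.11'        # "Fixed in" value from this page
$ProcessName = 'GlobalProtectAgent'     # name used by the page's command; adjust to your install

function Test-AgentVersion {
    param([string]$VersionString)
    # Keep only the leading dotted-numeric part so suffixes like "-3" do not break parsing.
    if ($VersionString -match '^\s*(\d+(\.\d+){1,3})') {
        $v = [version]$Matches[1]
    } else {
        return 'Unknown'                # empty or non-numeric metadata
    }
    # The page only covers the 4.1 branch; report other branches separately.
    if ($v.Major -ne 4 -or $v.Minor -ne 1) { return 'OutOfScope' }
    # [version] compares numerically, so 4.1.9 sorts below 4.1.11 (a string compare would not).
    if ($v -lt $FixedIn) { return 'Vulnerable' }
    return 'Fixed'
}

$procs = Get-Process -Name $ProcessName -ErrorAction SilentlyContinue
if (-not $procs) {
    Write-Output "No running process named $ProcessName"
} else {
    # Path can be empty when the caller lacks rights to query the process; skip those.
    $procs | Where-Object Path | Sort-Object Path -Unique | ForEach-Object {
        $ver = (Get-Item -LiteralPath $_.Path).VersionInfo.ProductVersion
        [pscustomobject]@{
            Path           = $_.Path
            ProductVersion = $ver
            Status         = Test-AgentVersion $ver
        }
    }
}
```

A status of Unknown or OutOfScope means the version should be confirmed by hand against the vendor advisory.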
CVE-2019-1573 is a vulnerability in GlobalProtect Agent allowing local attackers to access authentication tokens, potentially enabling VPN session spoofing.
You are affected if you are using GlobalProtect Agent versions 4.1–4.1*. Check your version and upgrade accordingly.
Upgrade to GlobalProtect Agent version 4.1* or later to resolve this information disclosure vulnerability.
While no widespread exploitation has been publicly reported, diligent patching is recommended to prevent potential attacks.
Refer to the Palo Alto Networks Security Advisories page for details: https://www.paloaltonetworks.com/support/security-advisories