CVE-2024-5910: Palo Alto GlobalProtect Auth Bypass Exploited - Patch Now
- Attackers are actively exploiting a missing authentication flaw to gain administrative access to GlobalProtect instances.
- Impacted systems include Palo Alto Networks PAN-OS versions prior to 10.2.10, 11.0.5, and 11.1.3 with GlobalProtect enabled.
- Organizations must immediately update PAN-OS to the latest patched versions or apply vendor-recommended configuration changes.
Palo Alto Networks has issued an urgent advisory regarding the active exploitation of a vulnerability within its GlobalProtect gateway. The flaw, tracked as CVE-2024-5910, allows unauthenticated attackers to bypass security measures. According to BleepingComputer, it is now being leveraged in the wild, posing a significant risk to corporate network integrity.
The vulnerability stems from a missing authentication check in the PAN-OS GlobalProtect gateway. With a CVSS score of 9.3, it is classified as critical because it enables an attacker to gain administrative control over the GlobalProtect interface without requiring valid credentials. This vulnerability is particularly dangerous as the gateway is often exposed to the public internet to facilitate remote access for employees.
Technical Analysis of GlobalProtect Auth Bypass
The core of the issue resides in how the GlobalProtect gateway processes specific requests on the management plane or the gateway interface. Attackers exploit this by sending crafted packets to the gateway port. If successful, this leads to an authentication bypass, allowing the threat actor to modify configurations or potentially facilitate lateral movement within the internal network infrastructure.
While this vulnerability is not a direct RCE by itself, the administrative access gained is a precursor to more severe compromises. Once an attacker has control over the VPN gateway, they can intercept traffic, create new administrative accounts, or disable security features designed to protect the perimeter. This level of access is highly sought after by APT groups looking to establish a persistent foothold in target environments for espionage or data theft.
How to detect CVE-2024-5910 exploit attempts
Security teams should monitor their SIEM for unusual activity originating from GlobalProtect interfaces. Specifically, look for unexpected configuration changes or administrative logins from unfamiliar or external IP addresses. Since this is effectively a zero-day exploitation scenario for organizations that have not yet applied the vendor's updates, SOC analysts should prioritize logs showing failed authentication followed by successful administrative commands on the gateway device. High-frequency requests to management endpoints are also a strong indicator of scanning or exploitation attempts.
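The three detection patterns just described (administrative activity from an address outside the authorised management ranges, a failed authentication followed shortly by a successful administrative command from the same source, and a burst of requests to management endpoints) can be expressed as simple correlation rules. The following is an added example, not code from the article or from Palo Alto Networks; the log lines and their `key=value` field names are constructed for the example and are not the real PAN-OS syslog format, so the parser would need to be mapped onto the fields your SIEM already extracts. The authorised admin network `10.1.0.0/16` and the thresholds are assumptions.

```python
"""Correlation rules for the GlobalProtect exploitation patterns described above.

Added example; the log format below is constructed and is NOT the real
PAN-OS syslog layout. Map the field names onto your SIEM's parsed fields.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta, timezone
from ipaddress import ip_address, ip_network

# Assumed: the only networks from which admin activity is legitimate.
ADMIN_NETS = [ip_network("10.1.0.0/16")]

# Constructed sample events: one legitimate login, then an external source that
# fails auth, logs in anyway and runs an admin command, then a request burst.
SAMPLE_LOG = [
    "2024-07-10T12:00:01Z src=10.1.5.20 event=admin_login user=admin",
    "2024-07-10T12:00:05Z src=203.0.113.9 event=auth_failed user=admin",
    "2024-07-10T12:00:07Z src=203.0.113.9 event=admin_login user=admin",
    "2024-07-10T12:00:09Z src=203.0.113.9 event=admin_cmd user=admin detail=add-admin-account",
] + [
    # 25 management-endpoint requests from one source within 25 seconds
    f"2024-07-10T12:01:{i:02d}Z src=198.51.100.4 event=mgmt_request"
    for i in range(25)
]


def parse_line(line):
    """Parse 'ISO-timestamp key=value key=value ...' into a dict."""
    ts_str, *kvs = line.split()
    event = {"ts": datetime.strptime(ts_str, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)}
    for kv in kvs:
        key, _, value = kv.partition("=")
        event[key] = value
    return event


def detect(lines, admin_nets=ADMIN_NETS, fail_window=timedelta(minutes=5),
           rate_threshold=20, rate_window=timedelta(seconds=30)):
    """Return a list of (rule, source_ip, detail) alerts for the given log lines."""
    events = sorted((parse_line(line) for line in lines), key=lambda e: e["ts"])
    alerts = []
    last_fail = {}               # src -> time of most recent auth failure
    recent = defaultdict(deque)  # src -> timestamps of mgmt requests in the window
    rate_alerted = set()         # sources already reported for request bursts

    for ev in events:
        src = ip_address(ev["src"])
        kind = ev["event"]

        # Rule 1: admin login or command from outside the authorised ranges.
        if kind in ("admin_login", "admin_cmd") and not any(src in net for net in admin_nets):
            alerts.append(("admin_activity_from_unauthorised_ip", ev["src"], kind))

        # Rule 2: failed authentication followed by an admin command from the same source.
        if kind == "auth_failed":
            last_fail[src] = ev["ts"]
        elif kind == "admin_cmd" and src in last_fail and ev["ts"] - last_fail[src] <= fail_window:
            alerts.append(("failed_auth_then_admin_command", ev["src"], ev.get("detail", "")))

        # Rule 3: sliding-window request rate against management endpoints.
        if kind == "mgmt_request":
            window = recent[src]
            window.append(ev["ts"])
            while window and ev["ts"] - window[0] > rate_window:
                window.popleft()
            if len(window) >= rate_threshold and src not in rate_alerted:
                rate_alerted.add(src)
                alerts.append(("high_frequency_mgmt_requests", ev["src"], str(len(window))))
    return alerts


if __name__ == "__main__":
    for rule, src, detail in detect(SAMPLE_LOG):
        print(f"{rule:40} src={src:15} {detail}")
```

Rule 1 is the one that pays off most cheaply: an authentication bypass still produces an administrative session, and that session's source address has no reason to fall outside the management allowlist. Rule 2 catches the "failed then succeeded" sequence the article calls out, and rule 3 only fires once per source so a scanner does not flood the alert queue.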
Affected Systems and Scope
The vulnerability affects several versions of PAN-OS where GlobalProtect is configured. Organizations utilizing gateways on the following versions are at risk:
- PAN-OS 10.2 versions earlier than 10.2.10
- PAN-OS 11.0 versions earlier than 11.0.5
- PAN-OS 11.1 versions earlier than 11.1.3
Cloud Services and Panorama management appliances are generally not affected by this specific flaw unless they are specifically running the vulnerable GlobalProtect gateway configurations. However, the widespread use of these affected versions across enterprise environments makes the potential impact substantial.
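A fleet inventory check against the version list above is the quickest way to scope exposure. The following is an added example, not code from the article or from Palo Alto Networks; it classifies a PAN-OS version string against the three affected trains the article lists (strictly earlier than 10.2.10, 11.0.5 or 11.1.3) and treats GlobalProtect as a per-device flag, since the article states only gateways with GlobalProtect configured are at risk. The `-hN` hotfix suffix handling and the sample inventory are assumptions; trains the article does not mention are reported as "not-listed" rather than as safe, so they still get checked against the vendor advisory.

```python
"""Classify PAN-OS versions against the affected ranges listed in the article.

Added example; version strings are parsed as MAJOR.MINOR.MAINT[-hN]
(assumed format). The inventory below is constructed sample data.
"""
import re

# Affected trains -> first release no longer listed as affected (from the article).
AFFECTED_TRAINS = {
    (10, 2): (10, 2, 10),
    (11, 0): (11, 0, 5),
    (11, 1): (11, 1, 3),
}

_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:-h(\d+))?$")


def parse_panos_version(text):
    """Return (major, minor, maint, hotfix); hotfix is 0 when absent."""
    match = _VERSION_RE.match(text.strip())
    if not match:
        raise ValueError(f"unrecognised PAN-OS version string: {text!r}")
    major, minor, maint, hotfix = match.groups()
    return int(major), int(minor), int(maint), int(hotfix or 0)


def assess(version):
    """'vulnerable', 'fixed', or 'not-listed' for trains the article does not cover."""
    major, minor, maint, _hotfix = parse_panos_version(version)
    train = (major, minor)
    if train not in AFFECTED_TRAINS:
        return "not-listed"
    # Hotfix number is ignored here: the article's cut-off is the maintenance release.
    return "vulnerable" if (major, minor, maint) < AFFECTED_TRAINS[train] else "fixed"


def triage_inventory(inventory):
    """inventory: {hostname: (version, globalprotect_enabled)} -> sorted hosts to patch now."""
    return sorted(
        host for host, (version, gp_enabled) in inventory.items()
        if gp_enabled and assess(version) == "vulnerable"
    )


# Constructed sample inventory; hostnames and versions are not real devices.
SAMPLE_INVENTORY = {
    "fw-edge-01": ("10.2.9", True),       # affected train, below cut-off, GP on
    "fw-edge-02": ("10.2.10-h1", True),   # patched build named in the article
    "fw-dc-01": ("11.0.4-h2", True),      # hotfix of an affected maintenance release
    "fw-lab-01": ("11.1.2", False),       # below cut-off but GlobalProtect disabled
    "fw-legacy": ("10.1.9", True),        # train not covered by the article's list
}

if __name__ == "__main__":
    for host, (version, gp) in SAMPLE_INVENTORY.items():
        print(f"{host:12} {version:12} gp={'on' if gp else 'off':3} -> {assess(version)}")
    print("patch now:", triage_inventory(SAMPLE_INVENTORY))
```

The "not-listed" outcome is deliberate: a train absent from an advisory excerpt is unknown, not clean, and conflating the two is how end-of-life devices stay unpatched.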
CVE-2024-5910 Patch Guidance and Mitigation
The most effective response is the immediate application of security updates provided by Palo Alto Networks. For organizations unable to patch immediately, certain configuration changes can reduce the attack surface and mitigate the immediate risk of exploitation.
Immediate Remediation Steps
Defenders should prioritize the following actions to protect their infrastructure:
- Apply Updates: Transition to PAN-OS 10.2.10-h1, 11.0.5-h1, or 11.1.3-h1 immediately. These versions contain the fix for the missing authentication logic.
- Restrict Management Access: Ensure that management interfaces are not exposed to the public internet. Use a Zero Trust approach to limit access to known, authorized administrative IP addresses.
- Enable Multi-Factor Authentication (MFA): While this vulnerability bypasses initial authentication, having MFA enforced on all administrative functions and secondary internal layers can hinder the progress of an attacker following the initial breach.
Defenders should also review their logs for any TTP patterns associated with VPN exploitation, such as the creation of unauthorized local user accounts or changes to security policy rules. Early detection is critical to preventing a compromise from escalating into a full-scale ransomware attack or a significant data exfiltration event.