A remote code-execution (RCE) vulnerability has been uncovered in the GlobalProtect portal and GlobalProtect Gateway interface security products from Palo Alto Networks. It’s an unusual zero-day case: the bug was previously unknown but was inadvertently fixed in later releases. Even so, some large companies could still be impacted, including Uber.
The gateways provide virtual private network (VPN) access to an internal network, via IPSec or SSL tunnels between the client and a tunnel interface on the gateway firewall. Users can also configure GlobalProtect gateways on VM-Series firewalls deployed in the Amazon Web Services (AWS) cloud.
The flaw (CVE-2019-1579) is a format string vulnerability in the company’s SSL Gateway, which handles client/server SSL handshakes. The bug is considered critical, because it allows an unauthenticated attacker to execute arbitrary code – so users should update right away to a patched version.