Critical RCE Flaw in Palo Alto Gateways Hits Uber

The bug was previously unknown, yet it had already been fixed in later releases. However, many organizations are likely still running vulnerable versions.

A remote code-execution (RCE) vulnerability has been uncovered in the GlobalProtect portal and GlobalProtect Gateway interface security products from Palo Alto Networks. It’s an unusual zero-day case, having been previously unknown but inadvertently fixed in later releases — but some large companies could still be impacted, including Uber.

The gateways provide virtual private network (VPN) access to an internal network, via IPSec or SSL tunnels between the client and a tunnel interface on the gateway firewall. Users can also configure GlobalProtect gateways on VM-Series firewalls deployed in the Amazon Web Services (AWS) cloud.

The flaw (CVE-2019-1579) is a format string vulnerability in the company’s SSL Gateway, which handles client/server SSL handshakes. The bug is considered critical, because it allows an unauthenticated attacker to execute arbitrary code – so users should update right away to a patched version.

“More specifically, the vulnerability exists because the gateway passes the value of a particular parameter to snprintf in an unsanitized, and exploitable, fashion,” explained Tenable researchers, in a writeup on the bug. “An unauthenticated attacker could exploit the vulnerability by sending a specially crafted request to a vulnerable SSL VPN target in order to remotely execute code on the system.”
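The pattern Tenable describes, as an added illustration written for this article (not Palo Alto's code; the real parameter name and code path are not on the page, so `param` is a stand-in): an untrusted value used as the snprintf format string, beside the hardened form that passes it as data, plus a small check a defender can use to flag request values that carry printf directives.

```c
#include <stdio.h>
#include <string.h>

/* VULNERABLE PATTERN (shown only as a comment, never executed here):
 *   snprintf(buf, sizeof buf, param);
 * Any '%' directives inside the attacker-supplied value are interpreted
 * by snprintf, so the call reads (and with %n writes) memory it was
 * never meant to touch. */

/* Hardened form: the format string is a compile-time constant and the
 * untrusted value is passed as an argument, so '%' sequences stay literal. */
int render_param(char *out, size_t outlen, const char *param) {
    return snprintf(out, outlen, "param=%s", param);
}

/* Returns 1 if the hardened rendering reproduces the value byte-for-byte
 * (i.e. nothing in it was interpreted as a directive). */
int render_keeps_literal(const char *param) {
    char buf[256];
    int n = render_param(buf, sizeof buf, param);
    return n > 6 && n < (int)sizeof buf && strcmp(buf + 6, param) == 0;
}

/* Defensive check: does a value contain something printf would treat as a
 * conversion directive? Useful for logging or alerting on requests that
 * look like format-string probes. "%%" is an escaped percent, not a directive. */
int has_format_directive(const char *s) {
    for (const char *p = s; (p = strchr(p, '%')) != NULL; p++) {
        if (p[1] == '%') { p++; continue; }   /* skip escaped "%%" */
        if (p[1] == '\0') return 0;          /* lone trailing '%' */
        const char *q = p + 1;               /* flags, width, precision, length */
        while (*q && strchr("-+ #0123456789.hlLqjzt*", *q)) q++;
        if (*q && strchr("diouxXeEfFgGaAcspn", *q)) return 1;
    }
    return 0;
}

int main(void) {
    /* constructed sample values, not captured traffic */
    const char *samples[] = { "alice", "100%%", "AAAA%x%x", "user%08x%n" };
    for (size_t i = 0; i < sizeof samples / sizeof *samples; i++)
        printf("%-12s directive=%d literal=%d\n", samples[i],
               has_format_directive(samples[i]), render_keeps_literal(samples[i]));
    return 0;
}
```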

First publicized by researchers Orange Tsai and Meh Chang last week, the bug was a previously unknown vulnerability, but later versions of Palo Alto’s products happen to be inoculated against it, meaning that up-to-date systems are not in danger.

“There is no public RCE exploit…no official advisory contains anything similar and no CVE. So we believe this must be a silent-fix 1-day!” the researchers wrote in a blog post.

However, in looking at whether organizations are still at risk, Tsai and Chang discovered that Uber was running a vulnerable version, which prompted Palo Alto to issue a CVE and bug alert.

“Uber owns about 22 servers running the GlobalProtect around the world,” they said. They added that they were able to tell that the ride-share service was using an older version. “From the domain name, we guess Uber uses the BYOL from AWS Marketplace. From the login page, it seems Uber uses the 8.x version, and we can target the possible target version from the supported version list on the Marketplace overview page.”

For its part, Uber said in a note to Tsai and Chang that the gateway was not its primary VPN and not a part of the organization’s core infrastructure, which mitigated some of the potential impact of this vulnerability:

The issue affects PAN-OS 7.1.18 and earlier, PAN-OS 8.0.11 and earlier, and PAN-OS 8.1.2 and earlier releases. PAN-OS 9.0 is not affected. To patch the problem, users should update to PAN-OS 7.1.19 and later, PAN-OS 8.0.12 and later, or PAN-OS 8.1.3 and later releases.

For those who can’t update yet, Palo Alto recommended that users update to content release 8173 or later, and that they make sure that threat prevention is enabled and enforced on traffic that passes through the GlobalProtect portal and GlobalProtect Gateway interface.

Because the flaw was previously unknown, “we expect to see more incoming scans to identify organizations running vulnerable instances of the PAN SSL VPN in their environments,” Tenable researchers said.