CVE-2024-8687 Overview
An information exposure vulnerability exists in Palo Alto Networks PAN-OS software that enables a GlobalProtect end user to learn both the configured GlobalProtect uninstall password and the configured disable or disconnect passcode. After the password or passcode is known, end users can uninstall, disable, or disconnect GlobalProtect even if the GlobalProtect app configuration would not normally permit them to do so.
Critical Impact
Local users can bypass administrative security controls by discovering the uninstall password and disable/disconnect passcode, potentially circumventing enterprise VPN policies and security monitoring.
Affected Products
- Palo Alto Networks PAN-OS (multiple versions including 11.0.0)
- Palo Alto Networks GlobalProtect (multiple versions including 6.2.0)
- Palo Alto Networks Prisma Access
Discovery Timeline
- September 11, 2024 - CVE-2024-8687 published to NVD
- October 3, 2024 - Last updated in NVD database
Technical Details for CVE-2024-8687
Vulnerability Analysis
This vulnerability falls under CWE-497 (Exposure of Sensitive System Information to an Unauthorized Control Sphere). The flaw enables local authenticated users to extract sensitive configuration credentials that should be protected from end-user access. The vulnerability requires local access and low privileges to exploit, meaning an attacker must already have a presence on the system. However, once exploited, it grants high confidentiality impact as it exposes administrative secrets intended to maintain organizational control over endpoint VPN configurations.
The practical consequence is significant for enterprise environments: users who should not have the ability to disable or uninstall the GlobalProtect VPN client can now do so by extracting the protective passwords. This undermines the security architecture that organizations implement to ensure consistent VPN connectivity and endpoint protection compliance.
Root Cause
The root cause stems from improper handling and storage of sensitive configuration data within the GlobalProtect client application. The uninstall password and disable/disconnect passcode are accessible to local users with standard privileges, violating the principle of least privilege. The credentials should be stored in a manner that prevents enumeration or extraction by non-administrative users, but the current implementation allows end users to discover these sensitive values through the local system.
Attack Vector
The attack vector is local, requiring the attacker to have authenticated access to an endpoint running the vulnerable GlobalProtect client. The exploitation process involves:
- A local user with standard privileges accesses the GlobalProtect application or its associated configuration data
- The user extracts the configured uninstall password and/or disable/disconnect passcode
- Armed with these credentials, the user can now uninstall GlobalProtect, disable VPN connectivity, or disconnect from the corporate network
- This bypasses administrative controls designed to enforce always-on VPN policies
The vulnerability does not require user interaction beyond the attacker's own actions, and the attack complexity is low once local access is obtained.
Detection Methods for CVE-2024-8687
Indicators of Compromise
- Unexpected uninstallation of GlobalProtect client on managed endpoints
- GlobalProtect service being disabled on systems where always-on VPN policy is enforced
- Users disconnecting from VPN outside of normal business patterns
- Audit logs showing GlobalProtect configuration access or credential retrieval attempts
Detection Strategies
- Monitor endpoint detection and response (EDR) telemetry for GlobalProtect uninstallation events that were not authorized by IT administrators
- Implement file integrity monitoring on GlobalProtect configuration files and directories
- Configure alerts for GlobalProtect service state changes (stopped, disabled) on managed endpoints
- Review Windows Event Logs and system logs for suspicious access patterns to GlobalProtect-related files
Monitoring Recommendations
- Deploy centralized logging for GlobalProtect connection states across all managed endpoints
- Establish baseline VPN connectivity patterns and alert on anomalous disconnection behavior
- Monitor for process termination events targeting GlobalProtect services
- Integrate GlobalProtect telemetry with SIEM solutions to correlate potential exploitation attempts with other suspicious endpoint activity
How to Mitigate CVE-2024-8687
Immediate Actions Required
- Review the Palo Alto Networks CVE-2024-8687 Advisory for specific patch versions and upgrade paths
- Inventory all PAN-OS, GlobalProtect, and Prisma Access deployments to identify vulnerable systems
- Prioritize patching endpoints with highly sensitive data or in environments where VPN policy enforcement is critical
- Consider implementing additional endpoint monitoring until patches can be applied
Patch Information
Palo Alto Networks has addressed this vulnerability in updated versions of PAN-OS and GlobalProtect. Organizations should consult the official Palo Alto Networks security advisory for specific fixed versions applicable to their deployment. Upgrade PAN-OS to a patched version and deploy updated GlobalProtect clients to all managed endpoints. Prisma Access customers should verify their service is running on a remediated version.
Workarounds
- Implement additional endpoint protection controls to monitor and prevent unauthorized uninstallation of security software
- Use application whitelisting to restrict execution of tools that could be used to extract credentials
- Apply principle of least privilege rigorously on managed endpoints to limit local user capabilities
- Consider deploying network access control (NAC) solutions to detect endpoints that disconnect from required VPN tunnels
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
