CVE-2024-9473 Overview
A privilege escalation vulnerability in the Palo Alto Networks GlobalProtect app on Windows allows a locally authenticated non-administrative Windows user to escalate their privileges to NT AUTHORITY/SYSTEM through the use of the repair functionality offered by the .msi file used to install GlobalProtect.
Critical Impact
This vulnerability can lead to unauthorized access at the highest privilege level on Windows systems, potentially allowing attackers to execute arbitrary code and install malware.
Affected Products
- Palo Alto Networks GlobalProtect (all versions)
- GlobalProtect 6.3.0
- GlobalProtect 6.3.1
Discovery Timeline
- 2024-10-09 - CVE-2024-9473 published to NVD
- 2024-11-21 - Last updated in NVD database
Technical Details for CVE-2024-9473
Vulnerability Analysis
The vulnerability resides in the repair function of the .msi installer for GlobalProtect. By leveraging the repair process, a local user without administrative privileges can execute commands with SYSTEM level privileges. This is due to improper access control and validation checks within the installation package.
Root Cause
The root cause of the vulnerability is an improper access control mechanism within the repair functionality of the GlobalProtect .msi installer. This oversight enables privilege escalation when the repair option is run.
Attack Vector
The attack vector is local. A local user with valid authentication credentials can initiate the exploit by triggering the repair process of the installed GlobalProtect application.
# Example exploitation code
Start-Process msiexec.exe -ArgumentList '/fa "C:\Path\to\GlobalProtect.msi" /qn' -Verb runAs
Detection Methods for CVE-2024-9473
Indicators of Compromise
- Unexpected modification or repair actions on the GlobalProtect .msi
- Unscheduled privilege elevation events
- System changes initiated by non-administrative accounts
Detection Strategies
Utilize security monitoring tools to detect unusual MSI execution or repair operations. Monitor event logs for elevation attempts and correlate with user activity logs to determine unauthorized privilege escalations.
Monitoring Recommendations
Enable logging for MSI installer operations and privilege changes. Set alerts for operations involving GlobalProtect-related files and privilege adjustments on Windows endpoints.
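One way to implement the monitoring described above, as an added example that is not vendor code or part of the original page. It filters MsiInstaller events 1035 and 11728 (product reconfigured) for GlobalProtect and reports those whose initiating SID is not on a trusted list. The function name, the sample events and their SIDs are constructed, and it assumes the event's UserId reflects the account that started the repair.

```powershell
# Added example (not vendor code). Flags Windows Installer "reconfigure" (repair)
# events for GlobalProtect whose initiating account is not a known administrator.
function Find-GlobalProtectRepair {
    param(
        [Parameter(Mandatory)] [object[]] $Events,   # needs Id, TimeCreated, UserId, Message
        [string[]] $TrustedSids = @('S-1-5-18')      # SYSTEM; append administrator SIDs
    )
    foreach ($e in $Events) {
        # 1035:  "Windows Installer reconfigured the product"
        # 11728: "Product: <name> -- Configuration completed successfully"
        if ($e.Id -notin 1035, 11728) { continue }
        if ($e.Message -notmatch 'GlobalProtect') { continue }
        $sid = [string]$e.UserId                     # SecurityIdentifier or plain string
        if ($sid -in $TrustedSids) { continue }
        [pscustomobject]@{
            Time    = $e.TimeCreated
            EventId = $e.Id
            UserSid = $sid
            Detail  = ($e.Message -split "`r?`n")[0]
        }
    }
}

# Constructed sample events (SIDs and timestamps are made up) so the logic runs offline.
$user = 'S-1-5-21-1111111111-2222222222-3333333333-1104'
$sample = @(
    [pscustomobject]@{ Id = 1035; TimeCreated = [datetime]'2024-10-10T09:14:02'; UserId = $user
        Message = 'Windows Installer reconfigured the product. Product Name: GlobalProtect. Reconfiguration success or error status: 0.' }
    [pscustomobject]@{ Id = 1035; TimeCreated = [datetime]'2024-10-10T03:00:41'; UserId = 'S-1-5-18'
        Message = 'Windows Installer reconfigured the product. Product Name: GlobalProtect. Reconfiguration success or error status: 0.' }
    [pscustomobject]@{ Id = 1035; TimeCreated = [datetime]'2024-10-10T10:02:17'; UserId = $user
        Message = 'Windows Installer reconfigured the product. Product Name: ExampleApp. Reconfiguration success or error status: 0.' }
    [pscustomobject]@{ Id = 11728; TimeCreated = [datetime]'2024-10-10T09:14:03'; UserId = $user
        Message = 'Product: GlobalProtect -- Configuration completed successfully.' }
)
Find-GlobalProtectRepair -Events $sample | Format-Table -AutoSize

# On an endpoint, feed it live data instead (nested domain groups are not expanded):
# $admins = (Get-LocalGroupMember -SID 'S-1-5-32-544').SID.Value
# $live   = Get-WinEvent -FilterHashtable @{ LogName = 'Application'; ProviderName = 'MsiInstaller'; Id = 1035, 11728 }
# Find-GlobalProtectRepair -Events $live -TrustedSids (@('S-1-5-18') + $admins)
```

Legitimate repairs and self-healing also log these events, so treat hits as leads to correlate with process-creation and logon data.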
How to Mitigate CVE-2024-9473
Immediate Actions Required
- Audit and review user accounts to ensure they follow the principle of least privilege.
- Disable the repair functionality for non-administrative users.
- Closely monitor MSI installer executions.
Patch Information
Palo Alto Networks is expected to release a patch addressing this privilege escalation vulnerability. Always refer to the Vendor Advisory for the most up-to-date patch information.
Workarounds
Implement Group Policy to restrict access to MSI installer options for non-administrative users as an interim measure while awaiting official patches.
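# Configuration example: restrict Windows Installer via the DisableMSI policy (1 = disabled for non-managed applications; the policy covers Windows Installer as a whole, not only repair)
$key = "HKLM:\Software\Policies\Microsoft\Windows\Installer"
if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }  # the policy key may not exist yet
New-ItemProperty -Path $key -Name "DisableMSI" -Value 1 -PropertyType "DWord" -Force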
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

