Critical RCE Flaw in Palo Alto Gateways Hits Uber (Jul 22, 2019)
Researchers identified a critical Remote Code Execution (RCE) vulnerability in the GlobalProtect portal and GlobalProtect Gateway components of Palo Alto Networks' PAN-OS. The vulnerability, tracked as CVE-2019-1579, can be triggered by a remote, unauthenticated attacker who sends a specially crafted request to the GlobalProtect SSL VPN interface of a vulnerable system, allowing arbitrary code execution on the device. Notably, the bug had been silently fixed in later PAN-OS releases before it was publicly known, so only older releases remain exposed. The affected versions are PAN-OS 7.1.18 and earlier, PAN-OS 8.0.11 and earlier, and PAN-OS 8.1.2 and earlier.
Recommendation: Palo Alto Networks recommends that customers who cannot immediately upgrade PAN-OS at least update to content release 8173 or later as an interim mitigation until the software can be upgraded. Once a vulnerability has been publicly disclosed, threat actors will likely attempt to incorporate its exploitation into their operations, and an internet-facing VPN gateway is a high-value target. Patches should be reviewed and applied as soon as possible, and exposed GlobalProtect instances should be inventoried and checked against the affected version list.
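To make the affected-version list actionable across a fleet of firewalls, the following triage helper (an added example written for this briefing, not code from Palo Alto Networks or the original advisory) parses PAN-OS version strings and classifies each device against the ranges stated above. It assumes PAN-OS versions follow the major.minor.maintenance form with an optional -hN hotfix suffix, and it conservatively treats hotfix builds of an affected base version (for example 8.0.11-h1) as affected. Branches not named in the advisory text (such as 9.0) are reported as "unlisted" rather than "patched", because the text above says nothing about them. The inventory at the bottom is constructed sample data.

```python
import re
from typing import Dict, Tuple

# Highest affected maintenance release per PAN-OS branch, exactly as listed in
# the advisory text above (7.1.18, 8.0.11 and 8.1.2 "and earlier").
AFFECTED_MAX: Dict[Tuple[int, int], Tuple[int, int, int]] = {
    (7, 1): (7, 1, 18),
    (8, 0): (8, 0, 11),
    (8, 1): (8, 1, 2),
}

# Assumption: PAN-OS version strings look like "8.0.11" or "8.0.11-h1".
VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:-h(\d+))?$")


def parse_panos_version(s: str) -> Tuple[int, int, int, int]:
    """Return (major, minor, maintenance, hotfix); hotfix is 0 when absent."""
    m = VERSION_RE.match(s.strip())
    if not m:
        raise ValueError(f"unrecognised PAN-OS version string: {s!r}")
    major, minor, maint, hotfix = m.groups()
    return int(major), int(minor), int(maint), int(hotfix or 0)


def cve_2019_1579_status(version: str) -> str:
    """Classify a single PAN-OS version as 'affected', 'patched' or 'unlisted'.

    The hotfix number is deliberately ignored: a hotfix build of an affected
    base release is treated as affected (conservative assumption, see lead-in).
    Branches the advisory text does not mention are 'unlisted' and need a
    manual check rather than being assumed safe.
    """
    major, minor, maint, _hotfix = parse_panos_version(version)
    branch = (major, minor)
    if branch not in AFFECTED_MAX:
        return "unlisted"
    if (major, minor, maint) <= AFFECTED_MAX[branch]:
        return "affected"
    return "patched"


def triage(inventory: Dict[str, str]) -> Dict[str, str]:
    """Map hostname -> status for every device in an inventory."""
    return {host: cve_2019_1579_status(ver) for host, ver in inventory.items()}


if __name__ == "__main__":
    # Constructed sample inventory, not real devices.
    sample = {
        "vpn-gw-1": "8.1.2",
        "vpn-gw-2": "8.0.11-h1",
        "vpn-gw-3": "7.1.19",
        "vpn-gw-4": "9.0.0",
    }
    for host, status in triage(sample).items():
        print(f"{host:10s} {sample[host]:10s} {status}")
```

Devices reported as "affected" should be prioritised for the PAN-OS upgrade (or the content release 8173 interim mitigation); "unlisted" results are not a clean bill of health and should be checked against the vendor advisory for their branch.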
Indicators of Compromise (IOCs) associated with this story can be viewed by ThreatStream users here to identify potential malicious activity.