A detailed overview of the information exposure vulnerability found in Palo Alto Networks GlobalProtect App on Windows and MacOS when connecting to the GlobalProtect portal with Single Sign-On enabled.
Understanding CVE-2022-0018
This CVE identifies an information exposure vulnerability in the GlobalProtect App by Palo Alto Networks.
What is CVE-2022-0018?
An information exposure vulnerability in the GlobalProtect app causes it to send the local user account credentials to the GlobalProtect portal when Single Sign-On is enabled. This poses a risk for BYOD clients and for organizations using different credentials.
The Impact of CVE-2022-0018
The vulnerability affects GlobalProtect app versions 5.1 and 5.2 on Windows and MacOS, exposing local user credentials when SSO configurations differ.
Technical Details of CVE-2022-0018
This section covers the vulnerability, the affected systems, and the exploitation mechanism.
Vulnerability Description
Credentials are inadvertently sent to the GlobalProtect portal when SSO configurations don't match, impacting devices with private user accounts.
Affected Systems and Versions
GlobalProtect app versions 5.1 (earlier than 5.1.10) and 5.2 (earlier than 5.2.9) on Windows and MacOS are vulnerable.
Exploitation Mechanism
A third party with MITM capabilities can intercept credentials in transit, potentially compromising sensitive information.
Mitigation and Prevention
This section covers immediate steps and long-term security practices.
Immediate Steps to Take
Ensure the GlobalProtect app is at version 5.1.10 or 5.2.9 and that the 'force-disable-sso' setting is in place, to prevent unauthorized credential transmission.
Long-Term Security Practices
Regularly update and patch the GlobalProtect app to mitigate vulnerabilities and enhance security measures.
Patching and Updates
Fixed versions of GlobalProtect app include 5.1.10 and 5.2.9 onwards with enhanced security features to prevent data exposure.
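As an added example (not code from Palo Alto Networks or from this page), the following Python script triages an endpoint inventory against the version thresholds stated above, comparing versions numerically so that 5.1.9 is not mistaken for being newer than 5.1.10. The CSV layout, host names and status labels are assumptions, the inventory rows are constructed, and it checks the app version only, not the 'force-disable-sso' setting.

```python
import csv
import io
import re

# First fixed release per affected branch, as stated on this page.
FIRST_FIXED = {(5, 1): (5, 1, 10), (5, 2): (5, 2, 9)}
AFFECTED_OS = {"windows", "macos"}

# Constructed sample inventory (hypothetical hosts and column names).
SAMPLE_INVENTORY = """host,os,gp_version
lt-001,Windows,5.1.9
lt-002,Windows,5.1.10
mb-003,macOS,5.2.8-23
mb-004,macOS,5.2.10
ws-005,Windows,5.2.9
lx-006,Linux,5.2.8
ws-007,Windows,6.0.1
ws-008,Windows,unknown
"""

def parse_version(text):
    """Return (major, minor, patch) as ints, ignoring a build suffix such as '-23'."""
    m = re.match(r"\s*(\d+)\.(\d+)(?:\.(\d+))?", text)
    if not m:
        raise ValueError(f"unparseable version: {text!r}")
    return tuple(int(g or 0) for g in m.groups())

def classify(os_name, version_text):
    """Return 'vulnerable', 'fixed', 'not-listed' (OS or branch not named here) or 'unknown'."""
    if os_name.strip().lower() not in AFFECTED_OS:
        return "not-listed"
    try:
        version = parse_version(version_text)
    except ValueError:
        return "unknown"  # needs manual follow-up rather than a silent pass
    fixed = FIRST_FIXED.get(version[:2])
    if fixed is None:
        return "not-listed"
    # Tuple comparison is numeric: (5, 1, 9) < (5, 1, 10), unlike the string form.
    return "vulnerable" if version < fixed else "fixed"

def triage(csv_text):
    """Map each host in the inventory to its status."""
    rows = csv.DictReader(io.StringIO(csv_text))
    return {r["host"]: classify(r["os"], r["gp_version"]) for r in rows}

if __name__ == "__main__":
    for host, status in triage(SAMPLE_INVENTORY).items():
        print(f"{host}\t{status}")
```

Hosts reported as 'unknown' or 'not-listed' are not cleared by this check and should be reviewed by hand.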