Critical RCE Flaw in Palo Alto Gateways Hits Uber

The bug was previously unknown yet had already been fixed in later releases. However, many organizations are likely still vulnerable.

A remote code-execution (RCE) vulnerability has been uncovered in the GlobalProtect portal and GlobalProtect Gateway interface security products from Palo Alto Networks. It’s an unusual zero-day case, having been previously unknown but inadvertently fixed in later releases — but some large companies could still be impacted, including Uber.

The gateways provide virtual private network (VPN) access to an internal network, via IPSec or SSL tunnels between the client and a tunnel interface on the gateway firewall. Users can also configure GlobalProtect gateways on VM-Series firewalls deployed in the Amazon Web Services (AWS) cloud.

The flaw (CVE-2019-1579) is a format string vulnerability in the company’s SSL Gateway, which handles client/server SSL handshakes. The bug is considered critical, because it allows an unauthenticated attacker to execute arbitrary code – so users should update right away to a patched version.

“More specifically, the vulnerability exists because the gateway passes the value of a particular parameter to snprintf in an unsanitized, and exploitable, fashion,” explained Tenable researchers, in a writeup on the bug. “An unauthenticated attacker could exploit the vulnerability by sending a specially crafted request to a vulnerable SSL VPN target in order to remotely execute code on the system.”
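As an added illustration of the bug class Tenable describes, and not code from the gateway or from Tenable, the constructed C below contrasts a request parameter used as snprintf's format string with the same parameter passed as data, plus a boundary check a defender can apply; the function and parameter names are assumptions.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Constructed illustration of the bug class: text taken from a request
 * parameter reaches snprintf as the FORMAT argument instead of as data.
 * Names (render_unsafe, render_safe, param) are assumptions, not the
 * gateway's own identifiers. */

/* Vulnerable pattern: the caller-supplied string is parsed for directives.
 * Compilers flag exactly this call with -Wformat-security. */
static int render_unsafe(char *out, size_t n, const char *param) {
    return snprintf(out, n, param);
}

/* Hardened pattern: the format is a fixed literal, the parameter is data. */
static int render_safe(char *out, size_t n, const char *param) {
    return snprintf(out, n, "%s", param);
}

/* Boundary check a defender can add in front of logging or rendering:
 * a '%' has no legitimate place in this field, so reject it outright. */
static bool has_format_directive(const char *param) {
    return strchr(param, '%') != NULL;
}

/* Runs one constructed parameter through both paths. "100%%" is chosen
 * because interpreting it is well-defined (it consumes no arguments),
 * yet it shows the reinterpretation: the unsafe path collapses it to "100%". */
static int demo(void) {
    const char *param = "100%%";   /* constructed request parameter */
    char unsafe_out[32], safe_out[32];

    render_unsafe(unsafe_out, sizeof unsafe_out, param);
    render_safe(safe_out, sizeof safe_out, param);

    printf("input          : %s\n", param);
    printf("format (unsafe): %s\n", unsafe_out);
    printf("data   (safe)  : %s\n", safe_out);
    printf("rejected       : %s\n", has_format_directive(param) ? "yes" : "no");
    return strcmp(unsafe_out, safe_out) != 0;   /* 1 when the paths diverge */
}

int main(void) {
    return demo() ? 0 : 1;
}
```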

First publicized by researchers Orange Tsai and Meh Chang last week, the bug was a previously unknown vulnerability, but later versions of Palo Alto’s products happen to be inoculated against it, meaning that up-to-date systems are not in danger.

“There is no public RCE exploit…no official advisory contains anything similar and no CVE. So we believe this must be a silent-fix 1-day!” the researchers wrote in a blog post.

However, in looking at whether organizations are still at risk, Tsai and Chang discovered that Uber was running a vulnerable version, which prompted Palo Alto to issue a CVE and bug alert.

“Uber owns about 22 servers running the GlobalProtect around the world,” they said. They added that they were able to tell that the ride-share service was using an older version. “From the domain name, we guess Uber uses the BYOL from AWS Marketplace. From the login page, it seems Uber uses the 8.x version, and we can target the possible target version from the supported version list on the Marketplace overview page.”

For its part, Uber said in a note to Tsai and Chang that the gateway was not its primary VPN and not a part of the organization’s core infrastructure, which mitigated some of the potential impact of this vulnerability:

Source: Tsai and Chang.

The issue affects PAN-OS 7.1.18 and earlier, PAN-OS 8.0.11 and earlier, and PAN-OS 8.1.2 and earlier releases. PAN-OS 9.0 is not affected. To patch the problem, users should update to PAN-OS 7.1.19 and later, PAN-OS 8.0.12 and later, or PAN-OS 8.1.3 and later releases.

For those who can’t update yet, Palo Alto recommended that users update to content release 8173 or later, and that they make sure that threat prevention is enabled and enforced on traffic that passes through the GlobalProtect portal and GlobalProtect Gateway interface.

Because the flaw was previously unknown, “we expect to see more incoming scans to identify organizations running vulnerable instances of the PAN SSL VPN in their environments,” Tenable researchers said.

  • Michael M on

    “via IPSec or SSL tunnels” IPsec is not in any way the same as an SSL VPN. From reading the Tenable writeup, I don’t see any IPsec involvement. Are you sure about this statement?
    • Tara Seals on

      Hi Michael! The description is from the gateway description on the Palo Alto website -- In that paragraph, I'm describing what the gateways are and what they do rather than anything having to do with the bug. Link is in the article. Thanks!
