The watchTowr folks published an in-depth article today covering the Palo Alto Networks unauthenticated RCE at: https://labs.watchtowr.com/palo-alto-putting-the-protecc-in-globalprotect-cve-2024-3400/

Even more impressive is that they also disclosed a zero-day directory traversal vulnerability in the #golang gorilla/sessions package (used far and wide). The gorilla vulnerability only applies to code using the FilesystemStore, but it is still likely to impact a huge range of products and services. A pull request to fix this is open at https://github.com/gorilla/sessions/pull/274

Huge thanks to @alizthehax0r and the watchTowr team, as well as @moloch of Bishop Fox, for co-discovering (and providing a fix for) the gorilla/sessions bug.
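An added illustration (not code from the post, from watchTowr, or from gorilla/sessions) of why a file-backed session store is the exposed piece: if a session ID taken from the client is joined into a filesystem path, a fixed prefix such as `session_` does not stop traversal, because `session_..` is just a directory name and the `..` segments that follow still climb out of the store directory. `naiveSessionFilePath` models that join pattern in simplified form, and `sessionFilePath` is one way to guard it. The base directory, the base32 ID alphabet and the helper names are assumptions made for this example, not the project's own validation or the fix in the pull request.

```go
package main

import (
	"errors"
	"fmt"
	"path/filepath"
	"regexp"
	"strings"
)

// Hypothetical store directory used only for this illustration.
const sessionDir = "/tmp/sessions"

// ErrBadSessionID is returned for any ID that must not reach the filesystem.
var ErrBadSessionID = errors.New("session ID rejected")

// Assumption: generated IDs are padding-stripped base32 text, so anything
// outside that alphabet (slashes, dots, NULs, spaces) is not a real ID.
var validSessionID = regexp.MustCompile(`^[A-Z2-7]+$`)

// naiveSessionFilePath models the vulnerable pattern: a client-supplied ID is
// joined into a path with a fixed prefix and no validation. This is a
// simplified model, not the library's code verbatim.
func naiveSessionFilePath(baseDir, id string) string {
	return filepath.Join(baseDir, "session_"+id)
}

// sessionFilePath is the hardened form: it accepts only IDs in the expected
// alphabet and, as defense in depth, verifies that the final cleaned path
// still lies inside baseDir.
func sessionFilePath(baseDir, id string) (string, error) {
	if id == "" || !validSessionID.MatchString(id) {
		return "", ErrBadSessionID
	}
	base := filepath.Clean(baseDir)
	full := filepath.Join(base, "session_"+id)

	// filepath.Rel yields ".." or "../x" when full escapes base.
	rel, err := filepath.Rel(base, full)
	if err != nil || rel == ".." || filepath.IsAbs(rel) ||
		strings.HasPrefix(rel, ".."+string(filepath.Separator)) {
		return "", ErrBadSessionID
	}
	return full, nil
}

func main() {
	// Constructed sample IDs: one traversal payload and one well-formed ID.
	for _, id := range []string{"../../../../tmp/evil", "ABCDEFGH234567"} {
		fmt.Printf("naive   %-22q -> %s\n", id, naiveSessionFilePath(sessionDir, id))
		if p, err := sessionFilePath(sessionDir, id); err != nil {
			fmt.Printf("guarded %-22q -> %v\n", id, err)
		} else {
			fmt.Printf("guarded %-22q -> %s\n", id, p)
		}
	}
}
```

Running it shows the naive join turning `../../../../tmp/evil` into `/tmp/evil`, outside the store entirely, while the guarded version rejects it and passes the well-formed ID through unchanged. The alphabet check is what actually stops the attack; the `filepath.Rel` containment check is there so a future change to the ID format cannot silently reopen the hole.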

Palo Alto - Putting The Protecc In GlobalProtect (CVE-2024-3400)

Welcome to April 2024, again. We’re back, again. Over the weekend, we were all greeted by now-familiar news—a nation-state was exploiting a “sophisticated” vulnerability for full compromise in yet another enterprise-grade SSLVPN device. We’ve seen all the commentary around the certification process of these devices for certain

watchTowr Labs - Blog

@hdm @alizthehax0r The security bulletin at Palo Alto has been edited since initial release to remove the "telemetry required to be enabled to be exploitable" bit. It's been discovered you just need GlobalProtect...

And yes, that's me running around like my hair's on fire!

@quikkie @hdm I strongly suspected that the 'telemetry' requirement could be sidestepped, but I just couldn't figure out another exploitation path.
@alizthehax0r The watchTowr post was amazing work. It showed me how far down my pants had been pulled by sloppy coding (accepting user input without sanitising!!)
@quikkie Thanks! Honestly we were racing to get it out first so I was worried it wasn't very clear and polished. Thanks for the feedback, it's very appreciated!