HD MooreApr 17, 2024

The watchTowr folks published an in-depth article today covering the Palo Alto Networks unauthenticated RCE at: https://labs.watchtowr.com/palo-alto-putting-the-protecc-in-globalprotect-cve-2024-3400/

Even more impressive is they also disclosed a zero-day directory traversal vulnerability in the #golang gorilla/sessions package (used far and wide). The gorilla vulnerability only applies to code using the FilesystemStore, but it is still likely to impact a huge range of products and services. A pull request to fix this is open at https://github.com/gorilla/sessions/pull/274

Huge thanks to @alizthehax0r and the watchTowr team as well as @moloch of Bishop Fox for co-discovery (and providing a fix for) of the gorilla/sessions bug.

Palo Alto - Putting The Protecc In GlobalProtect (CVE-2024-3400)

Welcome to April 2024, again. We’re back, again. Over the weekend, we were all greeted by now-familiar news—a nation-state was exploiting a “sophisticated” vulnerability for full compromise in yet another enterprise-grade SSLVPN device. We’ve seen all the commentary around the certification process of these devices for certain

watchTowr Labs - Blog
Show threadFilippo ValsordaApr 17, 2024

@hdm @alizthehax0r @moloch Thank you for tracing this to the open source project and filing the vulndb entry.

Could you share the vulnerable binary, or run “go version -m” on it? I want to confirm govulncheck would have flagged it if the CVE was already known.

Show threadAlizApr 17, 2024
@filippo @hdm @moloch I can't share the binary, I'm afraid, I think I'd get in trouble. I copied the binary in question off the device and ran my Ubuntu box's 'go version -m' -- I have approximately zero golang experience so my apologies if this isn't what you need:
p2/usr/local/bin/gpsvc: go1.13.15
path gpsvc
mod gpsvc (devel)
dep github.com/go-redis/redis v6.15.2+incompatible h1:9SpNVG76gr6InJGxoZ6IuuxaCOQwDAhzyXg+Bs+0Sb4=
dep github.com/google/flatbuffers v1.11.0 h1:O7CEyB8Cb3/DmtxODGtLHcEvpr81Jm5qLg/hsHnxA2A=
dep github.com/google/uuid v1.1.1 h1:Gkbcsh/GbpXz7lPftLA3P6TYMwjCLYm83jiFQZF/3gY=
dep github.com/gorilla/mux v1.7.4 h1:VuZ8uybHlWmqV03+zRzdwKL4tUnIp1MAQtp1mIFE1bc=
dep github.com/gorilla/securecookie v1.1.1 h1:miw7JPhV+b/lAHSXz4qd/nN9jRiAFV5FwjeKyCS8BvQ=
dep github.com/gorilla/sessions v1.2.1 h1:DHd3rPN5lE3Ts3D8rKkQ8x/0kqfeNmBAaiSi+o7FsgI=
dep github.com/kataras/jwt v0.1.8 h1:u71baOsYD22HWeSOg32tCHbczPjdCk7V4MMeJqTtmGk=
dep github.com/rs/zerolog v1.15.0 h1:uPRuwkWF4J6fGsJ2R0Gn2jB1EQiav9k3S6CSdygQJXY=
dep golang.org/x/net v0.0.0-20190620200207-3b0461eec859 h1:R/3boaszxrf1GEUWTVDzSKVwLmSJpwZ1yqXm8j0v2QI=
dep golang.org/x/sys v0.0.0-20200122134326-e047566fdf82 h1:ywK/j/KkyTHcdyYSZNXGjMwgmDSfjglYZ3vStQ/gSCU=
dep paloaltonetworks.com/libs v0.0.0
=> ../libs
Show threadXebulun EnEssEitch
@alizthehax0r @filippo @hdm @moloch
(from a 10.2.8 vmseries via google cloud)
Apr 18, 2024 at 10:27amWeb