CERT-In’s advisory on Palo Alto Networks vulnerabilities and WikiLoader’s fake GlobalProtect installers highlight major security risks.
CERT-In’s recent advisory and the emergence of WikiLoader malware highlight pressing security concerns involving Palo Alto Networks applications and new malware distribution techniques. CERT-In has pinpointed critical vulnerabilities in GlobalProtect, Cloud NGFW, PAN-OS, and Cortex XSOAR.
These vulnerabilities range from privilege escalation and information disclosure to command injection. In parallel, the WikiLoader campaign, which uses fake GlobalProtect installers for malware distribution, illustrates the increasing sophistication of cyber threats.
The vulnerabilities span multiple Palo Alto Networks applications, each with varying degrees of impact and risk. The GlobalProtect app for Windows, a widely used tool for secure remote access, is affected across several versions. Specifically, versions 6.3 < 6.3.1, 6.2 < 6.2.4, 6.1 < 6.1.5, 6.0 < 6.0.x, and 5.1 < 5.1.x are impacted.
CVE-2024-5915 is a local privilege escalation vulnerability found in the GlobalProtect app for Windows. This issue arises from an unspecified error that allows a local user to execute programs with elevated privileges, potentially compromising the entire system. The flaw can enable an attacker who already has local access to gain administrative control over the system, leading to a high risk of system-wide compromise.
The vulnerability is rated as MEDIUM, with a CVSSv4.0 Base Score of 5.2. The attack vector is local, which means that the attacker needs physical or remote desktop access to exploit the flaw. The attack complexity is low, indicating that exploiting the vulnerability does not require sophisticated techniques. The impact can be significant, leading to potential breaches of confidentiality, integrity, and availability.
The vulnerability impacts GlobalProtect App versions 6.3 < 6.3.1, 6.2 < 6.2.4, 6.1 < 6.1.5, 6.0 < 6.0.x, and 5.1 < 5.1.x. Patches and updates are planned, with updates expected by August 2024 for version 6.3.1, November 2024 for 6.0.x, and December 2024 for 5.1.x. Until updates are applied, restricting access to GlobalProtect installation directories and ensuring they are protected from non-administrative modifications is recommended.
CVE-2024-5916 is an information disclosure vulnerability affecting PAN-OS and Cloud NGFW. This flaw involves the exposure of sensitive information, such as secrets, passwords, and tokens of external systems, through configuration logs. A read-only administrator with access to these logs could view sensitive data, leading to potential unauthorized access to critical systems.
This vulnerability is rated as MEDIUM, with a CVSSv4.0 Base Score of 6.0. The attack vector is network-based, meaning that an attacker can exploit the flaw remotely. The attack complexity is low, and no user interaction is required, making the vulnerability particularly concerning. The primary impact is on confidentiality, though integrity and availability are not directly affected.
PAN-OS versions 11.0 < 11.0.4, 10.2 < 10.2.8, and Cloud NGFW versions prior to August 15 on Azure and August 23 on AWS are affected. Organizations should upgrade to PAN-OS 11.0.4, 10.2.8, or later versions and ensure Cloud NGFW is updated to versions released on or after the specified dates. It is also crucial to revoke any compromised credentials to prevent unauthorized access.
CVE-2024-5914 is a command injection vulnerability found in the Cortex XSOAR CommonScripts pack. This issue allows unauthenticated attackers to execute arbitrary commands within the context of an integration container. Command injection vulnerabilities are particularly dangerous as they can be exploited to execute arbitrary commands, potentially leading to severe security breaches.
The vulnerability has a HIGH severity rating, with a CVSSv4.0 Base Score of 7.0. The attack vector is network-based, and while the attack complexity is high, the lack of required user interaction makes it a significant threat. The impact includes substantial risks to confidentiality and integrity, with a potential low impact on availability.
The vulnerability affects versions of the Cortex XSOAR CommonScripts pack before 1.12.33. To address the issue, upgrade to version 1.12.33 or later. Additionally, removing any integration usage of the ScheduleGenericPolling or GenericPollingScheduledTask scripts can help prevent exploitation.
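As an added example (not CERT-In or Palo Alto Networks tooling), the affected ranges quoted above for CVE-2024-5915, CVE-2024-5916 and CVE-2024-5914 encoded as a small triage check that an inventory of installed versions can be run through; the product labels and the inventory rows are constructed, and the "6.0 < 6.0.x" and "5.1 < 5.1.x" entries are modelled as whole branches with a patch still pending.

```python
"""Affected-version triage for the ranges quoted in this advisory.

Constructed example, not CERT-In or Palo Alto Networks tooling. Each range is
(lower bound inclusive, first fixed release exclusive); None means unbounded.
"""
from typing import Optional

# Ranges as the advisory states them. "6.0 < 6.0.x" and "5.1 < 5.1.x" mean the
# whole branch is affected with a patch still pending, so the upper bound is
# the next branch; the XSOAR pack is "before 1.12.33" with no lower bound.
AFFECTED = {
    "GlobalProtect App (Windows)": [  # CVE-2024-5915
        ("6.3", "6.3.1"), ("6.2", "6.2.4"), ("6.1", "6.1.5"),
        ("6.0", "6.1"), ("5.1", "5.2"),
    ],
    "PAN-OS": [("11.0", "11.0.4"), ("10.2", "10.2.8")],  # CVE-2024-5916
    "Cortex XSOAR CommonScripts pack": [(None, "1.12.33")],  # CVE-2024-5914
}


def parse(version: str) -> tuple:
    """Numeric, component-wise key so 6.2.10 sorts above 6.2.4 (a string
    compare would not); a PAN-OS hotfix suffix such as '-h3' is ignored."""
    return tuple(int(p) for p in version.split("-")[0].split("."))


def is_affected(product: str, version: str) -> Optional[bool]:
    """True if vulnerable, False if fixed or outside every listed range,
    None if the advisory does not cover the product."""
    ranges = AFFECTED.get(product)
    if ranges is None:
        return None
    v = parse(version)
    return any((lo is None or parse(lo) <= v) and v < parse(hi) for lo, hi in ranges)


def triage(inventory):
    """inventory: iterable of (host, product, version); returns vulnerable rows."""
    return [row for row in inventory if is_affected(row[1], row[2])]


if __name__ == "__main__":
    # Constructed inventory rows for demonstration.
    sample = [
        ("vpn-client-01", "GlobalProtect App (Windows)", "6.2.3"),
        ("vpn-client-02", "GlobalProtect App (Windows)", "6.2.4"),
        ("fw-edge-01", "PAN-OS", "10.2.8-h3"),
        ("soar-01", "Cortex XSOAR CommonScripts pack", "1.11.9"),
    ]
    for host, product, version in triage(sample):
        print(f"{host}: {product} {version} needs an update")
```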
WikiLoader is a sophisticated loader that has been observed using advanced evasion techniques to distribute malware. The loader leverages SEO poisoning and fake GlobalProtect installers to deliver its payload. This method involves spoofing legitimate software installers, which increases the likelihood of successful malware delivery.
Attackers have utilized SEO poisoning techniques to direct users to spoofed sites, such as bitbucket[.]org, where fake GlobalProtect installers containing WikiLoader components are hosted. This technique capitalizes on the high trust placed in legitimate software sources to trick users into downloading malicious payloads.
Upon infection, WikiLoader downloads and extracts additional components, executes them, and uses legitimate binaries for side-loading. The malware establishes persistence on the system under randomized file names and employs various obfuscation methods to avoid detection.
WikiLoader includes several anti-analysis measures, such as detecting virtual machine environments to evade sandbox analysis, displaying misleading error messages, and employing obfuscation through randomized folder names. These techniques are designed to hinder detection and analysis by security tools.
To effectively address the identified vulnerabilities and new malware threats, organizations should implement the following measures:
The recent CERT-In advisory and the emergence of the WikiLoader malware campaign highlight critical vulnerabilities and evolving cyber threats. The identified vulnerabilities in Palo Alto Networks applications and the sophisticated tactics employed by WikiLoader underscore the need for proactive security measures.
By addressing the vulnerabilities through timely updates, restricting access, and employing robust defense mechanisms, organizations can significantly reduce the risk of exploitation. Additionally, staying alert against sophisticated malware campaigns and continuously improving security practices are essential for protecting systems and sensitive data. Implementing the recommended actions will help to protect against these risks and enhance the overall security posture.