CVE-2020-1988 - Vulnerability Details - OpenCVE

An unquoted search path vulnerability in the Windows release of Global Protect Agent allows an authenticated local user with file creation privileges on the root of the OS disk (C:\) or to Program Files directory to gain system privileges. This issue affects Palo Alto Networks GlobalProtect Agent 5.0 versions before 5.0.5; 4.1 versions before 4.1.13 on Windows;

No CVSS v4.0

Attack Vector Local

Attack Complexity Low

Privileges Required High

Scope Unchanged

Confidentiality Impact Low

Integrity Impact Low

Availability Impact Low

User Interaction None

No CVSS v3.0

Access Vector Local

Access Complexity Low

Authentication None

Confidentiality Impact Complete

Integrity Impact Complete

Availability Impact Complete

This CVE is not in the KEV list.

The EPSS score is 0.0013.

Key SSVC decision points have not yet been added.

Vendors	Products
Paloaltonetworks	Globalprotect

Configuration 1 [-]

OR	cpe:2.3:a:paloaltonetworks:globalprotect::::::windows::*
	cpe:2.3:a:paloaltonetworks:globalprotect::::::windows::*

No data.

No data.

Fixes

Solution

This issue is fixed in Global Protect Agent 5.0.5, Global Protect Agent 4.1.13 and all later versions.

Workaround

Do not grant file creation privileges on the root of the OS disk (C:\) or 'Program Files' directory to unprivileged users.

References

Link	Providers
https://security.paloaltonetworks.com/CVE-2020-1988

History

No history.

MITRE

Status: PUBLISHED

Assigner: palo_alto

Published: 2020-04-08T18:41:58.415618Z

Updated: 2024-09-16T18:03:55.930Z

Reserved: 2019-12-04T00:00:00

Link: CVE-2020-1988

Vulnrichment

No data.

NVD

Status : Modified

Published: 2020-04-08T19:15:13.917

Modified: 2024-11-21T05:11:47.710

Link: CVE-2020-1988

Redhat

No data.

OpenCVE Enrichment

No data.

{"containers": {"cna": {"affected": [{"platforms": ["Windows"], "product": "Global Protect Agent", "vendor": "Palo Alto Networks", "versions": [{"changes": [{"at": "5.0.5", "status": "unaffected"}], "lessThan": "5.0.5", "status": "affected", "version": "5.0", "versionType": "custom"}, {"changes": [{"at": "4.1.13", "status": "unaffected"}], "lessThan": "4.1.13", "status": "affected", "version": "4.1", "versionType": "custom"}]}], "configurations": [{"lang": "en", "value": "This issue only affects Windows systems where local users are configured with file creation privileges to the root of the OS disk (C:\\) or 'Program Files' directory."}], "credits": [{"lang": "en", "value": "Palo Alto Networks thanks Ratnesh Pandey of Bromium and Matthew Batten for discovering and reporting this issue."}], "datePublic": "2020-04-08T00:00:00", "descriptions": [{"lang": "en", "value": "An unquoted search path vulnerability in the Windows release of Global Protect Agent allows an authenticated local user with file creation privileges on the root of the OS disk (C:\\) or to Program Files directory to gain system privileges. This issue affects Palo Alto Networks GlobalProtect Agent 5.0 versions before 5.0.5; 4.1 versions before 4.1.13 on Windows;"}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "LOW", "baseScore": 4.2, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "HIGH", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:L/I:L/A:L", "version": "3.1"}}], "problemTypes": [{"descriptions": [{"cweId": "CWE-428", "description": "CWE-428 Unquoted Search Path or Element", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"dateUpdated": "2020-04-08T18:41:58", "orgId": "d6c1279f-00f6-4ef7-9217-f89ffe703ec0", "shortName": "palo_alto"}, "references": [{"tags": ["x_refsource_MISC"], "url": "https://security.paloaltonetworks.com/CVE-2020-1988"}], "solutions": [{"lang": "en", "value": "This issue is fixed in Global Protect Agent 5.0.5, Global Protect Agent 4.1.13 and all later versions."}], "source": {"defect": ["GPC-9320"], "discovery": "EXTERNAL"}, "timeline": [{"lang": "en", "time": "2020-04-08T00:00:00", "value": "Initial publication"}], "title": "Global Protect Agent: Local privilege escalation due to an unquoted search path vulnerability", "workarounds": [{"lang": "en", "value": "Do not grant file creation privileges on the root of the OS disk (C:\\) or 'Program Files' directory to unprivileged users."}], "x_generator": {"engine": "Vulnogram 0.0.9"}, "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "psirt@paloaltonetworks.com", "DATE_PUBLIC": "2020-04-08T16:00:00.000Z", "ID": "CVE-2020-1988", "STATE": "PUBLIC", "TITLE": "Global Protect Agent: Local privilege escalation due to an unquoted search path vulnerability"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "Global Protect Agent", "version": {"version_data": [{"platform": "Windows", "version_affected": "<", "version_name": "5.0", "version_value": "5.0.5"}, {"platform": "Windows", "version_affected": "<", "version_name": "4.1", "version_value": "4.1.13"}, {"platform": "Windows", "version_affected": "!>=", "version_name": "5.0", "version_value": "5.0.5"}, {"platform": "Windows", "version_affected": "!>=", "version_name": "4.1", "version_value": "4.1.13"}]}}]}, "vendor_name": "Palo Alto Networks"}]}}, "configuration": [{"lang": "en", "value": "This issue only affects Windows systems where local users are configured with file creation privileges to the root of the OS disk (C:\\) or 'Program Files' directory."}], "credit": [{"lang": "eng", "value": "Palo Alto Networks thanks Ratnesh Pandey of Bromium and Matthew Batten for discovering and reporting this issue."}], "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "An unquoted search path vulnerability in the Windows release of Global Protect Agent allows an authenticated local user with file creation privileges on the root of the OS disk (C:\\) or to Program Files directory to gain system privileges. This issue affects Palo Alto Networks GlobalProtect Agent 5.0 versions before 5.0.5; 4.1 versions before 4.1.13 on Windows;"}]}, "generator": {"engine": "Vulnogram 0.0.9"}, "impact": {"cvss": {"attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "LOW", "baseScore": 4.2, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "HIGH", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:L/I:L/A:L", "version": "3.1"}}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "CWE-428 Unquoted Search Path or Element"}]}]}, "references": {"reference_data": [{"name": "https://security.paloaltonetworks.com/CVE-2020-1988", "refsource": "MISC", "url": "https://security.paloaltonetworks.com/CVE-2020-1988"}]}, "solution": [{"lang": "en", "value": "This issue is fixed in Global Protect Agent 5.0.5, Global Protect Agent 4.1.13 and all later versions."}], "source": {"defect": ["GPC-9320"], "discovery": "EXTERNAL"}, "timeline": [{"lang": "en", "time": "2020-04-08T00:00:00", "value": "Initial publication"}], "work_around": [{"lang": "en", "value": "Do not grant file creation privileges on the root of the OS disk (C:\\) or 'Program Files' directory to unprivileged users."}]}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-04T06:54:00.605Z"}, "title": "CVE Program Container", "references": [{"tags": ["x_refsource_MISC", "x_transferred"], "url": "https://security.paloaltonetworks.com/CVE-2020-1988"}]}]}, "cveMetadata": {"assignerOrgId": "d6c1279f-00f6-4ef7-9217-f89ffe703ec0", "assignerShortName": "palo_alto", "cveId": "CVE-2020-1988", "datePublished": "2020-04-08T18:41:58.415618Z", "dateReserved": "2019-12-04T00:00:00", "dateUpdated": "2024-09-16T18:03:55.930Z", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.1"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:paloaltonetworks:globalprotect:*:*:*:*:*:windows:*:*", "matchCriteriaId": "F7EC5C47-7311-433B-B557-4713EDB75137", "versionEndExcluding": "4.1.13", "versionStartIncluding": "4.1.0", "vulnerable": true}, {"criteria": "cpe:2.3:a:paloaltonetworks:globalprotect:*:*:*:*:*:windows:*:*", "matchCriteriaId": "5DB0FF9B-4A27-460D-806B-F5D54FD39E89", "versionEndExcluding": "5.0.5", "versionStartIncluding": "5.0.0", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "descriptions": [{"lang": "en", "value": "An unquoted search path vulnerability in the Windows release of Global Protect Agent allows an authenticated local user with file creation privileges on the root of the OS disk (C:\\) or to Program Files directory to gain system privileges. This issue affects Palo Alto Networks GlobalProtect Agent 5.0 versions before 5.0.5; 4.1 versions before 4.1.13 on Windows;"}, {"lang": "es", "value": "Una vulnerabilidad de ruta de b\u00fasqueda sin comillas en la versi\u00f3n de Windows del Global Protect Agent, permite a un usuario local autenticado con privilegios de creaci\u00f3n de archivos en la root del disco del Sistema Operativo (C:\\) o al directorio Program Files para alcanzar privilegios system. Este problema afecta a Global Protect Agent de Palo Alto Networks versiones 5.0 anteriores a 5.0.5; versiones 4.1 anteriores a 4.1.13 en Windows;"}], "id": "CVE-2020-1988", "lastModified": "2024-11-21T05:11:47.710", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "HIGH", "cvssData": {"accessComplexity": "LOW", "accessVector": "LOCAL", "authentication": "NONE", "availabilityImpact": "COMPLETE", "baseScore": 7.2, "confidentialityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "vectorString": "AV:L/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0"}, "exploitabilityScore": 3.9, "impactScore": 10.0, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false}], "cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "LOW", "baseScore": 4.2, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "HIGH", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:L/I:L/A:L", "version": "3.1"}, "exploitabilityScore": 0.8, "impactScore": 3.4, "source": "psirt@paloaltonetworks.com", "type": "Secondary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "baseScore": 6.7, "baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "HIGH", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 0.8, "impactScore": 5.9, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2020-04-08T19:15:13.917", "references": [{"source": "psirt@paloaltonetworks.com", "tags": ["Vendor Advisory"], "url": "https://security.paloaltonetworks.com/CVE-2020-1988"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Vendor Advisory"], "url": "https://security.paloaltonetworks.com/CVE-2020-1988"}], "sourceIdentifier": "psirt@paloaltonetworks.com", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-428"}], "source": "psirt@paloaltonetworks.com", "type": "Secondary"}, {"description": [{"lang": "en", "value": "CWE-428"}], "source": "nvd@nist.gov", "type": "Primary"}]}