Share this
CVE-2024-3400 Zero Day exploitation of unauthenticated remote code execution on Palo Alto
by Critical Insight on April 15, 2024
UPDATE April 17, 2024
Palo Alto has indicated that disabling device telemetry is no longer considered to be an effective mitigation. Hotfixes have been released to address this vulnerability and Palo Alto urges organizations to prioritize applying the patch.
https://security.paloaltonetworks.com/CVE-2024-3400
-----------------------------
This advisory is for organizations that use Palo Alto firewalls with GlobalProtect. If your organization does not use this platform, this notification may be discarded.
Summary
Palo Alto Networks has warned of an unpatched critical command injection vulnerability present in the PAN-OS firewall which has been seen leveraged in current exploits. This issue affects PAN-OS 10.2, 11.0, and 11.1 firewalls when both the GlobalProtect gateway and device telemetry features are enabled and may be leveraged by a remote attacker to achieve root privileges on the firewall. There is currently no patch addressing this vulnerability, but Palo Alto anticipates a patch to be released by 4/14/2024.
CVE-2024-3400 – PAN-OS: OS Command Injection Vulnerability in GlobalProtect Gateway
CVSSv3: 10.0
Affected Platforms
|
Versions |
Affected |
Unaffected |
|
Cloud NGFW |
None |
All |
|
PAN-OS 11.1 |
< 11.1.2-h3 |
>= 11.1.2-h3 (ETA: By 4/14) |
|
PAN-OS 11.0 |
< 11.0.4-h1 |
>= 11.0.4-h1 (ETA: By 4/14) |
|
PAN-OS 10.2 |
< 10.2.9-h1 |
>= 10.2.9-h1 (ETA: By 4/14) |
|
PAN-OS 10.1 |
None |
All |
|
PAN-OS 10.0 |
None |
All |
|
PAN-OS 9.1 |
None |
All |
|
PAN-OS 9.0 |
None |
All |
|
Prisma Access |
None |
All |
Network Traffic Analysis (by Volexity)
Volexity initially identified activity that led to the discovery of the Palo Alto Networks GlobalProtect firewall device exploitation via an alert for malicious network requests generated by Volexity's NSM sensors. Review of network traffic logs for outbound connections originating from the GlobalProtect firewall device, as well as destined for the device, can help identify anomalous activity. Example activity that Volexity observed from compromised GlobalProtect devices includes the following:
- Direct-to-IP HTTP requests to download files noted in the previous section via wget
While it would not be uncommon to observe wget requests for files in a larger environment, this type of request originating from the firewall device is not something Volexity has observed outside of the attacker activity. - SMB / RDP connections to multiple systems across the environment, originating from the GlobalProtect appliance
- SMB file transfers of Google Chrome or Microsoft Edge browser data or the ntds.dit file
- HTTP request for the URL worldtimeapi[.]org/api/timezone/etc/utc originating from the Global Protect appliance
While this hostname is legitimate, in both occurrences of compromise an HTTP GET request to this URL was observed. This does not appear to be a commonly occurring network request.
Mitigations
Customers with a Threat Prevention subscription can block attacks for this vulnerability by enabling Threat ID 95187 (introduced in Applications and Threats content version 8833-8682).
In addition to enabling Threat ID 95187, customers must ensure vulnerability protection has been applied to their GlobalProtect interface to prevent exploitation of this issue on their device. Please see https://live.paloaltonetworks.com/t5/globalprotect-articles/applying-vulnerability-protection-to-globalprotect-interfaces/ta-p/340184 for more information.
If you are unable to apply the Threat Prevention based mitigation at this time, you can still mitigate the impact of this vulnerability by temporarily disabling device telemetry until the device is upgraded to a fixed PAN-OS version. Once upgraded, device telemetry should be re-enabled on the device. https://docs.paloaltonetworks.com/pan-os/11-0/pan-os-admin/device-telemetry/device-telemetry-configure/device-telemetry-disable
Additional Resources