UPDATE April 17, 2024
Palo Alto Networks now states that disabling device telemetry is not an effective mitigation for this vulnerability. Hotfixes addressing it have been released, and Palo Alto Networks urges organizations to prioritize applying them.
https://security.paloaltonetworks.com/CVE-2024-3400
-----------------------------
This advisory is for organizations that use Palo Alto firewalls with GlobalProtect. If your organization does not use this platform, this notification may be discarded.
Summary
Palo Alto Networks has warned of a critical OS command injection vulnerability in the PAN-OS firewall that is being exploited in the wild. It affects PAN-OS 10.2, 11.0, and 11.1 firewalls with the GlobalProtect gateway and device telemetry features enabled, and allows an unauthenticated remote attacker to execute arbitrary code with root privileges on the firewall. At the time this advisory was first issued no patch was available; Palo Alto Networks anticipated fixed releases by 4/14/2024 (see the update at the top of this page).
CVE-2024-3400 – PAN-OS: OS Command Injection Vulnerability in GlobalProtect Gateway
CVSSv3: 10.0
Affected Platforms

Platform      | Affected     | Unaffected
Cloud NGFW    | None         | All
PAN-OS 11.1   | < 11.1.2-h3  | >= 11.1.2-h3 (ETA: by 4/14)
PAN-OS 11.0   | < 11.0.4-h1  | >= 11.0.4-h1 (ETA: by 4/14)
PAN-OS 10.2   | < 10.2.9-h1  | >= 10.2.9-h1 (ETA: by 4/14)
PAN-OS 10.1   | None         | All
PAN-OS 10.0   | None         | All
PAN-OS 9.1    | None         | All
PAN-OS 9.0    | None         | All
Prisma Access | None         | All
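The table above is easy to misread when hotfix suffixes are involved (11.1.2 is affected, 11.1.2-h3 is not, and 11.1.3 is a later release than 11.1.2-h3). The following is an added example, not part of the original advisory or any Palo Alto Networks tooling, that encodes the table and triages a constructed inventory of firewall version strings. The fixed-version boundaries are taken from the table; the inventory, hostnames, and the `-hN` hotfix parsing rule are assumptions for illustration.

```python
import re
from typing import Dict, List, Optional, Tuple

# First fixed release per affected feature train, transcribed from the
# advisory table above. Anything lower in the same train is affected.
FIXED_VERSIONS: Dict[Tuple[int, int], str] = {
    (11, 1): "11.1.2-h3",
    (11, 0): "11.0.4-h1",
    (10, 2): "10.2.9-h1",
}

# Feature trains the table lists as entirely unaffected.
UNAFFECTED_TRAINS = {(10, 1), (10, 0), (9, 1), (9, 0)}

# Assumption: PAN-OS versions look like MAJOR.MINOR.PATCH with an optional
# "-hN" hotfix suffix. A version without a suffix sorts before "-h1".
VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:-h(\d+))?$")


def parse_version(text: str) -> Tuple[int, int, int, int]:
    """Turn '11.1.2-h3' into a comparable tuple (11, 1, 2, 3)."""
    match = VERSION_RE.match(text.strip())
    if not match:
        raise ValueError(f"unrecognised PAN-OS version string: {text!r}")
    major, minor, patch, hotfix = match.groups()
    return (int(major), int(minor), int(patch), int(hotfix or 0))


def is_affected(version: str) -> Optional[bool]:
    """True if the version is below the fix for its train, False if fixed
    or in an unaffected train, None if the train is not in the table."""
    parsed = parse_version(version)
    train = parsed[:2]
    if train in FIXED_VERSIONS:
        return parsed < parse_version(FIXED_VERSIONS[train])
    if train in UNAFFECTED_TRAINS:
        return False
    return None


def triage(inventory: Dict[str, str]) -> Dict[str, List[str]]:
    """Bucket hosts into 'patch', 'ok' and 'unknown' from a name -> version map."""
    buckets: Dict[str, List[str]] = {"patch": [], "ok": [], "unknown": []}
    for host, version in sorted(inventory.items()):
        status = is_affected(version)
        key = "unknown" if status is None else ("patch" if status else "ok")
        buckets[key].append(f"{host} ({version})")
    return buckets


# Constructed inventory for illustration; hostnames and versions are made up.
SAMPLE_INVENTORY = {
    "fw-edge-01": "11.1.2",       # below 11.1.2-h3 -> affected
    "fw-edge-02": "11.1.2-h3",    # first fixed release
    "fw-dc-01": "11.0.4",         # below 11.0.4-h1 -> affected
    "fw-branch-07": "10.2.9-h1",  # fixed
    "fw-lab-01": "10.1.9",        # unaffected train
    "fw-new-01": "12.0.0",        # not covered by the table
}

if __name__ == "__main__":
    for bucket, hosts in triage(SAMPLE_INVENTORY).items():
        print(f"{bucket}: {', '.join(hosts) or '-'}")
```

Feed the function the version strings from your firewall inventory (the value reported as sw-version on each device) and patch everything in the "patch" bucket first; "unknown" means the train is not covered by this table and needs checking against the vendor advisory.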
Network Traffic Analysis (by Volexity)
Volexity first identified the activity that led to discovery of the GlobalProtect exploitation through an alert for malicious network requests raised by its NSM sensors. Reviewing network traffic logs for connections originating from the GlobalProtect firewall itself (outbound), as well as connections destined for the firewall (inbound), can surface anomalous activity: a firewall should only ever initiate connections to a small, known set of destinations (DNS, NTP, logging, vendor update and telemetry services), so any other outbound session from its interfaces warrants investigation. Volexity's report lists example activity observed from compromised GlobalProtect devices.
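As an added example of the log review described above (not Volexity's tooling and not part of the original advisory), the script below runs a simple baseline check over constructed traffic-log records: any session the firewall itself initiates to a destination outside an expected list, and any inbound session to the firewall on a port it should not be serving, is flagged, and peers that show up repeatedly are listed for follow-up. The firewall addresses, the baseline of expected destinations and ports, and all sample flows are assumptions made up for illustration; substitute your own interface addresses and baseline.

```python
import csv
import io
import ipaddress
from collections import Counter
from typing import Dict, List

# Assumed interface addresses of the GlobalProtect firewall (hypothetical).
FIREWALL_IPS = {
    ipaddress.ip_address("203.0.113.10"),  # GlobalProtect portal/gateway
    ipaddress.ip_address("192.168.1.1"),   # management interface
}

# Hypothetical baseline: the only (destination, port) pairs the firewall
# itself is expected to initiate connections to.
EXPECTED_OUTBOUND = {
    ("192.168.1.53", 53),     # internal DNS
    ("192.168.1.123", 123),   # NTP
    ("192.168.1.200", 514),   # syslog collector
    ("198.51.100.20", 443),   # vendor update/telemetry endpoint per local baseline
}

# Hypothetical baseline: ports on which the firewall should accept connections.
EXPECTED_INBOUND_PORTS = {443, 4501, 22}  # GlobalProtect HTTPS, IPsec tunnel, mgmt SSH

# Constructed traffic-log excerpt (not real data). One session per line.
SAMPLE_FLOWS = """\
ts,src,sport,dst,dport,proto
2024-04-11T03:12:01Z,203.0.113.10,51234,192.168.1.53,53,udp
2024-04-11T03:12:05Z,203.0.113.10,51240,198.51.100.20,443,tcp
2024-04-11T03:13:10Z,203.0.113.10,51301,198.51.100.77,443,tcp
2024-04-11T03:13:12Z,203.0.113.10,51302,198.51.100.77,8443,tcp
2024-04-11T03:14:00Z,198.51.100.77,44001,203.0.113.10,443,tcp
2024-04-11T03:14:30Z,198.51.100.77,44002,203.0.113.10,2222,tcp
2024-04-11T03:15:00Z,10.0.5.7,50000,203.0.113.10,443,tcp
"""


def find_anomalies(flow_csv: str) -> List[Dict[str, object]]:
    """Return one finding per session that deviates from the baseline."""
    findings: List[Dict[str, object]] = []
    for row in csv.DictReader(io.StringIO(flow_csv)):
        src = ipaddress.ip_address(row["src"])
        dst = ipaddress.ip_address(row["dst"])
        dport = int(row["dport"])
        if src in FIREWALL_IPS and (str(dst), dport) not in EXPECTED_OUTBOUND:
            # The firewall opened a connection to somewhere it never should.
            findings.append({"ts": row["ts"], "kind": "unexpected_outbound",
                             "peer": str(dst), "port": dport})
        elif dst in FIREWALL_IPS and dport not in EXPECTED_INBOUND_PORTS:
            # Someone connected to the firewall on a port it does not serve.
            findings.append({"ts": row["ts"], "kind": "unexpected_inbound_port",
                             "peer": str(src), "port": dport})
    return findings


def peers_to_investigate(findings: List[Dict[str, object]]) -> List[str]:
    """Peers appearing in more than one finding, most frequent first."""
    counts = Counter(str(f["peer"]) for f in findings)
    return [peer for peer, n in counts.most_common() if n > 1]


if __name__ == "__main__":
    found = find_anomalies(SAMPLE_FLOWS)
    for f in found:
        print(f"{f['ts']} {f['kind']:<24} peer={f['peer']} port={f['port']}")
    print("investigate:", peers_to_investigate(found))
```

Inbound GlobalProtect client traffic on 443 is normal and is not flagged; what stands out in the sample is the firewall itself reaching out to an unbaselined host, followed by that same host connecting back to the firewall on a port it should not be listening on.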
Mitigations
Customers with a Threat Prevention subscription can block attacks against this vulnerability by enabling Threat ID 95187 (introduced in Applications and Threats content version 8833-8682). Confirm the installed content version on each device (the app-version field of show system info) is at or above that release before relying on the signature.
In addition to enabling Threat ID 95187, customers must ensure vulnerability protection has been applied to their GlobalProtect interface to prevent exploitation of this issue on their device. Please see https://live.paloaltonetworks.com/t5/globalprotect-articles/applying-vulnerability-protection-to-globalprotect-interfaces/ta-p/340184 for more information.
If you are unable to apply the Threat Prevention based mitigation at this time, the original guidance was to temporarily disable device telemetry until the device is upgraded to a fixed PAN-OS version, then re-enable it after the upgrade (see https://docs.paloaltonetworks.com/pan-os/11-0/pan-os-admin/device-telemetry/device-telemetry-configure/device-telemetry-disable). Per the April 17 update at the top of this page, Palo Alto Networks no longer considers disabling telemetry an effective mitigation; upgrading to a fixed release is the only complete remedy.
Additional Resources
https://security.paloaltonetworks.com/CVE-2024-3400