Active Exploitation of Critical Vulnerability in Palo Alto Networks PAN-OS Software

Published on 12 Apr 2024

[Update on 17 Apr 2024]


Palo Alto Networks has released hotfixes addressing a critical vulnerability (CVE-2024-3400) affecting its PAN-OS software used in its GlobalProtect gateways. The vulnerability has a Common Vulnerability Scoring System (CVSSv3) score of 10.0 and is reportedly being actively exploited.

Successful exploitation of the command injection vulnerability in the GlobalProtect feature could enable an unauthenticated attacker to execute arbitrary code with root privileges on the firewall. 

The vulnerability affects the following products:
  • PAN-OS versions 11.1 prior to 11.1.2-h3
  • PAN-OS versions 11.0 prior to 11.0.4-h1
  • PAN-OS versions 10.2 prior to 10.2.9-h1

The vulnerability affects firewalls that are configured with a GlobalProtect gateway or a GlobalProtect portal (or both). Device telemetry does not need to be enabled for PAN-OS firewalls to be exposed to attacks related to this vulnerability.

To verify whether a GlobalProtect gateway or GlobalProtect portal is configured, check for entries in the firewall web interface (Network > GlobalProtect > Gateways or Network > GlobalProtect > Portals).

Palo Alto Networks has fixed the vulnerability in hotfix releases PAN-OS 10.2.9-h1, PAN-OS 11.0.4-h1, PAN-OS 11.1.2-h3, and in all later PAN-OS versions. Users and administrators of affected versions are strongly advised to upgrade to a fixed version of PAN-OS immediately.
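
The following is an added example, not part of the original alert or any Palo Alto Networks tooling: a small Python triage script that compares an exported firewall inventory against the three fixed releases listed above and the GlobalProtect exposure condition. The hostnames, inventory layout and status strings are assumptions made for illustration, and the check knows only the versions named in this alert, so the vendor advisory remains the authority for any release not listed here.

```python
import re

# Fixed release per release train, taken from the alert text above.
FIXED = {"11.1": "11.1.2-h3", "11.0": "11.0.4-h1", "10.2": "10.2.9-h1"}
_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:-h(\d+))?$")

def parse_version(text):
    """Return (major, minor, maintenance, hotfix); hotfix is 0 when absent."""
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised PAN-OS version string: {text!r}")
    return tuple(int(g) if g else 0 for g in m.groups())

def is_listed_as_affected(version):
    """True if the version is in a listed train and older than its fixed release."""
    parsed = parse_version(version)
    fixed = FIXED.get(f"{parsed[0]}.{parsed[1]}")
    if fixed is None:
        return False  # release train is not listed in this alert
    return parsed < parse_version(fixed)

def triage(inventory):
    """Map hostname -> status; rows are (hostname, version, globalprotect_configured)."""
    result = {}
    for name, version, gp_configured in inventory:
        try:
            affected = is_listed_as_affected(version)
        except ValueError:
            result[name] = "check manually"  # do not guess at odd version strings
            continue
        if not affected:
            result[name] = "not listed as affected"
        elif gp_configured:
            result[name] = "upgrade immediately"
        else:
            result[name] = "affected version, GlobalProtect not configured"
    return result

# Constructed sample inventory (hostnames and versions are made up).
SAMPLE = [
    ("fw-edge-1", "11.1.2-h1", True),
    ("fw-edge-2", "11.1.2-h3", True),
    ("fw-dc-1", "10.2.9", True),
    ("fw-lab-1", "11.0.3", False),
    ("fw-old-1", "10.1.11", True),
    ("fw-odd-1", "unknown", True),
]

if __name__ == "__main__":
    for host, status in triage(SAMPLE).items():
        print(f"{host}: {status}")
```
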

In the meantime, users and administrators with Palo Alto Networks' Threat Prevention Subscription are advised to enable Threat IDs 95187 and 95189 (available in Applications and Threats content version 8835-8689 and later) to block attacks. Users and administrators are also advised to ensure vulnerability protection has been applied to their GlobalProtect interface.

In an earlier version of this alert, disabling device telemetry was listed as a secondary mitigation action. Disabling device telemetry is no longer an effective mitigation.

 

More information is available here:

https://security.paloaltonetworks.com/CVE-2024-3400

https://live.paloaltonetworks.com/t5/globalprotect-articles/applying-vulnerability-protection-to-globalprotect-interfaces/ta-p/340184

https://docs.paloaltonetworks.com/pan-os/11-0/pan-os-admin/device-telemetry/device-telemetry-configure/device-telemetry-disable

https://thehackernews.com/2024/04/zero-day-alert-critical-palo-alto.html