Critical OS Command Injection Vulnerability in Palo Alto’s GlobalProtect Gateway: CVE-2024-3400. The patch is not available yet.
Palo Alto Networks, a leading provider of network security solutions, has recently disclosed a critical vulnerability in its GlobalProtect Gateway feature, which is part of the PAN-OS software.
The vulnerability, tracked as CVE-2024-3400, has a severity rating of 10 and is classified as a CRITICAL issue. It is an OS Command Injection vulnerability that could potentially allow an unauthenticated attacker to execute arbitrary code with root privileges on the firewall.
What is GlobalProtect Gateway?
GlobalProtect Gateway is a feature in Palo Alto Networks’ PAN-OS software that provides secure remote access for users and devices. It enables organizations to extend their network security policies to remote users and devices, ensuring that they are protected regardless of their location.
What is the nature of the vulnerability CVE-2024-3400?
The vulnerability, CVE-2024-3400, is a command injection vulnerability in the GlobalProtect feature of Palo Alto Networks’ PAN-OS software. It affects specific PAN-OS versions and distinct feature configurations, enabling an unauthenticated attacker to execute arbitrary code with root privileges on the firewall.
Which versions of PAN-OS are affected?
The vulnerability affects PAN-OS 10.2, PAN-OS 11.0, and PAN-OS 11.1. The products, Cloud NGFW, Panorama appliances, and Prisma Access are not impacted by this vulnerability.
All other versions of PAN-OS except the ones mentioned are also not impacted.
Are there any fixes available for the affected versions?
Fixes for these versions are in development and are expected to be released by April 14, 2024.
Are there any workarounds or mitigations available?
Yes, users with a Threat Prevention subscription can block attacks for this vulnerability by enabling Threat ID 95187 (introduced in Applications and Threats content version 8833-8682).
Additionally, users must ensure vulnerability protection has been applied to their GlobalProtect interface to prevent exploitation of this issue on their device. If users are unable to apply the Threat Prevention-based mitigation at this time, they can still mitigate the impact of this vulnerability by temporarily disabling device telemetry until the device is upgraded to a fixed PAN-OS version.
Once upgraded, device telemetry should be re-enabled on the device.
Has this vulnerability been exploited in the wild?
Palo Alto Networks shares that they are aware of a limited number of attacks that leverage the exploitation of this vulnerability.
How can you determine if their device is impacted?
Users can verify whether they have a GlobalProtect gateway configured by checking for entries in their firewall web interface (Network > GlobalProtect > Gateways) and verify whether they have device telemetry enabled by checking their firewall web interface (Device > Setup > Telemetry).
Strength your security posture with SOCRadar’s Attack Surface Management and Vulnerability Intelligence Modules
The CVE-2024-3400 vulnerability in Palo Alto Networks’ GlobalProtect Gateway feature is a serious issue that could potentially allow unauthenticated attackers to execute arbitrary code with root privileges on the firewall. Organizations using PAN-OS 10.2, PAN-OS 11.0, and PAN-OS 11.1 are advised to apply the necessary fixes as soon as they become available. In the meantime, implementing the recommended mitigations can help protect against potential exploitation of this vulnerability.
SOCRadar Vulnerability Intelligence
It is crucial for organizations to stay proactive in identifying and addressing vulnerabilities in their systems. SOCRadar’s Attack Surface Management and Vulnerability Intelligence Modules can help organizations stay ahead of threats by continuously monitoring their attack surface, identifying potential vulnerabilities, and providing actionable insights to strengthen their security posture.
