
Dear Reader,

On 12 April 2024, Palo Alto warned about a critical command injection vulnerability in the GlobalProtect feature of Palo Alto Networks PAN-OS software. Vulnerable PAN-OS versions and distinct feature configurations may enable an unauthenticated attacker to execute arbitrary code with root privileges on the firewall. [1]

Description

GlobalProtect is a VPN platform by Palo Alto. The GlobalProtect gateways provide security enforcement for traffic from the GlobalProtect apps. [2]

This vulnerability, tracked as CVE-2024-3400, affects firewalls for PAN-OS versions:

  • 11.1 (< 11.1.2-h3)
  • 11.0 (< 11.0.4-h1)
  • 10.2 (< 10.2.9-h1)

provided that both a GlobalProtect gateway and device telemetry are enabled in the configuration. [1]

Please note that, at the time of writing, the latest version is still vulnerable and that telemetry is enabled by default starting with v11. Cloud NGFW, Panorama appliances, and Prisma Access are not impacted by this vulnerability.

As stated previously, this is a command injection vulnerability that allows attackers to execute code with root privileges on the firewall. Accordingly, its CVSS v4.0 score is 10.0.

Attackers can exploit this vulnerability over the internet without any special privileges. Since the vulnerability is easy to exploit, mass exploitation in the near future is likely. Palo Alto expects to release a patch for PAN-OS to mitigate this vulnerability by Sunday, April 14, 2024.

Impact

We estimate the impact of this vulnerability as HIGH because successful exploitation could result in unauthenticated remote code execution. This opens the door for attackers to craft malicious requests and execute arbitrary code with root privileges on vulnerable firewalls.

Risk

We estimate the risk of this vulnerability as HIGH given the “Low” attack complexity, and the fact that the product is typically deployed at the edge of the network.

Mitigation

At the time of writing, Palo Alto has stated that a hotfix for this vulnerability will be released by the 14th of April, 2024. In the meantime, they recommend applying the following workaround immediately:

  • Customers with a Threat Prevention subscription can block attacks for this vulnerability by enabling Threat ID 95187.
  • In addition to enabling Threat ID 95187, customers must ensure vulnerability protection has been applied to their GlobalProtect interface. Please see [3] for more information.

If you are unable to apply the Threat Prevention based mitigation at this time, you can still mitigate the impact of this vulnerability by temporarily disabling device telemetry until the device is upgraded to a fixed PAN-OS version. Once upgraded, device telemetry should be re-enabled on the device.

Please see the following page for details on how to temporarily disable device telemetry [4].

What should you do?

If you’re using a vulnerable version of PAN-OS that acts as a GlobalProtect gateway, check whether device telemetry is enabled. If so, follow the mitigation steps above to disable telemetry immediately, and install the patch on April 14, or as soon as it is released.
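As an added illustration (not part of Northwave's advisory or any Palo Alto tooling), the following Python script encodes the version thresholds and configuration conditions stated above and triages a constructed device inventory against them; the hostnames, the inventory field names and the idea of an inventory export are assumptions. PAN-OS hotfix builds ("-h3") have to be compared numerically, which is where ad-hoc string comparison goes wrong.

```python
import re

# Fixed builds taken from the advisory: a device on one of these release lines is vulnerable
# when it runs an OLDER build, and only if a GlobalProtect gateway and device telemetry are enabled.
FIXED_BUILDS = {
    (11, 1): "11.1.2-h3",
    (11, 0): "11.0.4-h1",
    (10, 2): "10.2.9-h1",
}

_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:-h(\d+))?$")


def parse_version(text):
    """Turn '11.1.2-h3' into a comparable tuple (11, 1, 2, 3); no hotfix suffix counts as 0."""
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised PAN-OS version string: {text!r}")
    major, minor, maint, hotfix = m.groups()
    return (int(major), int(minor), int(maint), int(hotfix or 0))


def assess(version, gp_gateway_enabled, telemetry_enabled):
    """Classify one firewall as 'vulnerable', 'patched', 'mitigated' or 'not listed'."""
    v = parse_version(version)
    line = (v[0], v[1])
    if line not in FIXED_BUILDS:
        return "not listed"      # release line not named in the advisory
    if v >= parse_version(FIXED_BUILDS[line]):
        return "patched"         # at or beyond the fixed build
    if not (gp_gateway_enabled and telemetry_enabled):
        return "mitigated"       # vulnerable build, but the required configuration is absent
    return "vulnerable"


def triage(inventory):
    """Return the hostnames that still need the workaround or the patch."""
    return [d["host"] for d in inventory
            if assess(d["version"], d["gp_gateway"], d["telemetry"]) == "vulnerable"]


# Constructed sample inventory (hypothetical hosts, not real devices).
SAMPLE_INVENTORY = [
    {"host": "fw-edge-1", "version": "11.1.2", "gp_gateway": True, "telemetry": True},
    {"host": "fw-edge-2", "version": "11.1.2-h3", "gp_gateway": True, "telemetry": True},
    {"host": "fw-dc-1", "version": "10.2.8", "gp_gateway": True, "telemetry": False},
    {"host": "fw-lab-1", "version": "10.1.9", "gp_gateway": True, "telemetry": True},
]

if __name__ == "__main__":
    print("needs action:", triage(SAMPLE_INVENTORY))
```

A "mitigated" device is still on a vulnerable build; it should be re-checked once the fixed build is installed and telemetry is re-enabled.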

What will Northwave do?

We will monitor any developments regarding this vulnerability. If new critical information about this threat arises we will reach out to you. You can call us by phone or send us an email if you would like additional information.

E-mail: soc@northwave.nl
Do you have an incident right now? Call our Incident Response Team: 00800 1744 0000

Disclaimer applies, see below.

Disclaimer

Northwave has made every effort to make this information accurate and reliable. However, the information provided is without warranty of any kind and its use is at the sole risk of the user. Northwave does not accept any responsibility or liability for the accuracy, content, completeness, legality or reliability of the information provided. We shall not be liable for any loss or damage of whatever nature, direct or indirect, consequential or other, whether arising in contract, tort or otherwise, which may arise as a result of your use of, or inability to use, this information or any additional information provided by us in direct or indirect relation to the information provided here.