CVE-2024-3400 PAN-OS: OS Command Injection Vulnerability in GlobalProtect

Created On 04/15/24 16:21 PM - Last Modified 04/30/24 18:43 PM


Question


A command injection vulnerability, resulting from arbitrary file creation, in the GlobalProtect feature of Palo Alto Networks PAN-OS software for specific PAN-OS versions and distinct feature configurations may enable an unauthenticated attacker to execute arbitrary code with root privileges on the firewall.

Cloud NGFW, Panorama appliances, and Prisma Access are not impacted by this vulnerability.

Customers should continue to monitor this security advisory for the latest updates and product guidance.



Environment


  • PAN-OS
  • GlobalProtect
  • CVE-2024-3400


Answer


For the latest updates see CVE-2024-3400 PAN-OS: OS Command Injection Vulnerability in GlobalProtect.

Product Status

Cloud NGFW
  Affected: None
  Unaffected: All

PAN-OS 11.1
  Affected: < 11.1.0-h3, < 11.1.1-h1, < 11.1.2-h3
  Unaffected: >= 11.1.0-h3, >= 11.1.1-h1, >= 11.1.2-h3

PAN-OS 11.0
  Affected: < 11.0.0-h3, < 11.0.1-h4, < 11.0.2-h4, < 11.0.3-h10, < 11.0.4-h1
  Unaffected: >= 11.0.0-h3, >= 11.0.1-h4, >= 11.0.2-h4, >= 11.0.3-h10, >= 11.0.4-h1

PAN-OS 10.2
  Affected: < 10.2.0-h3, < 10.2.1-h2, < 10.2.2-h5, < 10.2.3-h13, < 10.2.4-h16, < 10.2.5-h6, < 10.2.6-h3, < 10.2.7-h8, < 10.2.8-h3, < 10.2.9-h1
  Unaffected: >= 10.2.0-h3, >= 10.2.1-h2, >= 10.2.2-h5, >= 10.2.3-h13, >= 10.2.4-h16, >= 10.2.5-h6, >= 10.2.6-h3, >= 10.2.7-h8, >= 10.2.8-h3, >= 10.2.9-h1

PAN-OS 10.1
  Affected: None
  Unaffected: All

PAN-OS 10.0
  Affected: None
  Unaffected: All

PAN-OS 9.1
  Affected: None
  Unaffected: All

PAN-OS 9.0
  Affected: None
  Unaffected: All

Prisma Access
  Affected: None
  Unaffected: All

Required Configuration for Exposure

This issue is applicable only to PAN-OS 10.2, PAN-OS 11.0, and PAN-OS 11.1 firewalls configured with GlobalProtect gateway or GlobalProtect portal (or both). Device telemetry does not need to be enabled for PAN-OS firewalls to be exposed to attacks related to this vulnerability.

You can verify whether you have a GlobalProtect gateway or GlobalProtect portal configured by checking for entries in your firewall web interface (Network > GlobalProtect > Gateways or Network > GlobalProtect > Portals).

Severity: CRITICAL

CVSSv4.0 Base Score: 10 (CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/AU:Y/R:U/V:C/RE:M/U:Red)

Exploitation Status

Palo Alto Networks is aware of an increasing number of attacks that leverage the exploitation of this vulnerability. Proof of concepts for this vulnerability have been publicly disclosed by third parties.

More information about the vulnerability's exploitation in the wild can be found in the Unit 42 threat brief (https://unit42.paloaltonetworks.com/cve-2024-3400/) and the Palo Alto Networks PSIRT blog post (https://www.paloaltonetworks.com/blog/2024/04/more-on-the-pan-os-cve/).

Weakness Type

CWE-77 Improper Neutralization of Special Elements used in a Command ('Command Injection')

CWE-20 Improper Input Validation

Solution

We strongly advise customers to immediately upgrade to a fixed version of PAN-OS to protect their devices even when workarounds and mitigations have been applied.

This issue is fixed in hotfix releases of PAN-OS 10.2.9-h1, PAN-OS 11.0.4-h1, PAN-OS 11.1.2-h3, and in all later PAN-OS versions. Hotfixes for other commonly deployed maintenance releases will also be made available to address this issue. Please see details below for ETAs regarding the upcoming hotfixes.

PAN-OS 10.2:
- 10.2.9-h1 (Released 4/14/24)
- 10.2.8-h3 (Released 4/15/24)
- 10.2.7-h8 (Released 4/15/24)
- 10.2.6-h3 (Released 4/16/24)
- 10.2.5-h6 (Released 4/16/24)
- 10.2.3-h13 (ETA: 4/17/24)
- 10.2.1-h2 (ETA: 4/17/24)
- 10.2.2-h5 (ETA: 4/18/24)
- 10.2.0-h3 (ETA: 4/18/24)
- 10.2.4-h16 (ETA: 4/19/24)

PAN-OS 11.0:
- 11.0.4-h1 (Released 4/14/24)
- 11.0.3-h10 (Released 4/16/24)
- 11.0.2-h4 (Released 4/16/24)
- 11.0.1-h4 (ETA: 4/17/24)
- 11.0.0-h3 (ETA: 4/18/24)

PAN-OS 11.1:
- 11.1.2-h3 (Released 4/14/24)
- 11.1.1-h1 (Released 4/16/24)
- 11.1.0-h3 (Released 4/16/24)
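The Product Status table and the hotfix list above are enough to decide, for any PAN-OS version string in a device inventory, whether a firewall carries this vulnerability and whether it is exposed (vulnerable and running a GlobalProtect portal or gateway). The following Python is an added example written for this page, not a Palo Alto Networks tool: it encodes the fixed hotfix per maintenance release from the Solution section, treats a version without a "-hN" suffix as hotfix 0, treats maintenance releases newer than the last one listed as fixed (per "all later PAN-OS versions"), and assumes the GlobalProtect configuration state is supplied by the caller. The inventory in the main block is constructed.

```python
import re
from dataclasses import dataclass

# Fixed hotfix for each affected PAN-OS maintenance release, taken from the
# advisory's Solution section (released and ETA hotfixes alike).
FIXED_HOTFIX = {
    (10, 2, 0): 3, (10, 2, 1): 2, (10, 2, 2): 5, (10, 2, 3): 13, (10, 2, 4): 16,
    (10, 2, 5): 6, (10, 2, 6): 3, (10, 2, 7): 8, (10, 2, 8): 3, (10, 2, 9): 1,
    (11, 0, 0): 3, (11, 0, 1): 4, (11, 0, 2): 4, (11, 0, 3): 10, (11, 0, 4): 1,
    (11, 1, 0): 3, (11, 1, 1): 1, (11, 1, 2): 3,
}

# Only these release trains are affected; 9.0, 9.1, 10.0 and 10.1 are not,
# and neither is any later train.
AFFECTED_TRAINS = {(10, 2), (11, 0), (11, 1)}

# PAN-OS version strings look like "10.2.9" or "10.2.9-h1" (assumed format);
# a missing "-hN" suffix is treated as hotfix 0, i.e. the base release.
VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:-h(\d+))?$")


@dataclass
class Assessment:
    version: str
    vulnerable: bool   # the code carries CVE-2024-3400
    exposed: bool      # vulnerable AND a GlobalProtect portal/gateway is configured
    reason: str


def parse_panos_version(version: str) -> tuple[int, int, int, int]:
    """Split 'major.minor.maint[-hN]' into integers; hotfix defaults to 0."""
    m = VERSION_RE.match(version.strip())
    if not m:
        raise ValueError(f"unrecognised PAN-OS version string: {version!r}")
    major, minor, maint, hotfix = m.groups()
    return int(major), int(minor), int(maint), int(hotfix or 0)


def is_vulnerable_version(version: str) -> tuple[bool, str]:
    """Decide vulnerability from the version alone, with the reason."""
    major, minor, maint, hotfix = parse_panos_version(version)
    train = (major, minor)
    if train not in AFFECTED_TRAINS:
        return False, f"release train {major}.{minor} is not affected"
    key = (major, minor, maint)
    if key in FIXED_HOTFIX:
        fixed = FIXED_HOTFIX[key]
        if hotfix >= fixed:
            return False, f"at or above fixed hotfix {major}.{minor}.{maint}-h{fixed}"
        return True, f"below fixed hotfix {major}.{minor}.{maint}-h{fixed}"
    latest_listed = max(k[2] for k in FIXED_HOTFIX if k[:2] == train)
    if maint > latest_listed:
        return False, "newer than the last maintenance release listed; fixed in all later versions"
    # Every maintenance release in the affected trains is listed, so this branch
    # should not be reached; fail closed rather than call an unknown release safe.
    return True, "maintenance release not in the fixed-hotfix list; treat as vulnerable"


def assess(version: str, globalprotect_configured: bool) -> Assessment:
    """Combine the version check with the exposure condition from the advisory:
    a vulnerable build is only exposed if a GlobalProtect portal or gateway is configured."""
    vulnerable, reason = is_vulnerable_version(version)
    exposed = vulnerable and globalprotect_configured
    if vulnerable and not globalprotect_configured:
        reason += "; no GlobalProtect portal or gateway configured, so not exposed"
    return Assessment(version, vulnerable, exposed, reason)


if __name__ == "__main__":
    # Constructed inventory (hostname, PAN-OS version, GlobalProtect configured?).
    inventory = [
        ("fw-edge-1", "10.2.8", True),
        ("fw-edge-2", "11.0.3-h10", True),
        ("fw-lab", "11.1.2", False),
        ("fw-branch", "10.1.11", True),
    ]
    for name, version, gp in inventory:
        a = assess(version, gp)
        print(f"{name:10} {version:12} vulnerable={a.vulnerable!s:5} exposed={a.exposed!s:5} {a.reason}")
```

A device that is vulnerable but not exposed still needs the hotfix: the assessment only orders the patch queue, and enabling a GlobalProtect portal or gateway later would make it exposed immediately.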

Workarounds and Mitigations

Recommended Mitigation: Customers with a Threat Prevention subscription can block attacks for this vulnerability using Threat IDs 95187, 95189, and 95191 (available in Applications and Threats content version 8836-8695 and later). Please monitor this advisory and new Threat Prevention content updates for additional Threat Prevention IDs around CVE-2024-3400.

To apply the Threat IDs, customers must ensure that vulnerability protection has been applied to their GlobalProtect interface to prevent exploitation of this issue on their device. Please see https://live.paloaltonetworks.com/t5/globalprotect-articles/applying-vulnerability-protection-to-globalprotect-interfaces/ta-p/340184 for more information.

In earlier versions of this advisory, disabling device telemetry was listed as a secondary mitigation action. Disabling device telemetry is no longer an effective mitigation. Device telemetry does not need to be enabled for PAN-OS firewalls to be exposed to attacks related to this vulnerability.

Acknowledgments

Palo Alto Networks thanks Volexity for detecting and identifying this issue.

Frequently Asked Questions

Q. Has this issue been exploited in the wild?

Palo Alto Networks is aware of an increasing number of attacks that leverage the exploitation of this vulnerability. Proof of concepts for this vulnerability have been publicly disclosed by third parties.

Q. Are there any checks I can run on my device to look for indicators of exploit activity?

The following command can be used from the PAN-OS CLI to help identify indicators of exploit activity on the device:

grep pattern "failed to unmarshal session(.\+.\/" mp-log gpsvc.log*

Benign "failed to unmarshal session" error logs typically appear like the following entry:

"message":"failed to unmarshal session(01234567-89ab-cdef-1234-567890abcdef)"

If the value between "session(" and ")" is not a GUID in the format shown above but instead contains a file system path, further investigation is warranted: the log entry may be related to a successful or unsuccessful attempt to exploit CVE-2024-3400.
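The grep above prints any "failed to unmarshal session(" line followed by a "/", which is a loose proxy for "the session value is a path". The Python below is an added example, not Palo Alto Networks code, that runs the same triage over gpsvc.log text exported from a device: it extracts the value between "session(" and ")", accepts only a well-formed GUID as benign, and flags everything else, so a non-GUID value without a slash is also reported. It also reproduces the advisory's grep pattern for comparison. The log lines are constructed for this example and the paths in them are placeholders, not exploit payloads; the JSON-style line layout is an assumption.

```python
import re

# Constructed sample gpsvc.log lines (not captured from a device). Line 2 is the
# benign form quoted in the advisory; lines 3 and 4 carry a file system path where
# the session GUID belongs; line 5 is a non-GUID value without a path.
SAMPLE_GPSVC_LOG = """\
{"level":"info","message":"session established","time":"2024-04-12T10:00:01Z"}
{"level":"error","message":"failed to unmarshal session(01234567-89ab-cdef-1234-567890abcdef)","time":"2024-04-12T10:00:02Z"}
{"level":"error","message":"failed to unmarshal session(../../example/path)","time":"2024-04-12T10:00:03Z"}
{"level":"error","message":"failed to unmarshal session(/tmp/example)","time":"2024-04-12T10:00:04Z"}
{"level":"error","message":"failed to unmarshal session(not-a-guid)","time":"2024-04-12T10:00:05Z"}
"""

# Value between "session(" and ")". The greedy ".*" stops at the last ")" on the
# line, so a path that itself contains ")" is captured whole.
SESSION_RE = re.compile(r"failed to unmarshal session\((?P<value>.*)\)")

# Textual GUID layout: 8-4-4-4-12 hex digits, nothing else.
GUID_RE = re.compile(r"^[0-9a-fA-F]{8}(?:-[0-9a-fA-F]{4}){3}-[0-9a-fA-F]{12}$")

# Python equivalent of the advisory's grep pattern: failed to unmarshal session(.\+.\/
# Note that ".+." may run past the closing ")" and match a "/" anywhere later on the line.
ADVISORY_GREP_RE = re.compile(r"failed to unmarshal session\(.+./")


def classify_session_value(value: str) -> str:
    """'benign' for a GUID, 'suspicious-path' for a value containing a path
    separator, 'unexpected' for any other non-GUID value."""
    if GUID_RE.match(value):
        return "benign"
    if "/" in value:
        return "suspicious-path"
    return "unexpected"


def scan_gpsvc_log(text: str) -> list[tuple[int, str, str]]:
    """Return (line number, classification, session value) for every
    'failed to unmarshal session(...)' entry in the log text."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        m = SESSION_RE.search(line)
        if m:
            value = m.group("value")
            findings.append((lineno, classify_session_value(value), value))
    return findings


def suspicious_entries(text: str) -> list[tuple[int, str, str]]:
    """Only the entries that warrant further investigation."""
    return [f for f in scan_gpsvc_log(text) if f[1] != "benign"]


def advisory_grep_matches(text: str) -> list[int]:
    """Line numbers the advisory's grep pattern would print, for comparison."""
    return [n for n, line in enumerate(text.splitlines(), start=1)
            if ADVISORY_GREP_RE.search(line)]


if __name__ == "__main__":
    for lineno, verdict, value in suspicious_entries(SAMPLE_GPSVC_LOG):
        print(f"line {lineno}: {verdict}: session({value})")
    print("advisory grep would match lines:", advisory_grep_matches(SAMPLE_GPSVC_LOG))
```

On the sample, the grep pattern reports lines 3 and 4 while the GUID check additionally reports line 5. A match in either form is an indicator, not a verdict: the advisory notes the entry may come from a failed attempt as well as a successful one, and a clean gpsvc.log does not rule out compromise, so pair this with the TSF review and the Unit 42 and Volexity indicators referenced below.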

Q. Has my device been compromised by this vulnerability?

Customers are able to open a case in the Customer Support Portal (CSP) and upload a technical support file (TSF) to determine if their device logs match known indicators of compromise (IoC) for this vulnerability.

Q. Where can I find additional indicators of compromise for this issue?

Please refer to the Unit42 Threat Brief (https://unit42.paloaltonetworks.com/cve-2024-3400/) and the Volexity blog post (https://www.volexity.com/blog/2024/04/12/zero-day-exploitation-of-unauthenticated-remote-code-execution-vulnerability-in-globalprotect-cve-2024-3400/) for the latest information.

Q. Are VMs deployed and managed by customers in the cloud impacted?

While Cloud NGFW firewalls are not impacted, specific PAN-OS versions and distinct feature configurations of firewall VMs deployed and managed by customers in the cloud are impacted.

https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA14u000000CrM5CAK&refURL=http%3A%2F%2Fknowledgebase.paloaltonetworks.com%2FKCSArticleDetail