THE THREAT
On April 12, 2024, Palo Alto Networks disclosed a critical actively exploited vulnerability in Palo Alto Networks’ firewalls. Tracked as CVE-2024-3400 (CVSS: 10), this is a command injection vulnerability in the GlobalProtect feature of Palo Alto Networks PAN-OS software. Exploitation of CVE-2024-3400 would allow an unauthenticated remote attacker to execute arbitrary code with root privileges on the firewall.
The vulnerability was reported to Palo Alto by Volexity; the company confirmed that exploitation was observed across multiple organizations. Security patches to address CVE-2024-3400 are not currently available. As such, it is critical that organizations apply the available mitigations immediately.
What we’re doing about it
- eSentire Managed Vulnerability Service (MVS) has plugins in place to identify devices vulnerable to CVE-2024-3400
- The Threat Response Unit (TRU) is performing threat hunts across the eSentire customer base for known Indicators of Compromise (IoCs)
- The eSentire Threat Intelligence team is actively tracking this topic for additional details and detection opportunities
What you should do about it
- Once security patches are made available (April 14th, 2024) they should be applied immediately
- Until security patches are released, disable Device Telemetry to prevent exploitation
- Enable Vulnerability Protection for the GlobalProtect interface
- Organizations that subscribe to Palo Alto Threat Prevention should enable Threat ID 95187 to block attacks
Additional information
CVE-2024-3400 resides in the PAN-OS operating system; it specifically impacts PAN-OS versions 10.2, 11.0, and 11.1. The following “hotfixes” are set to be released on April 14th to address the vulnerability: PAN-OS 10.2.9-h1, PAN-OS 11.0.4-h1, and PAN-OS 11.1.2-h3. Palo Alto Networks Panorama appliances, Cloud NGFW, and Prisma Access solutions are not impacted.
According to Volextity, initial exploitation of the vulnerability was first identified on April 10, although it is possible that attacks were ongoing prior to this date. Details on real-world exploitation have not been publicly shared at this time. As real-world attacks have been confirmed, it is critical that impacted organizations apply the available mitigations immediately, until security patches are made available.
References:
[1]
https://security.paloaltonetworks.com/CVE-2024-3400[2]
https://nvd.nist.gov/vuln/detail/CVE-2024-3400[3]
https://twitter.com/stevenadair/status/1778724526274052445[4]
https://docs.paloaltonetworks.com/pan-os/11-0/pan-os-admin/device-telemetry/device-telemetry-configure/device-telemetry-disable[5]
https://live.paloaltonetworks.com/t5/globalprotect-articles/applying-vulnerability-protection-to-globalprotect-interfaces/ta-p/340184
