Fortra is investigating a command injection vulnerability in the GlobalProtect feature of Palo Alto Networks PAN-OS, tracked as CVE-2024-3400. The flaw allows an unauthenticated remote attacker to execute arbitrary code on the firewall with root privileges. The vendor has published mitigations and is actively working on patches, which are scheduled for release on 04/14/2024.
Who is affected?
The following versions of PAN-OS are vulnerable to CVE-2024-3400.
- PAN-OS 11.1 before PAN-OS 11.1.2-h3
- PAN-OS 11.0 before PAN-OS 11.0.4-h1
- PAN-OS 10.2 before PAN-OS 10.2.9-h1
What can I do?
Palo Alto customers are advised to upgrade to a fixed version of PAN-OS as soon as possible. This issue is fixed in the hotfix releases PAN-OS 10.2.9-h1, PAN-OS 11.0.4-h1 and PAN-OS 11.1.2-h3, and in all later PAN-OS versions. Hotfixes for other commonly deployed maintenance releases will also be made available to address this issue.
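A quick way to triage a firewall inventory against the affected and fixed versions listed above is to parse the PAN-OS version string (including its `-hN` hotfix suffix) and compare it per maintenance branch. The following is an added example written for this page, not Fortra or Palo Alto code; the fix table encodes only the three hotfix releases named in this article, so hotfixes Palo Alto later ships for other maintenance releases must be added to it. It is a version check only: it does not tell you whether GlobalProtect is configured on the device or whether the device has already been compromised, which is what the scanners and IoC review described below are for. The hostnames and versions in the sample inventory are constructed.

```python
import re
from typing import Dict, List, Tuple

# Fixed releases per affected maintenance branch, taken from the advisory text
# above: within a branch, maintenance release N is fixed from hotfix hM onward,
# and every later maintenance release is fixed as well. Hotfixes later shipped
# for other maintenance releases in a branch can be added as further N: M entries.
FIXED_FROM: Dict[Tuple[int, int], Dict[int, int]] = {
    (10, 2): {9: 1},  # PAN-OS 10.2.9-h1
    (11, 0): {4: 1},  # PAN-OS 11.0.4-h1
    (11, 1): {2: 3},  # PAN-OS 11.1.2-h3
}

_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:-h(\d+))?$")


def parse_panos_version(version: str) -> Tuple[int, int, int, int]:
    """Split '11.1.2-h3' into (major, minor, maintenance, hotfix); no -h suffix means hotfix 0."""
    m = _VERSION_RE.match(version.strip())
    if not m:
        raise ValueError(f"unrecognised PAN-OS version string: {version!r}")
    major, minor, maint, hotfix = m.groups()
    return int(major), int(minor), int(maint), int(hotfix or 0)


def is_vulnerable_cve_2024_3400(version: str) -> bool:
    """True if the version is in an affected branch and below that branch's fixed release."""
    major, minor, maint, hotfix = parse_panos_version(version)
    branch = FIXED_FROM.get((major, minor))
    if branch is None:
        # Branches the advisory does not list (e.g. 10.1, 9.1) are not affected.
        return False
    if maint > max(branch):
        return False                   # later maintenance release than any fixed one
    if maint in branch:
        return hotfix < branch[maint]  # same maintenance release: compare the hotfix level
    return True                        # older maintenance release with no fix entry


def triage(inventory: Dict[str, str]) -> List[str]:
    """Return the hostnames whose PAN-OS version is vulnerable, sorted."""
    return sorted(host for host, ver in inventory.items()
                  if is_vulnerable_cve_2024_3400(ver))


if __name__ == "__main__":
    # Constructed sample inventory: hostnames and versions are made up for illustration.
    sample = {
        "fw-dc1-edge": "10.2.9",
        "fw-dc1-core": "10.2.9-h1",
        "fw-branch-07": "11.0.3",
        "fw-vpn-gw1": "11.1.2-h2",
        "fw-vpn-gw2": "11.1.2-h3",
        "fw-legacy": "10.1.9-h3",
    }
    for host in triage(sample):
        print(f"{host}: PAN-OS {sample[host]} is affected by CVE-2024-3400, upgrade required")
```

Feed it the version strings from your device inventory (for example, the `sw-version` field from `show system info`); anything it flags needs the hotfix upgrade, and anything it clears still merits the IoC review described next, since a device may have been attacked before it was patched.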
Palo Alto customers can also upload their device technical support files to the Palo Alto Customer Support Portal, where they are checked against the known indicators of compromise (IoCs) for this vulnerability.
For a full list of fixed versions (both released and planned) and for more information about the vulnerability, refer to Palo Alto’s advisory.
How is Fortra helping me?
Fortra is actively researching this threat to build detection capabilities in addition to those listed below.
Alert Logic Network IDS: Alert Logic has released IDS telemetry signatures to aid in detection research.
Alert Logic Vulnerability Scanning: Alert Logic released authenticated scan coverage on April 18, 2024, to identify vulnerable instances. If the vulnerability is found, an exposure (EID: 261077) will be raised for CVE-2024-3400.
Core Impact: A checker for CVE-2024-3400 was delivered to customers on May 22, 2024: "Palo Alto PAN-OS GlobalProtect Unmarshal Reflection Vulnerability Checker" (CVSS 10, Critical).
An unmarshal reflection vulnerability in the GlobalProtect feature of Palo Alto Networks PAN-OS software allows unauthenticated remote attackers to create empty files and directories at arbitrary paths in the operating system. If device telemetry is enabled, this can be escalated to remote OS command injection via the dt_curl Python module. The checker was tested against Palo Alto PA-VM 1.0.0 and performs the vulnerability verification in three steps:
- The first step is a control check: it requests a random filename under the /images directory. Since that file should not exist in the target web application, the web server returns HTTP 404.
- The second step uses the vulnerability to try to create a file of that name at the corresponding location on disk.
- The final step repeats the request from the first step. If the file now exists, the web server returns HTTP 403, which proves the file was created through the vulnerability. Any other status code is treated as the target not being vulnerable.
Fortra VM: Fortra VM Network Scanner 4.41.0, released on April 29, 2024, contains a new authenticated check for CVE-2024-3400: "Palo Alto PAN-OS Security Advisory: PAN-252214" (159375). Additionally, Fortra VM Network Scanner 4.41.1, released on May 2, 2024, contains a new unauthenticated check for the same CVE: "Palo Alto Networks GlobalProtect Command Injection" (159385).
Tripwire IP360: Tripwire released authenticated scan coverage on April 24, 2024, to identify vulnerable instances. If the vulnerability is found, vulnerability 614123 will match for CVE-2024-3400.
Updates
Fortra has kicked off the Emerging Threat process for this vulnerability. This article will be updated with new information about this vulnerability and related Fortra coverage as it becomes available.
04/17/2024: Several hotfixes have been released by Palo Alto, and customers are encouraged to update to a fixed version as soon as possible. Additionally, Alert Logic has released IDS telemetry signatures to aid in detection research.
04/18/2024: Alert Logic released authenticated scan coverage to identify vulnerable instances. If the vulnerability is found, an exposure will be raised for CVE-2024-3400.