PAN-OS GlobalProtect Gateway vulnerability

12 April 2024 | April 19th, 2024 | CERT, SOC, Vulnerability

This live blog contains information regarding a PAN-OS GlobalProtect Gateway vulnerability. As soon as we have an update, we’ll add it to this post. More information about possible risks and details can be found at the bottom of this blog.

Last updated on April 18, 2024.

Update April 18 2024

18:00 | Palo Alto has now made updates available to fix the vulnerability. Researchers have also published proof-of-concept (PoC) code that demonstrates the vulnerability identified as CVE-2024-3400. In addition, Palo Alto has indicated on its website that the proof-of-concept has been made public by third parties.

Palo Alto has indicated on its website that the previously given advice to mitigate the threat by temporarily disabling Device Telemetry is no longer an effective solution. Device Telemetry does not need to be enabled to exploit this vulnerability in PAN-OS. The website also shares command-line interface (CLI) commands that users can run to search their systems for possible exploitation attempts.

Update April 12 2024

13:30 | On the 12th of April 2024, Palo Alto published an Advisory in which they describe CVE-2024-3400. This vulnerability may allow an unauthenticated attacker to execute arbitrary code with root privileges on the firewall.

Palo Alto is aware of attacks in the wild that leverage this vulnerability, but no public exploit code is available for it. No updates are currently available to fix this vulnerability. Palo Alto has published mitigation advice to apply until a hotfix is released.

Because the vulnerability is already being exploited in the wild and the affected solution is (potentially) exposed, this vulnerability is very critical and must be remediated as soon as possible!

Background

On the 12th of April 2024, Palo Alto published an Advisory in which they describe CVE-2024-3400. This vulnerability may allow an unauthenticated attacker to execute arbitrary code with root privileges on the firewall. Palo Alto has issued mitigation advice and is working on a hotfix. This hotfix is expected to be released on the 14th of April.

Potential Risk

CVE-2024-3400 allows an unauthenticated attacker to execute arbitrary code or commands with root privileges on the firewall. The vulnerability has a CVSSv4 score of 10. The CVSS scale runs from 0 to 10. A score of 9.8 or higher is rare and implies a high risk of exploitation with high impact.

Palo Alto is aware of attacks where this vulnerability was exploited in the wild, but no public exploit code is available.

Advice

Vulnerability CVE-2024-3400 in the PAN-OS GlobalProtect Gateway exists in the following versions and can be resolved by upgrading to the listed versions:

| Versions | Affected versions | Unaffected versions |
| --- | --- | --- |
| Cloud NGFW | None | All |
| PAN-OS 11.1 | < 11.1.2-h3 | >= 11.1.2-h3 (ETA: 14th of April) |
| PAN-OS 11.0 | < 11.0.4-h1 | >= 11.0.4-h1 (ETA: 14th of April) |
| PAN-OS 10.2 | < 10.2.9-h1 | >= 10.2.9-h1 (ETA: 14th of April) |
| PAN-OS 10.1 | None | All |
| PAN-OS 10.0 | None | All |
| PAN-OS 9.1 | None | All |
| PAN-OS 9.0 | None | All |
| Prisma Access | None | All |

This vulnerability is also applicable if the affected versions are configured with GlobalProtect Gateway and device telemetry is enabled. To verify this configuration and for a description of the mitigation options, please check the Palo Alto write-up.

If you have a Threat Prevention subscription, the impact of vulnerability CVE-2024-3400 can also be mitigated by enabling Threat ID 95187 and ensuring vulnerability protection is applied to the GlobalProtect interface.

If you are unable to apply the Threat Prevention based mitigation, you can temporarily disable device telemetry until the device is upgraded to a fixed PAN-OS version. Per the April 18 update above, Palo Alto has since indicated that disabling device telemetry is no longer an effective mitigation.
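The version table above can be applied to a firewall inventory with a short script. This is an added example, not code from Tesorion or Palo Alto: the hostnames and inventory are constructed, and the version format (major.minor.maintenance with an optional -h<N> hotfix suffix) is an assumption. It checks the version only, not whether GlobalProtect is configured.

```python
import re

# Per-branch first fixed release, copied from the table above.
FIXED = {(11, 1): "11.1.2-h3", (11, 0): "11.0.4-h1", (10, 2): "10.2.9-h1"}
# Branches the table lists with "None" affected.
UNAFFECTED_BRANCHES = {(10, 1), (10, 0), (9, 1), (9, 0)}

# Assumed version format: major.minor.maintenance with optional -h<N> hotfix.
VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:-h(\d+))?$")


def parse_version(text):
    """Return (major, minor, maintenance, hotfix); hotfix is 0 when absent."""
    match = VERSION_RE.match(text.strip())
    if not match:
        raise ValueError(f"unrecognised PAN-OS version: {text!r}")
    return tuple(int(part or 0) for part in match.groups())


def classify(version):
    """Return 'affected', 'not affected' or 'unknown' for one version string."""
    try:
        parsed = parse_version(version)
    except ValueError:
        return "unknown"  # never guess on a string we cannot parse
    branch = parsed[:2]
    if branch in FIXED:
        fixed = parse_version(FIXED[branch])
        return "affected" if parsed < fixed else "not affected"
    if branch in UNAFFECTED_BRANCHES:
        return "not affected"
    return "unknown"  # branch does not appear in the table


def triage(inventory):
    """Map each hostname to its classification."""
    return {host: classify(version) for host, version in inventory.items()}


# Constructed inventory: hostnames and versions are made up for this example.
SAMPLE_INVENTORY = {
    "fw-edge-01": "11.1.2-h3", "fw-edge-02": "11.1.2",
    "fw-dc-01": "10.2.9", "fw-dc-02": "10.2.10",
    "fw-branch-01": "10.1.11-h5", "fw-lab-01": "11.0.4-h1-custom",
}

if __name__ == "__main__":
    for host, status in sorted(triage(SAMPLE_INVENTORY).items()):
        print(f"{host:14} {SAMPLE_INVENTORY[host]:18} {status}")
```

Devices reported as "unknown" need a manual check against the vendor advisory rather than being treated as safe.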
