Protect yourself against future threats.
===========================================================================
AUSCERT External Security Bulletin Redistribution
ESB-2024.2280.4
CVE-2024-3400 PAN-OS: OS Command Injection Vulnerability in GlobalProtect
Gateway
22 April 2024
===========================================================================
AusCERT Security Bulletin Summary
---------------------------------
Product: GlobalProtect Gateway
PAN-OS
Publisher: Palo Alto Networks
Operating System: Network Appliance
Resolution: Patch/Upgrade
CVE Names: CVE-2024-3400
Original Bulletin:
https://securityadvisories.paloaltonetworks.com/CVE-2024-3400
Comment: CVSS (Max): 10.0 CVE-2024-3400 (CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/AU:Y/R:U/V:C/RE:M/U:Red)
CVSS Source: Palo Alto Networks
Calculator: https://www.first.org/cvss/calculator/4.0#CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/AU:Y/R:U/V:C/RE:M/U:Red
Palo Alto Networks is aware of an increasing number of attacks exploiting this vulnerability and publicly disclosed proof of concepts for this vulnerability.
Revision History: April 22 2024: Vendor added new Threat Prevention ID and clarified information to the advisory
April 17 2024: Palo Alto has advised that disabling device telemetry is no longer an effective mitigation
April 15 2024: Palo Alto updated bulletin to include latest remediation advice and update details
April 12 2024: Initial Release
- --------------------------BEGIN INCLUDED TEXT--------------------
Palo Alto Networks Security Advisories / CVE-2024-3400
CVE-2024-3400 PAN-OS: Arbitrary File Creation Leads to OS Command Injection
Vulnerability in GlobalProtect
Severity 10 . CRITICAL
Urgency HIGHEST
Response Effort MODERATE
Recovery USER
Value Density CONCENTRATED
Attack Vector NETWORK
Attack Complexity LOW
Attack Requirements NONE
Automatable YES
User Interaction NONE
Product Confidentiality HIGH
Product Integrity HIGH
Product Availability HIGH
Privileges Required NONE
Subsequent Confidentiality HIGH
Subsequent Integrity HIGH
Subsequent Availability HIGH
NVD JSON
Published 2024-04-12
Updated 2024-04-19
Reference PAN-252214
Discovered in production use
Description
A command injection as a result of arbitrary file creation vulnerability in the
GlobalProtect feature of Palo Alto Networks PAN-OS software for specific PAN-OS
versions and distinct feature configurations may enable an unauthenticated
attacker to execute arbitrary code with root privileges on the firewall.
Cloud NGFW, Panorama appliances, and Prisma Access are not impacted by this
vulnerability.
Customers should continue to monitor this security advisory for the latest
updates and product guidance.
Product Status
Versions Affected Unaffected
Cloud None All
NGFW
PAN-OS < 11.1.0-h3, < 11.1.1-h1, < >= 11.1.0-h3, >= 11.1.1-h1, >=
11.1 11.1.2-h3 11.1.2-h3
PAN-OS < 11.0.0-h3, < 11.0.1-h4, < >= 11.0.0-h3, >= 11.0.1-h4, >=
11.0 11.0.2-h4, < 11.0.3-h10, < 11.0.2-h4, >= 11.0.3-h10, >=
11.0.4-h1 11.0.4-h1
< 10.2.0-h3, < 10.2.1-h2, < >= 10.2.0-h3, >= 10.2.1-h2, >=
PAN-OS 10.2.2-h5, < 10.2.3-h13, < 10.2.2-h5, >= 10.2.3-h13, >=
10.2 10.2.4-h16, < 10.2.5-h6, < 10.2.4-h16, >= 10.2.5-h6, >=
10.2.6-h3, < 10.2.7-h8, < 10.2.6-h3, >= 10.2.7-h8, >=
10.2.8-h3, < 10.2.9-h1 10.2.8-h3, >= 10.2.9-h1
PAN-OS None All
10.1
PAN-OS None All
10.0
PAN-OS None All
9.1
PAN-OS None All
9.0
Prisma None All
Access
Required Configuration for Exposure
This issue is applicable only to PAN-OS 10.2, PAN-OS 11.0, and PAN-OS 11.1
firewalls configured with GlobalProtect gateway or GlobalProtect portal (or
both). Device telemetry does not need to be enabled for PAN-OS firewalls to be
exposed to attacks related to this vulnerability.
You can verify whether you have a GlobalProtect gateway or GlobalProtect portal
configured by checking for entries in your firewall web interface (Network >
GlobalProtect > Gateways or Network > GlobalProtect > Portals).
Severity: CRITICAL
CVSSv4.0 Base Score: 10 (CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/
SI:H/SA:H/AU:Y/R:U/V:C/RE:M/U:Red)
Exploitation Status
Palo Alto Networks is aware of an increasing number of attacks that leverage
the exploitation of this vulnerability. Proof of concepts for this
vulnerability have been publicly disclosed by third parties.
More information about the vulnerability's exploitation in the wild can be
found in the Unit 42 threat brief: https://unit42.paloaltonetworks.com/
cve-2024-3400/.
Weakness Type
CWE-77 Improper Neutralization of Special Elements used in a Command ('Command
Injection')
Solution
We strongly advise customers to immediately upgrade to a fixed version of
PAN-OS to protect their devices even when workarounds and mitigations have been
applied.
This issue is fixed in PAN-OS 10.2.9-h1, PAN-OS 11.0.4-h1, PAN-OS 11.1.2-h3,
and in all later PAN-OS versions. Customers who upgrade to these versions will
be fully protected.
In addition, to provide the most seamless upgrade path for customers,
additional hotfixes have been made available as a courtesy for other commonly
deployed maintenance releases.
PAN-OS 10.2:
- 10.2.9-h1 (Released 4/14/24)
- 10.2.8-h3 (Released 4/15/24)
- 10.2.7-h8 (Released 4/15/24)
- 10.2.6-h3 (Released 4/16/24)
- 10.2.5-h6 (Released 4/16/24)
- 10.2.4-h16 (Released 4/18/24)
- 10.2.3-h13 (Released 4/18/24)
- 10.2.2-h5 (Released 4/18/24)
- 10.2.1-h2 (Released 4/18/24)
- 10.2.0-h3 (Released 4/18/24)
PAN-OS 11.0:
- 11.0.4-h1 (Released 4/14/24)
- 11.0.4-h2 (Released 4/17/24)
- 11.0.3-h10 (Released 4/16/24)
- 11.0.2-h4 (Released 4/16/24)
- 11.0.1-h4 (Released 4/18/24)
- 11.0.0-h3 (Released 4/18/24)
PAN-OS 11.1:
- 11.1.2-h3 (Released 4/14/24)
- 11.1.1-h1 (Released 4/16/24)
- 11.1.0-h3 (Released 4/16/24)
Workarounds and Mitigations
Recommended Mitigation: Customers with a Threat Prevention subscription can
block attacks for this vulnerability using Threat IDs 95187, 95189, and 95191
(available in Applications and Threats content version 8836-8695 and later).
Please monitor this advisory and new Threat Prevention content updates for
additional Threat Prevention IDs around CVE-2024-3400.
To apply the Threat IDs, customers must ensure that vulnerability protection
has been applied to their GlobalProtect interface to prevent exploitation of
this issue on their device. Please see https:// live.paloaltonetworks.com/t5/
globalprotect-articles/applying-
vulnerability-protection-to-globalprotect-interfaces/ta-p/340184 for more
information.
In earlier versions of this advisory, disabling device telemetry was listed as
a secondary mitigation action. Disabling device telemetry is no longer an
effective mitigation. Device telemetry does not need to be enabled for PAN-OS
firewalls to be exposed to attacks related to this vulnerability.
Acknowledgments
Palo Alto Networks thanks Volexity for detecting and identifying this issue and
thanks the Capability Development Group at Bishop Fox for helping us improve
threat prevention signatures
Frequently Asked Questions
Q.Has this issue been exploited in the wild?
Palo Alto Networks is aware of an increasing number of attacks that
leverage the exploitation of this vulnerability. Proof of concepts for this
vulnerability have been publicly disclosed by third parties.
Q.Are there any checks I can run on my device to look for evidence of attempted
exploit activity?
The following command can be used from the PAN-OS CLI to help identify if
there was an attempted exploit activity on the device:
grep pattern "failed to unmarshal session(.\+.\/" mp-log gpsvc.log*
If the value between "session(" and ")" does not look like a GUID, but
instead contains a file system path or embedded shell commands, this could
be related to an attempted exploitation of CVE-2024-3400, which will
warrant further investigation to correlate with other indicators of
compromise.
Grep output indicating an attempted exploit may look like the following
entry:
failed to unmarshal session(../../some/path)
Grep output indicating normal behavior will typically appear like the
following entry:
failed to unmarshal session(01234567-89ab-cdef-1234-567890abcdef)
Q.Has my device been compromised by this vulnerability?
Customers are able to open a case in the Customer Support Portal (CSP) and
upload a technical support file (TSF) to determine if their device logs
match known attempted exploits for this vulnerability.
Q.Where can I find additional indicators of compromise for this issue?
Please refer to the Unit42 Threat Brief (https://
unit42.paloaltonetworks.com/cve-2024-3400/) and the Volexity blog post (
https:// www.volexity.com/blog/2024/04/12/zero-day-exploitation-of-
unauthenticated-remote-code-execution-vulnerability-in-globalprotect-
cve-2024-3400/) for the latest information.
Q.Are VMs deployed and managed by customers in the cloud impacted?
While the Cloud NGFW managed services on AWS and Azure are not impacted,
VM-Series managed by customers and with specific PAN-OS versions and Global
Protect configurations are impacted.
Timeline
2024-04-19 Clarified vulnerability title and description
2024-04-18 Clarified FAQ regarding evidence of attempted exploit activity
2024-04-17 Added new Threat Prevention Threat ID to Workarounds and Mitigations
2024-04-17 Added a CLI command to search for possible attempts of exploit
activity
2024-04-17 Updated product and mitigation guidance, exploit status, and PAN-OS
fix availability
2024-04-15 All necessary PAN-OS fixes are now available, clarified Workarounds
and Mitigations when using Panorama templates
2024-04-14 Clarified impact on GlobalProtect portal configurations
2024-04-13 Added link to Unit42 threat brief and clarified impact to
customer-managed VMs in the cloud
2024-04-12 Initial publication
Terms of usePrivacyProduct Security Assurance and Vulnerability Disclosure
PolicyReport vulnerabilitiesManage subscriptions
(C) 2024 Palo Alto Networks, Inc. All rights reserved.
- --------------------------END INCLUDED TEXT----------------------
You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.
NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members. As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.
NOTE: This is only the original release of the security bulletin. It may
not be updated when updates to the original are made. If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.
Contact information for the authors of the original document is included
in the Security Bulletin above. If you have any questions or need further
information, please contact them directly.
Previous advisories and external security bulletins can be retrieved from:
https://www.auscert.org.au/bulletins/
===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072
Internet Email: auscert@auscert.org.au
Facsimile: (07) 3365 7031
Telephone: (07) 3365 4417 (International: +61 7 3365 4417)
AusCERT personnel answer during Queensland business hours
which are GMT+10:00 (AEST).
On call after hours for member emergencies only.
===========================================================================