Unveiling CVE-2024-3400: A Critical Zero-Day Vulnerability in GlobalProtect Gateway’s PAN-OS Command Injection
A recent discovery has brought to light a critical vulnerability within Palo Alto Networks PAN-OS software, specifically affecting certain versions configured with GlobalProtect. This vulnerability, identified as CVE-2024-3400, poses a significant risk: it could allow remote attackers to execute arbitrary code with root privileges on the firewall. Initial alerts flagged suspicious network activity originating from a customer's firewall, prompting a thorough investigation that confirmed the device had been compromised. The following day, April 11, 2024, Volexity detected similar exploitation at another NSM customer, attributed to the same malicious actor.
Identified as UTA0218 by Volexity, the threat actor demonstrated the ability to exploit the firewall remotely, establishing a reverse shell and deploying additional tools onto the compromised device. Their primary objective appeared to be the extraction of configuration data, subsequently utilized to navigate laterally within the victimized organizations.
In response to these incidents, Volexity collaborated closely with affected clients and Palo Alto Networks’ Product Security Incident Response Team (PSIRT) to conduct a thorough investigation. Through this partnership, the PSIRT team at Palo Alto Networks confirmed the root cause of the compromise to be an OS command injection vulnerability, now designated as CVE-2024-3400. This vulnerability, rated with a CVSS base score of 10.0, enables unauthenticated remote code execution.
Understanding the technical details and mitigations for this vulnerability is crucial for ensuring the security of affected systems.
Technical Details: The vulnerability, designated as CVE-2024-3400, manifests in the following PAN-OS versions:
- PAN-OS 11.1: versions earlier than 11.1.2-h3 are affected; 11.1.2-h3 and later are unaffected (patch ETA 4/14).
- PAN-OS 11.0: versions earlier than 11.0.4-h1 are affected; 11.0.4-h1 and later are unaffected (patch ETA 4/14).
- PAN-OS 10.2: versions earlier than 10.2.9-h1 are affected; 10.2.9-h1 and later are unaffected (patch ETA 4/14).
It is important to note that PAN-OS versions 10.1, 10.0, 9.1 and 9.0, Cloud NGFW, Panorama appliances and Prisma Access are not affected by this vulnerability.
The vulnerability is only exploitable on firewalls with a specific configuration: a GlobalProtect gateway configured and device telemetry enabled. Both settings can be verified in the firewall web interface.
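As an added example (not part of the original advisory or of any Palo Alto Networks tooling), the following Python checker applies the affected version ranges and the two configuration prerequisites above to a device inventory. Hotfix suffixes such as `-h3` are compared numerically, and the inventory entries are constructed samples.

```python
import re

# Fixed versions from the advisory: a train is affected only below the listed
# hotfix. Trains not in this table (10.1, 10.0, 9.1, 9.0) are not affected.
FIXED_VERSIONS = {
    (11, 1): (11, 1, 2, 3),   # fixed in 11.1.2-h3
    (11, 0): (11, 0, 4, 1),   # fixed in 11.0.4-h1
    (10, 2): (10, 2, 9, 1),   # fixed in 10.2.9-h1
}

_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:-h(\d+))?$")

def parse_version(text: str) -> tuple:
    """Parse 'major.minor.maint[-hN]' into a comparable tuple; no hotfix counts as h0."""
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised PAN-OS version string: {text!r}")
    major, minor, maint, hotfix = m.groups()
    return int(major), int(minor), int(maint), int(hotfix or 0)

def version_affected(text: str) -> bool:
    """True when the version falls inside an affected range from the advisory."""
    v = parse_version(text)
    fixed = FIXED_VERSIONS.get(v[:2])
    if fixed is None:
        return False          # train not listed as affected, e.g. 10.1 or 9.1
    return v < fixed          # tuple comparison handles the numeric hotfix

def assess(version: str, gp_gateway: bool, device_telemetry: bool) -> str:
    """Combine the version check with the two configuration prerequisites."""
    if not version_affected(version):
        return "not affected: version outside the affected ranges"
    if not gp_gateway:
        return "not exploitable: no GlobalProtect gateway configured"
    if not device_telemetry:
        return "not exploitable: device telemetry disabled (re-enable once patched)"
    return "VULNERABLE: patch, or enable Threat ID 95187 / disable telemetry"

if __name__ == "__main__":
    # Constructed sample inventory (hostnames and settings are made up).
    inventory = [
        ("fw-edge-1", "11.1.2-h2", True, True),
        ("fw-edge-2", "11.1.2-h3", True, True),
        ("fw-dc-1", "10.2.8", True, False),
        ("fw-lab", "10.1.9", True, True),
    ]
    for name, ver, gp, tel in inventory:
        print(f"{name:10} {ver:10} {assess(ver, gp, tel)}")
```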
While Palo Alto Networks has acknowledged limited exploitation of this vulnerability in the wild, detailed information regarding these attacks has not been disclosed. Additionally, no proof of concept (PoC) has been observed publicly or within underground forums as of now.
Mitigations: In response to this vulnerability, Palo Alto Networks recommends the following mitigations:
- Customers with a Threat Prevention subscription can mitigate attacks by enabling Threat ID 95187.
- Ensure vulnerability protection is applied to the GlobalProtect interface to prevent exploitation.
- If unable to apply the Threat Prevention mitigation, temporarily disable device telemetry until a patch is released. Once patched, re-enable device telemetry promptly.
- Patches addressing this vulnerability are expected to be available by April 14, 2024. Affected devices should be updated promptly upon patch availability.
- Ensure a Zero Trust architecture is deployed within the organization.