CVE-2024-3400 PAN-OS: OS Command Injection Vulnerability
A critical command injection vulnerability has been identified in the GlobalProtect feature of Palo Alto Networks PAN-OS software, affecting specific PAN-OS versions and feature configurations. The flaw could allow an unauthenticated attacker to execute arbitrary code with root privileges on the firewall. Rated with a CVSS Base Score of 9.8 out of 10, it demands immediate attention and mitigation.
Description
CVE-2024-3400 represents a command injection vulnerability within the GlobalProtect feature of Palo Alto Networks PAN-OS software. It has the potential to enable an unauthorized attacker to execute arbitrary code with root privileges on susceptible firewalls.
Palo Alto Networks has not published further technical details about the nature of the attacks, but it has stated that the issue applies only to firewalls that have both a GlobalProtect gateway (Network > GlobalProtect > Gateways) and device telemetry (Device > Setup > Telemetry) enabled.
The company has acknowledged its awareness of a restricted set of attacks that exploit this vulnerability. Although the exploitation of the vulnerability can be automated, Obrela’s Threat Intelligence team has not yet discovered any publicly available exploits. Nonetheless, we are actively investigating the matter further.
Affected Versions
The flaw affects the following PAN-OS versions (any release below the listed hotfix on each branch), with fixes expected to be released on April 14, 2024.
- PAN-OS < 11.1.2-h3
- PAN-OS < 11.0.4-h1
- PAN-OS < 10.2.9-h1
Recommendations
Palo Alto Networks advises customers with a Threat Prevention subscription to enable Threat ID 95187 to block attempted exploitation. Additionally, it is recommended to apply a vulnerability protection security profile to the GlobalProtect interface to thwart any attempts to exploit this issue on the device. If these steps are not feasible, the vulnerability's impact can be mitigated by temporarily disabling device telemetry until the hotfix is applied, after which telemetry should be re-enabled.
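The advisory gives two conditions for exposure: a PAN-OS version below the fixed hotfix on its branch, and a configuration with both a GlobalProtect gateway and device telemetry enabled. The following triage script is an added example written for this page; it is not code from Palo Alto Networks or Obrela. It parses PAN-OS version strings of the form major.minor.patch with an optional "-hN" hotfix suffix, compares them against the fixed versions listed above, and combines the result with the two configuration flags. The inventory records at the bottom are constructed sample data, and the "unlisted" outcome is an assumption of this example for branches the advisory does not mention (it means "not covered by this advisory", not "safe").

```python
import re
from typing import Dict, List, Tuple

# Fixed releases from the advisory; anything below these on the same branch is affected.
FIXED_VERSIONS: Dict[Tuple[int, int], str] = {
    (11, 1): "11.1.2-h3",
    (11, 0): "11.0.4-h1",
    (10, 2): "10.2.9-h1",
}

# major.minor.patch with an optional "-h<n>" hotfix suffix, e.g. "10.2.9-h1".
_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:-h(\d+))?$")


def parse_panos_version(version: str) -> Tuple[int, int, int, int]:
    """Return (major, minor, patch, hotfix); a missing hotfix suffix counts as 0."""
    match = _VERSION_RE.match(version.strip())
    if not match:
        raise ValueError(f"unrecognised PAN-OS version string: {version!r}")
    major, minor, patch, hotfix = match.groups()
    return (int(major), int(minor), int(patch), int(hotfix or 0))


def assess(version: str, gp_gateway_enabled: bool, telemetry_enabled: bool) -> str:
    """Classify one firewall against CVE-2024-3400.

    Outcomes:
      "patched"     - version is at or above the fixed hotfix for its branch
      "vulnerable"  - affected version with both GlobalProtect gateway and telemetry enabled
      "not-exposed" - affected version, but the required configuration is not present
      "unlisted"    - branch not named in the advisory (assumption of this example)
    """
    parsed = parse_panos_version(version)
    branch = parsed[:2]
    if branch not in FIXED_VERSIONS:
        return "unlisted"
    fixed = parse_panos_version(FIXED_VERSIONS[branch])
    # Tuple comparison orders by major, minor, patch, then hotfix number.
    if parsed >= fixed:
        return "patched"
    if gp_gateway_enabled and telemetry_enabled:
        return "vulnerable"
    return "not-exposed"


def triage(inventory: List[Dict[str, object]]) -> Dict[str, List[str]]:
    """Group firewall names by assessment outcome so the vulnerable set is easy to act on."""
    grouped: Dict[str, List[str]] = {}
    for fw in inventory:
        outcome = assess(str(fw["version"]), bool(fw["gp_gateway"]), bool(fw["telemetry"]))
        grouped.setdefault(outcome, []).append(str(fw["name"]))
    return grouped


# Constructed sample inventory (not real devices) covering each outcome.
SAMPLE_INVENTORY: List[Dict[str, object]] = [
    {"name": "fw-edge-1", "version": "11.1.2", "gp_gateway": True, "telemetry": True},
    {"name": "fw-edge-2", "version": "11.1.2-h3", "gp_gateway": True, "telemetry": True},
    {"name": "fw-dc-1", "version": "10.2.8-h2", "gp_gateway": True, "telemetry": False},
    {"name": "fw-dc-2", "version": "11.0.5", "gp_gateway": True, "telemetry": True},
    {"name": "fw-lab-1", "version": "9.1.14", "gp_gateway": False, "telemetry": True},
]

if __name__ == "__main__":
    for outcome, names in sorted(triage(SAMPLE_INVENTORY).items()):
        print(f"{outcome:12s} {', '.join(names)}")
```

A "not-exposed" device is still running an affected build: temporarily disabling telemetry is the advisory's stop-gap, so those devices belong on the same patch schedule as the "vulnerable" group and should be re-checked once telemetry is re-enabled.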