CVE-2024-3400 PAN-OS: OS Command Injection Vulnerability in GlobalProtect Gateway
A command injection vulnerability in the GlobalProtect feature of Palo Alto Networks PAN-OS software for specific PAN-OS versions and distinct feature configurations may enable an unauthenticated attacker to execute arbitrary code with root privileges on the firewall.
Fixes for PAN-OS 10.2, PAN-OS 11.0, and PAN-OS 11.1 are in development and are expected to be released by April 14, 2024. Cloud NGFW, Panorama appliances, and Prisma Access are not impacted by this vulnerability. All other versions of PAN-OS are also not impacted.
| Versions | Affected | Unaffected |
|---|---|---|
| Cloud NGFW | None | All |
| PAN-OS 11.1 | < 11.1.2-h4 | >= 11.1.2-h4 (ETA: By 4/14) |
| PAN-OS 11.0 | < 11.0.4-h4 | >= 11.0.4-h4 (ETA: By 4/14) |
| PAN-OS 10.2 | < 10.2.9-h4 | >= 10.2.9-h4 (ETA: By 4/14) |
| PAN-OS 10.1 | None | All |
| PAN-OS 10.0 | None | All |
| PAN-OS 9.1 | None | All |
| PAN-OS 9.0 | None | All |
| Prisma Access | None | All |
This issue is applicable only to PAN-OS 10.2, PAN-OS 11.0, and PAN-OS 11.1 firewalls with the configurations for both GlobalProtect gateway and device telemetry enabled.
You can verify whether you have a GlobalProtect gateway configured by checking for entries in your firewall web interface (Network > GlobalProtect > Gateways) and verify whether you have device telemetry enabled by checking your firewall web interface (Device > Setup > Telemetry).
CVSSv4.0 Base Score: 10 (CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/AU:Y/R:U/V:C/RE:M/U:Red)
Palo Alto Networks is aware of a limited number of attacks that leverage the exploitation of this vulnerability.
CWE-77 Improper Neutralization of Special Elements used in a Command ('Command Injection')
This issue will be fixed in hotfix releases of PAN-OS 10.2.9-h4 (ETA: By 4/14), PAN-OS 11.0.4-h4 (ETA: By 4/14), and PAN-OS 11.1.2-h4 (ETA: By 4/14), and in all later PAN-OS versions.
Recommended Mitigation: Customers with a Threat Prevention subscription can block attacks for this vulnerability by enabling Threat ID 95187 (introduced in Applications and Threats content version 8833-8682).
In addition to enabling Threat ID 95187, customers must ensure vulnerability protection has been applied to their GlobalProtect interface to prevent exploitation of this issue on their device. Please see https://live.paloaltonetworks.com/t5/globalprotect-articles/applying-vulnerability-protection-to-globalprotect-interfaces/ta-p/340184 for more information.
If you are unable to apply the Threat Prevention based mitigation at this time, you can still mitigate the impact of this vulnerability by temporarily disabling device telemetry until the device is upgraded to a fixed PAN-OS version. Once upgraded, device telemetry should be re-enabled on the device.
Please see the following page for details on how to temporarily disable device telemetry: https://docs.paloaltonetworks.com/pan-os/11-0/pan-os-admin/device-telemetry/device-telemetry-configure/device-telemetry-disable.
Palo Alto Networks is aware of a limited number of attacks that leverage the exploitation of this vulnerability.
Customers are able to open a case in the Customer Support Portal (CSP) and upload a technical support file (TSF) to determine if their device logs match known indicators of compromise (IoC) for this vulnerability.
Vulmon