Palo Alto Networks has released a security advisory for a critical vulnerability with a CVSS score of 10 that is currently being exploited in the wild in a limited number of attacks.

Tracked as CVE-2024-3400, this vulnerability, which is within the GlobalProtect feature of Palo Alto Networks PAN-OS, could allow malicious actors to execute arbitrary code with root privileges on the firewall.

Palo Alto Networks' threat research team, Unit 42, has published details of the malicious campaign, named 'Operation MidnightEclipse', including the TTPs and IoCs used within it. Separately, the Volexity Threat Research team attributes the campaign to a threat actor it tracks as 'UTA0218'.

CVE-2024-3400

A command injection vulnerability in the GlobalProtect feature of Palo Alto Networks PAN-OS software for specific PAN-OS versions and distinct feature configurations may enable an unauthenticated attacker to execute arbitrary code with root privileges on the firewall. Cloud NGFW, Panorama appliances, and Prisma Access are not impacted by this vulnerability.

Version        Affected Version
PAN-OS 10.2    < 10.2.9-h1
PAN-OS 11.0    < 11.0.4-h1
PAN-OS 11.1    < 11.1.2-h3

Note: This issue is applicable only to PAN-OS 10.2, PAN-OS 11.0, and PAN-OS 11.1 firewalls configured with a GlobalProtect gateway or GlobalProtect portal (or both). The original advisory also listed device telemetry as a precondition; Palo Alto Networks has since revised it to state that device telemetry does not need to be enabled for a firewall to be exposed, so treat any firewall on an affected version with a GlobalProtect gateway or portal as exposed regardless of the telemetry setting.

You can verify whether you have a GlobalProtect gateway or GlobalProtect portal configured by checking for entries in your firewall web interface (Network > GlobalProtect > Gateways or Network > GlobalProtect > Portals), and you can verify whether device telemetry is enabled under Device > Setup > Telemetry. The running PAN-OS version is shown under Dashboard > General Information, or with the CLI command show system info (the sw-version field).
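The version table above is easy to misread when hotfix suffixes are involved (10.2.9 without the -h1 hotfix is still affected). The following is an added example, not code from CERT-PH or Palo Alto Networks, that encodes the fixed releases from the table and classifies a version string pulled from the sw-version line of show system info output. The sample CLI output embedded below is constructed for illustration; the fixed-version values are taken from the table.

```python
"""Check a PAN-OS version string against the CVE-2024-3400 fixed releases.

Added example (not CERT-PH's or Palo Alto Networks' own code). The fixed
releases come from the advisory table; the 'show system info' sample
output is constructed for illustration.
"""
import re

# Minimum fixed release per affected PAN-OS branch:
# (major, minor) -> (maintenance, hotfix), i.e. 10.2.9-h1, 11.0.4-h1, 11.1.2-h3
FIXED = {
    (10, 2): (9, 1),
    (11, 0): (4, 1),
    (11, 1): (2, 3),
}

_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:-h(\d+))?$")


def parse_version(version):
    """Parse '11.1.2-h3' -> (11, 1, 2, 3). A release without a hotfix
    suffix gets hotfix 0, so 10.2.9 sorts below 10.2.9-h1."""
    m = _VERSION_RE.match(version.strip())
    if not m:
        raise ValueError(f"unrecognised PAN-OS version: {version!r}")
    major, minor, maint, hotfix = m.groups()
    return int(major), int(minor), int(maint), int(hotfix or 0)


def is_vulnerable_version(version):
    """True if the version is below the fixed release of its branch.

    Branches not listed in the advisory (for example 10.1) are not in
    scope of CVE-2024-3400 and return False.
    """
    major, minor, maint, hotfix = parse_version(version)
    fixed = FIXED.get((major, minor))
    if fixed is None:
        return False
    return (maint, hotfix) < fixed


def version_from_system_info(output):
    """Extract the 'sw-version:' field from 'show system info' CLI output."""
    for line in output.splitlines():
        key, sep, value = line.partition(":")
        if sep and key.strip() == "sw-version":
            return value.strip()
    raise ValueError("no sw-version line found in output")


# Constructed sample of the relevant lines of 'show system info' output.
SAMPLE_SYSTEM_INFO = """\
hostname: fw-edge-01
model: PA-3220
sw-version: 10.2.8
global-protect-client-package-version: 6.0.4
"""

if __name__ == "__main__":
    ver = version_from_system_info(SAMPLE_SYSTEM_INFO)
    state = "AFFECTED" if is_vulnerable_version(ver) else "not affected"
    print(f"PAN-OS {ver}: {state}")
```

This only answers the version question; whether a GlobalProtect gateway or portal is configured still has to be confirmed in the web interface as described above, and a firewall on an affected version with either configured should be treated as exposed until patched.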

CERT-PH recommends the following actions be taken:

  • Kindly review and apply the necessary updates or workaround to mitigate current and future threats.
  • Security administrators may review the TTPs (Tactics, Techniques, and Procedures) and IoCs (Indicators of Compromise) published for the monitored malicious campaign for detection and prevention.
    • https://unit42.paloaltonetworks.com/cve-2024-3400/
    • https://www.volexity.com/blog/2024/04/12/zero-day-exploitation-of-unauthenticated-remote-code-execution-vulnerability-in-globalprotect-cve-2024-3400/
  • For additional information, kindly refer to the official report.
    • https://security.paloaltonetworks.com/CVE-2024-3400