
WARNING: CVE-2024-3400 IN GLOBALPROTECT GATEWAY IS ACTIVELY EXPLOITED, PATCH IMMEDIATELY!

Reference: Advisory #2024-53
Version: 2.1
Affected software:
  PAN-OS 11.1: < 11.1.2-h3
  PAN-OS 11.0: < 11.0.4-h1
  PAN-OS 10.2: < 10.2.9-h1
Type: Improper Neutralization of Special Elements used in a Command ('Command Injection')
CVE/CVSS: CVE-2024-3400
CVSS 9.8 (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H)

Risks

CVE-2024-3400 is a critical vulnerability in the GlobalProtect VPN feature of Palo Alto Networks PAN-OS software. Successful exploitation allows an unauthenticated attacker to gain root access to the PAN-OS device and execute arbitrary commands, so the full CIA triad (confidentiality, integrity, availability) is impacted. Since the device provides VPN access to the local network, an attacker who compromises it also gains a foothold on the internal network.

Palo Alto disclosed this vulnerability on 12/04/2024, but a patch is only planned for release on 14/04/2024. In the meantime, it is essential to limit the attack surface as much as possible to avoid potential exploitation.

Description

In order to exploit CVE-2024-3400, the GlobalProtect gateway needs to be enabled on the PAN-OS device. This command injection vulnerability has the maximum severity score.

Palo Alto Networks is currently developing a security fix and aims to release it on 14/04/2024. Palo Alto has not shared any technical details about the vulnerability so far, since it is not yet patched, and it is currently being exploited in a limited number of attacks.

CVE-2024-3400 only impacts the following Palo Alto Networks PAN-OS software:

  • PAN-OS 11.1: < 11.1.2-h3
  • PAN-OS 11.0: < 11.0.4-h1
  • PAN-OS 10.2: < 10.2.9-h1

Recommended Actions

Patch

Limit the attack surface of the GlobalProtect gateway as much as possible until Palo Alto releases a security fix, and monitor all of its network activity closely to detect any potential exploitation. Any network resource that the PAN-OS device cannot reach is also out of reach for an attacker who compromises it.

Disabling the GlobalProtect gateway until a patch is released is the most secure option and ensures that the device does not get compromised.

UPDATE 15/04/2024:

- CISA added the vulnerability to its Known Exploited Vulnerabilities list, confirming that CVE-2024-3400 is actively exploited.
- This issue is fixed in hotfix releases of PAN-OS 10.2.9-h1, PAN-OS 11.0.4-h1, PAN-OS 11.1.2-h3, and in all later PAN-OS versions. Hotfixes for other commonly deployed maintenance releases will also be made available to address this issue. Details below for ETAs regarding the upcoming hotfixes in PAN-OS 10.2, PAN-OS 11.0 and PAN-OS 11.1. 

- PAN-OS 10.2:
    - 10.2.9-h1 (Released 14/04/2024)
    - 10.2.8-h3 (ETA: 15/04/2024)  
    - 10.2.7-h8 (ETA: 15/04/2024)  
    - 10.2.6-h3 (ETA: 15/04/2024)  
    - 10.2.5-h6 (ETA: 16/04/2024)  
    - 10.2.3-h13 (ETA: 17/04/2024)  
    - 10.2.1-h2 (ETA: 17/04/2024)  
    - 10.2.2-h5 (ETA: 18/04/2024)  
    - 10.2.0-h3 (ETA: 18/04/2024)  
    - 10.2.4-h16 (ETA: 19/04/2024)  
- PAN-OS 11.0:
    - 11.0.4-h1 (Released 14/04/2024)
    - 11.0.3-h10 (ETA: 15/04/2024)
    - 11.0.2-h4 (ETA: 16/04/2024)
    - 11.0.1-h4 (ETA: 17/04/2024)
    - 11.0.0-h3 (ETA: 18/04/2024)
- PAN-OS 11.1:
    - 11.1.2-h3 (Released 14/04/2024)
    - 11.1.1-h1 (ETA: 16/04/2024)
    - 11.1.0-h3 (ETA: 17/04/2024)
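To turn the hotfix table above into a check a defender can run over an inventory export, here is an added Python example (not code from the CCB or from Palo Alto Networks) that parses PAN-OS version strings with their "-hN" hotfix suffix and decides whether a version falls inside the affected ranges, using only the versions and hotfix numbers listed in this advisory. The function names and the "gateway enabled" flag are my own assumptions.

```python
import re

# First fixed hotfix per PAN-OS maintenance release, taken from the advisory's
# UPDATE 15/04/2024 list. Key: (major, minor, maintenance) -> hotfix number.
FIXED_HOTFIX = {
    (10, 2, 9): 1, (10, 2, 8): 3, (10, 2, 7): 8, (10, 2, 6): 3, (10, 2, 5): 6,
    (10, 2, 4): 16, (10, 2, 3): 13, (10, 2, 2): 5, (10, 2, 1): 2, (10, 2, 0): 3,
    (11, 0, 4): 1, (11, 0, 3): 10, (11, 0, 2): 4, (11, 0, 1): 4, (11, 0, 0): 3,
    (11, 1, 2): 3, (11, 1, 1): 1, (11, 1, 0): 3,
}
# Affected trains and the maintenance release that carries the headline fix
# ("< 10.2.9-h1", "< 11.0.4-h1", "< 11.1.2-h3"). Later maintenance releases
# of these trains ship fixed; other trains are not listed as affected.
AFFECTED_TRAINS = {(10, 2): 9, (11, 0): 4, (11, 1): 2}

_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:-h(\d+))?$")


def parse_panos_version(version: str) -> tuple:
    """Split e.g. '10.2.7-h8' into (10, 2, 7, 8); hotfix is 0 when absent."""
    m = _VERSION_RE.match(version.strip())
    if not m:
        raise ValueError(f"unrecognised PAN-OS version string: {version!r}")
    major, minor, maint, hotfix = m.groups()
    return int(major), int(minor), int(maint), int(hotfix or 0)


def is_vulnerable(version: str) -> bool:
    """True when the version lies inside the CVE-2024-3400 affected ranges."""
    major, minor, maint, hotfix = parse_panos_version(version)
    train = (major, minor)
    if train not in AFFECTED_TRAINS:
        return False            # e.g. 10.1.x is not in the affected list
    if maint > AFFECTED_TRAINS[train]:
        return False            # e.g. 10.2.10 is later than 10.2.9-h1
    fixed_h = FIXED_HOTFIX.get((major, minor, maint))
    if fixed_h is None:
        return True             # no hotfix announced: treat as unpatched
    return hotfix < fixed_h     # 10.2.7-h7 vulnerable, 10.2.7-h8 fixed


def assess(version: str, gateway_enabled: bool) -> str:
    """Combine version status with the advisory's exposure condition
    (the GlobalProtect gateway must be enabled for exploitation)."""
    if not is_vulnerable(version):
        return "patched"
    if gateway_enabled:
        return "vulnerable and exposed: patch immediately or disable the gateway"
    return "vulnerable, gateway disabled: keep it disabled until patched"
```

A reported version is only one input; the check does not replace a review of the device for signs of historic compromise.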

Monitor/Detect

The CCB recommends organizations upscale monitoring and detection capabilities to identify any related suspicious activity, ensuring a swift response in case of an intrusion.

In case of an intrusion, you can report an incident via: https://cert.be/en/report-incident
 
While patching appliances or software to the newest version may provide safety from future exploitation, it does not remediate historic compromise.
