About:
RedLegg will occasionally communicate vulnerabilities released outside the usual release schedule to provide additional value to our customers. These emergency bulletins describe vulnerabilities or threats we classify as the highest severity level and warrant out-of-band emergency patching or mitigation action.
Executive Summary
On April 12, 2024, Palo Alto Networks published details related to a vulnerability (CVE-2024-3400) affecting PAN-OS devices running PAN-OS 10.2, PAN-OS 11.0, and PAN-OS 11.1 for firewalls with GlobalProtect gateway and telemetry features enabled. CVE-2024-3400 allows for unauthenticated command injection, allowing adversaries to remotely execute arbitrary commands on PAN-OS devices with GlobalProtect and telemetry enabled with root privileges. This vulnerability has been reported by CISA and Volexity to actively being exploited in the wild as early as April 10, 2024. If you believe that you have been affected by attacks leveraging this vulnerability, Palo Alto recommends uploading a technical support file to their Customer Support Portal to identify if you have been affected or not.
VULNERABILITIES
Palo Alto PAN-OS Command Injection Vulnerability in GlobalProtect Gateway
Identifier: CVE-2024-3400 – CVSS Score 10 (CRITICAL)
Exploit or POC: Yes (Actively Being Exploited)
Update: Palo Alto Networks Security Advisories / CVE-2024-3400
Description: CVE-2024-3400 allows for an unauthenticated user to execute arbitrary code via command injection. Palo Alto Networks has identified a command injection flaw in their GlobalProtect feature of the PAN-OS software. The successful exploitation of this vulnerability could grant an unauthenticated adversary the ability to execute arbitrary code on the impacted firewall using root user privileges.
Mitigation recommendation: Palo Alto has included detailed Workaround and Mitigation recommendations in their Palo Alto Networks Security Advisories / CVE-2024-3400. Palo Alto customers are strongly advised to apply vendor mitigation instructions disclosed above. Palo Alto customers with a Threat Prevention subscription should enable Threat Prevention Threat ID 95187 to block attacks utilizing this vulnerability.
RedLegg Action: None at this time.
