A severe command injection flaw, CVE-2024-3400, has been identified in the GlobalProtect gateway feature of certain Palo Alto Networks PAN-OS versions.
This vulnerability, which enables an unauthenticated attacker to execute arbitrary code with root privileges on affected devices, is currently under active exploitation and threatens 82,000 endpoints globally, according to Japanese researchers.
This critical issue was discovered by cybersecurity firm Volexity during routine network defense monitoring. The vulnerability exists in PAN-OS versions 10.2, 11.0, and 11.1 when configured with both the GlobalProtect gateway and device telemetry enabled. In these configurations, exploitation requires no user interaction or special privileges, which makes the exposure high-risk.
Palo Alto Networks has acknowledged a limited number of attacks exploiting this flaw. In the vulnerable versions and configurations, an attacker with network access to the device can inject commands and potentially take control of the firewall. The vulnerability has been assigned the maximum severity score of 10 because of its potential impact on the confidentiality, integrity, and availability of the affected products.
Impact and mitigation
The affected versions are:
- PAN-OS 10.2: versions below 10.2.9-h1
- PAN-OS 11.0: versions below 11.0.4-h1
- PAN-OS 11.1: versions below 11.1.2-h3
Hotfixes for these versions are scheduled for release by April 14, 2024. Systems operating on other versions or configurations, such as Cloud NGFW, Panorama appliances, and Prisma Access, remain unaffected.
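A version check that encodes the thresholds listed above, added here as an example (it is not code from the article or from Palo Alto Networks). It assumes PAN-OS version strings follow the `major.minor.maint[-hN]` pattern shown in the list, and it treats a release without a hotfix suffix as older than the `-h1` hotfix of the same release, which is the case that is easy to get wrong when checking whether a device is patched.

```python
import re
from typing import Optional, Tuple

# Fixed releases as given in the advisory text; any earlier build in the
# same release train is affected. Trains not listed here are out of scope.
FIXED_RELEASES = {
    (10, 2): "10.2.9-h1",
    (11, 0): "11.0.4-h1",
    (11, 1): "11.1.2-h3",
}

# Assumed version format: major.minor.maint with an optional -hN hotfix suffix.
_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:-h(\d+))?$")


def parse_panos_version(version: str) -> Tuple[int, int, int, int]:
    """Turn '10.2.8-h3' into (10, 2, 8, 3). A release with no hotfix suffix
    is given hotfix 0, so the base 10.2.9 build sorts below 10.2.9-h1 and is
    correctly reported as unpatched."""
    m = _VERSION_RE.match(version.strip())
    if not m:
        raise ValueError(f"unrecognised PAN-OS version string: {version!r}")
    major, minor, maint, hotfix = m.groups()
    return (int(major), int(minor), int(maint), int(hotfix or 0))


def is_affected_version(version: str) -> Optional[bool]:
    """True if the build is in an affected train and older than its fix,
    False if it is at or past the fix, None if the train is not listed."""
    parsed = parse_panos_version(version)
    fixed = FIXED_RELEASES.get(parsed[:2])
    if fixed is None:
        return None
    return parsed < parse_panos_version(fixed)


def is_exposed(version: str, globalprotect_gateway: bool, device_telemetry: bool) -> bool:
    """Combine the version check with the configuration conditions the
    article states: GlobalProtect gateway AND device telemetry enabled."""
    return bool(is_affected_version(version)) and globalprotect_gateway and device_telemetry


if __name__ == "__main__":
    # Constructed sample inventory, not real device data.
    for ver, gp, tel in [("10.2.9", True, True), ("11.1.2-h3", True, True), ("11.0.3", True, False)]:
        print(f"{ver:>10}  affected={is_affected_version(ver)}  exposed={is_exposed(ver, gp, tel)}")
```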
Palo Alto Networks recommends enabling Threat ID 95187 for customers with a Threat Prevention subscription. This measure blocks the identified attack patterns. Additionally, applying vulnerability protection directly to the GlobalProtect interface is advised to shield devices until updates become available. Disabling device telemetry is suggested for immediate but temporary protection until the updates are installed.
Palo Alto Networks has provided detailed guidance for users to check their configurations and apply necessary security measures through their customer support portal. They also offer a method for users to verify if their devices have been compromised by comparing device logs with known indicators of compromise.
All organizations running the affected versions of PAN-OS are urged to act immediately to mitigate the risk posed by CVE-2024-3400. Applying the recommended protections now and planning for prompt installation of the forthcoming patches are critical steps in protecting their networks against compromise.