Palo Alto Firewalls Affected by Actively Exploited Vulnerability CVE-2024-3400

Palo Alto Firewall Vulnerability

Palo Alto Networks PAN-OS firewalls have been subject to an increasing number of exploitation attempts since CVE-2024-3400 was disclosed on April 12, 2024.

Recently, Palo Alto Networks identified and fixed a serious flaw in the GlobalProtect feature of its PAN-OS software. However, data from the Shadowserver Foundation showed that thousands of GlobalProtect instances remained exposed.

The issue is a command injection in the GlobalProtect feature of PAN-OS, the operating system that runs the appliances built by Palo Alto Networks. It is tracked as CVE-2024-3400.

What is the CVE-2024-3400 Vulnerability?

According to Palo Alto Networks’ advisory, the vulnerability (CVE-2024-3400) carries the highest possible score of 10.0 on the Common Vulnerability Scoring System (CVSS), i.e. critical severity.

Palo Alto Networks Unit 42 stated in a threat brief that “a critical command injection vulnerability in Palo Alto Networks PAN-OS software enables an unauthenticated attacker to execute arbitrary code with root privileges on the firewall.”

An unauthenticated attacker could execute arbitrary code with root privileges on the firewall by exploiting vulnerable PAN-OS versions (PAN-OS 10.2, 11.0, and 11.1) running specific configurations. This vulnerability is being actively exploited in the wild.

Palo Alto Networks initially stated that only appliances with both device telemetry enabled and a GlobalProtect gateway configured were at risk, and suggested disabling device telemetry as a precautionary measure.

Under the name Operation MidnightEclipse, Palo Alto Networks is tracking the early exploitation of this vulnerability and reports “an increasing number of attacks that leverage the exploitation of this vulnerability.”

Furthermore, according to an April 18, 2024 tweet from the nonprofit Shadowserver Foundation, which collects and analyses data on malicious Internet activity, 22,542 potentially vulnerable Intrusion Prevention Systems (IPS) were exposed to the vulnerability.

Remediations of Palo Alto Networks Firewall Vulnerability

Palo Alto Networks has released remediation guidance for organizations whose firewalls have been compromised through exploitation of CVE-2024-3400.

Customers subscribed to the Palo Alto Networks Threat Prevention service are advised to enable Threat IDs 95187, 95189, and 95191 to block attacks related to this issue.

The company further recommends that users update to a fixed version of PAN-OS immediately to protect their devices.

An earlier version of Palo Alto Networks’ advisory mentioned disabling device telemetry as an additional mitigation. The revised advisory, however, states that PAN-OS firewalls are susceptible to attacks exploiting this vulnerability even when device telemetry is disabled.

Customers who find evidence of unsuccessful exploitation attempts are encouraged to update to the most recent PAN-OS hotfix.

Organizations that discover evidence of someone probing their firewall to test whether it is vulnerable must take the same action. Usually, this evidence consists of an empty (0-byte) file created on the firewall, with no indication that unauthorized commands were executed.

If there are indications of potential data exfiltration, customers must not only update PAN-OS but also perform a private data reset, which eliminates the risk of misuse of device data. Such indications include a file like “running_config.xml” being copied to a location accessible via web requests.

Patches are now available for all affected PAN-OS versions, although Palo Alto Networks initially provided fixes for only a few of them.


Moreover, Shadowserver Foundation statistics show that while the number of internet-exposed devices attackers could compromise has decreased, a few thousand devices remain affected.

Janki Mehta

Janki Mehta is a passionate Cyber-Security Enthusiast who keenly monitors the latest developments in the Web/Cyber Security industry. She puts her knowledge into practice and helps web users by arming them with the necessary security measures to stay safe in the digital world.