What Happened?
On Friday (4-12-24), Palo Alto announced a new critical vulnerability in devices running their GlobalProtect Gateway. Successful exploitation of this vulnerability leads to command injection and allows an attacker to run arbitrary code as root on the device.
Palo Alto disclosed that they are aware of a “limited number of attacks” using this vulnerability (CVE-2024-3400) in the wild. However, since this is a publicly facing service, it’s more than likely that attackers will begin to increasingly leverage this vulnerability.
Impacted Versions, Available Patches, and Workarounds
Impacted versions of PAN-OS for CVE-2024-3400 include the following:
- PAN-OS 10.2 (earlier than 10.2.9)
- PAN-OS 11.0 (earlier than 11.0.4)
- PAN-OS 11.1 (earlier than 11.1.2)
Palo Alto expects to release patches for these versions by 4-14-24.
Devices on the affected versions are only exposed when their configuration enables both GlobalProtect Gateway and device telemetry.
Palo Alto’s recommendation for customers subscribed to Palo Alto’s Threat Prevention service is to enable Threat ID 95187. Alternatively, Palo Alto customers can temporarily disable device telemetry until a patch is available.
If you are not running GlobalProtect Gateway, then no action is needed.
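The exposure condition above is a conjunction of three things: an affected PAN-OS release, GlobalProtect Gateway enabled, and device telemetry enabled. The following is an added example (not Blumira's or Palo Alto's code) that encodes exactly that logic for triaging a device inventory. It assumes a version string of the form MAJOR.MINOR.PATCH with an optional "-hN" hotfix suffix, and it models only the patch-level boundaries stated above; hotfixes later shipped on other maintenance trains are not represented. The inventory is constructed for demonstration.

```python
import re
from typing import Dict, List, Tuple

# Affected release trains from the advisory text: (major, minor) -> first fixed patch level.
# A device on one of these trains with a lower patch level is in the affected range.
FIRST_FIXED = {
    (10, 2): 9,  # PAN-OS 10.2.x earlier than 10.2.9
    (11, 0): 4,  # PAN-OS 11.0.x earlier than 11.0.4
    (11, 1): 2,  # PAN-OS 11.1.x earlier than 11.1.2
}

# Assumed version format: MAJOR.MINOR.PATCH with an optional "-hN" hotfix suffix.
_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:-h(\d+))?$")


def parse_panos_version(version: str) -> Tuple[int, int, int, int]:
    """Return (major, minor, patch, hotfix); hotfix is 0 when absent."""
    m = _VERSION_RE.match(version.strip())
    if not m:
        raise ValueError(f"unrecognised PAN-OS version string: {version!r}")
    major, minor, patch, hotfix = m.groups()
    return int(major), int(minor), int(patch), int(hotfix or 0)


def version_in_affected_range(version: str) -> bool:
    """True when the release train is listed and the patch level is below the fix."""
    major, minor, patch, _hotfix = parse_panos_version(version)
    fixed = FIRST_FIXED.get((major, minor))
    if fixed is None:
        return False  # release train not named by the advisory
    # The hotfix number is parsed but not used: the advisory gives only patch-level boundaries.
    return patch < fixed


def is_exposed(version: str, globalprotect_gateway: bool, device_telemetry: bool) -> bool:
    """All three conditions from the advisory must hold for a device to be exposed."""
    return version_in_affected_range(version) and globalprotect_gateway and device_telemetry


def triage(inventory: List[Dict]) -> List[str]:
    """Names of inventory entries that need the patch or the telemetry workaround now."""
    return [
        d["name"]
        for d in inventory
        if is_exposed(d["version"], d["gp_gateway"], d["telemetry"])
    ]


# Constructed inventory for demonstration; these are not real devices.
SAMPLE_INVENTORY = [
    {"name": "fw-edge-1", "version": "10.2.8", "gp_gateway": True, "telemetry": True},
    {"name": "fw-edge-2", "version": "10.2.9", "gp_gateway": True, "telemetry": True},
    {"name": "fw-dc-1", "version": "11.0.3-h2", "gp_gateway": True, "telemetry": False},
    {"name": "fw-lab", "version": "11.1.1", "gp_gateway": False, "telemetry": True},
    {"name": "fw-old", "version": "10.1.11", "gp_gateway": True, "telemetry": True},
]

if __name__ == "__main__":
    for name in triage(SAMPLE_INVENTORY):
        print(f"{name}: affected version with GlobalProtect Gateway and telemetry enabled")
```

Note that fw-dc-1 is on an affected build but is not flagged because telemetry is off; that is the temporary workaround state, and the device still needs the patch once it ships, so a real inventory pass should report both the exposed set and the "affected but mitigated" set separately.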
How Bad Is This?
HIGH RISK
This vulnerability results in remote code execution (RCE). RCE-based exploits are among the highest in criticality because an attacker can gain full access (root in this case). Although the vulnerability depends on a pair of services being enabled on the device, it is still serious enough to earn a rare CVSS score of 10. As stated above, Palo Alto is aware of a limited number of cases in which this is already being exploited.
How Blumira Can Help
At the time of writing, there are no technical details available about the nature of the attacks or what indicators of compromise exist. When those details emerge, we’ll begin the process of creating detections and reports. We’ll also update this article as more information becomes available.
It’s nearly impossible for admins to track every vulnerability, but Blumira’s security experts perform threat hunting on your behalf and develop detections in real time to protect your environment.
Update 1: 4-12-24
Early indicators of compromise have surfaced from Volexity, the team that reported the vulnerability to Palo Alto; they can be found here and comprise IPs and hashes seen in the recent attacks mentioned above. While IPs and hashes change quickly as attackers modify their tactics to avoid detection, we can use the IP listing to search for traffic to and from these IPs. Blumira now has two saved reports that can aid in your investigations:
- Palo Alto: Allowed Inbound Traffic From IPs Associated With CVE-2024-3400
- Palo Alto: Allowed Outbound Traffic From IPs Associated With CVE-2024-3400
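The two saved reports above both reduce to one search: allowed flows whose source (inbound) or destination (outbound) appears on the published IP list. The following is an added example (not one of Blumira's reports or Volexity's code) of that search run over firewall traffic logs. The indicator list uses RFC 5737 documentation addresses as placeholders that you would replace with the IPs from the Volexity reporting; the log line format is a constructed, simplified one rather than the native PAN-OS traffic-log CSV layout; and the sample lines are constructed.

```python
import ipaddress
import re
from typing import Dict, Iterable, List

# Placeholder indicator list (documentation ranges, RFC 5737). Replace with the IPs from the
# Volexity / Unit 42 reporting the article refers to. CIDR entries are supported.
IOC_NETWORKS = [ipaddress.ip_network(n) for n in ("192.0.2.10/32", "198.51.100.0/24")]

# Constructed, simplified traffic-log line format: "<ts> src=<ip> dst=<ip> dport=<n> action=<verb>".
_LOG_RE = re.compile(
    r"^(?P<ts>\S+) src=(?P<src>\S+) dst=(?P<dst>\S+) dport=(?P<dport>\d+) action=(?P<action>\w+)$"
)


def in_ioc_list(ip_text: str) -> bool:
    """True when the address falls inside any indicator network; malformed input is a miss."""
    try:
        ip = ipaddress.ip_address(ip_text)
    except ValueError:
        return False
    return any(ip in net for net in IOC_NETWORKS)


def match_ioc_traffic(lines: Iterable[str]) -> List[Dict[str, str]]:
    """Return allowed flows that touch an indicator IP, tagged inbound or outbound."""
    hits: List[Dict[str, str]] = []
    for line in lines:
        m = _LOG_RE.match(line.strip())
        if not m:
            continue  # unparseable line; in production, count these so parsing gaps are visible
        rec = m.groupdict()
        if rec["action"] != "allow":
            continue  # the saved reports scope to allowed traffic; denies are handled separately
        if in_ioc_list(rec["src"]):
            rec["direction"] = "inbound"
        elif in_ioc_list(rec["dst"]):
            rec["direction"] = "outbound"
        else:
            continue
        hits.append(rec)
    return hits


def summarize(hits: List[Dict[str, str]]) -> Dict[str, int]:
    """Count hits per direction, which is what an investigator wants at a glance."""
    counts = {"inbound": 0, "outbound": 0}
    for h in hits:
        counts[h["direction"]] += 1
    return counts


# Constructed sample log lines; none of these addresses are real indicators.
SAMPLE_LOG = """\
2024-04-12T10:01:02Z src=192.0.2.10 dst=10.0.0.5 dport=443 action=allow
2024-04-12T10:01:05Z src=10.0.0.5 dst=198.51.100.77 dport=443 action=allow
2024-04-12T10:01:09Z src=203.0.113.4 dst=10.0.0.5 dport=443 action=allow
2024-04-12T10:01:12Z src=198.51.100.9 dst=10.0.0.5 dport=22 action=deny
not a log line
""".splitlines()

if __name__ == "__main__":
    found = match_ioc_traffic(SAMPLE_LOG)
    for h in found:
        print(f"{h['ts']} {h['direction']:8s} {h['src']} -> {h['dst']}:{h['dport']}")
    print(summarize(found))
```

The denied inbound connection from an indicator IP is deliberately excluded to mirror the scope of the two saved reports, but denied outbound attempts from an internal host toward an indicator IP are a different matter: they can show a compromised host trying to reach back out, so a follow-up search over denied traffic is worthwhile once the allowed-traffic review is done.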
Update 2: 4-15-24
Palo Alto has updated their post to indicate that the first round of hotfixes is out to address this issue. They have also announced that the more commonly used “maintenance” versions will receive a hotfix for this issue in the coming days. According to Palo Alto’s Unit 42 posting, the saved reports mentioned in the prior update remain valid for finding potential indicators of compromise. We’ll update the search parameters of the reports as more details surface.
Justin Kikani
At Blumira, Justin helps to craft detection rules as part of the Incident Detection Engineering team. Prior to joining the team, he was the Director of IT at Nexus Direct, where he supported the company in its transition to a remote infrastructure. Before that, he held various IT and engineering roles, including a...
Security Alerts | 5 min read | April 12, 2024
CVE-2024-3400: Palo Alto Vulnerabilities in GlobalProtect Gateway Lead to RCE