Published: 15 April 2024
Last update: 18 April 2024
Prepared by: Adam Skupien, Vulnerability Security Analyst
Purpose
The purpose of this alert is to bring attention to a CRITICAL, publicly released vulnerability identified as CVE-2024-3400, present in the GlobalProtect feature of Palo Alto Networks PAN-OS software for specific PAN-OS versions. Exploitation of this vulnerability may result in an unauthenticated attacker being able to execute arbitrary code with root privileges on the firewall.
On 12 April 2024, the Australian Cyber Security Centre (ACSC) released an advisory addressing this vulnerability and encouraging organisations to take action.
Palo Alto has also advised they are aware of instances where this has been exploited and recommends immediate remediation. Additionally, the Triskele Labs Cyber Threat Intelligence (CTI) team advises that several scripts designed to exploit this vulnerability are now publicly available on GitHub.
This vulnerability has been added to the Cybersecurity & Infrastructure Security Agency (CISA) Known Exploited Vulnerabilities (KEV) catalogue.
Details
On 12 April 2024, Palo Alto issued a notification describing a critical vulnerability known as CVE-2024-3400 PAN-OS: OS Command Injection Vulnerability in GlobalProtect. Threat Actors have begun exploiting this vulnerability in the wild. The vulnerability is present in the following PAN-OS versions:
- PAN-OS version 10.2 (< 10.2.9-h1)
- PAN-OS version 11.0 (< 11.0.4-h1)
- PAN-OS version 11.1 (< 11.1.2-h3)
The vulnerability has been mapped to CWE-77 by MITRE, an Improper Neutralisation of Special Elements used in a Command (Command Injection).
Mitigation Actions
Palo Alto has released hotfixes for several of the affected versions, with hotfixes for all remaining versions scheduled to be released by 19 April 2024. These should be applied as a priority to vulnerable systems as they become available.
Organisations which have a Palo Alto Threat Prevention subscription can block attacks for this vulnerability by enabling Threat ID 95187 (introduced in Applications and Threats content version 8833-8682) and ensure vulnerability protection has been applied to their GlobalProtect interface.
In earlier version of their advisory, Palo Alto listed disabling device telemetry as a secondary mitigation action, however, they now advise that this is no longer an effective mitigation. It is NOT necessary for device telemetry to be enabled in order for PAN-OS firewalls to be exposed to attacks related to this vulnerability.
Detection
Managed Detection and Response (MDR) platforms can monitor an environment for suspicious activity relating to the exploitation of this vulnerability. However, as these assets are appliances, they cannot run the Security Information and Event Management (SIEM) or Endpoint Detection and Response (EDR) agent, which reduces overall visibility on the platform.
Please ensure that these devices are sending syslog to a SIEM so that malicious indicators can be identified.
The following XQLqueries can be used to search for signs of exploitation:
// Description: Search for domain IOC in raw NGFW logs
dataset = panw_ngfw_url_raw
| filter url_domain ~= ".*nhdata.s3-us-west-2.amazonaws.com"
| fields _time, log_source_name, action, app, url_domain, uri, url_category, source_ip, source_port, dest_ip, dest_port, protocol, rule_matched, rule_matched_uuid
// Description: Detect hits for the specific prevention signature for CVE-2024-3400
config case_sensitive = false
| dataset = panw_ngfw_threat_raw
| filter threat_id = "95187"
| fields _time, log_source_name, action, app_category, app_sub_category, threat_id, threat_name, source_ip, source_port, dest_ip, dest_port, *
// Description: Detect hits for the specific prevention signature for CVE-2024-3400
config case_sensitive = false
| dataset = panw_ngfw_threat_raw
| filter threat_id = "95187"
| fields _time, log_source_name, action, app_category, app_sub_category, threat_id, threat_name, source_ip, source_port, dest_ip, dest_port, *
// Description: Detect hits for the specific prevention signature for CVE-2024-3400
config case_sensitive = false
| dataset = panw_ngfw_threat_raw
| filter threat_id = "95187"
| fields _time, log_source_name, action, app_category, app_sub_category, threat_id, threat_name, source_ip, source_port, dest_ip, dest_port, *
Triskele Labs DefenceShield customers with Assess service (Vulnerability Scanning) are currently being scanned. All customers with our Monitor service (24x7x365 Managed Detection and Response) are - as always - being monitored closely for related Indicators of Compromise (IOCs) and Tactics, Techniques and Procedures (TTPs).
