CVE-2024-3400: Critical Command Injection Vulnerability in Palo Alto Networks Firewalls

Last updated at Mon, 22 Apr 2024 14:24:26 GMT

On Friday, April 12, Palo Alto Networks published an advisory on CVE-2024-3400, a CVSS 10 zero-day vulnerability in several versions of PAN-OS, the operating system that runs on the company’s firewalls. According to the vendor advisory, if conditions for exploitability are met, the vulnerability may enable an unauthenticated attacker to execute arbitrary code with root privileges on the firewall. Patches are available for some versions as of Sunday, April 14, 2024.

Note: Initially, Palo Alto Networks's advisory indicated that customers were only vulnerable if they were using PAN-OS 10.2, PAN-OS 11.0, and/or PAN-OS 11.1 firewalls with the configurations for both GlobalProtect gateway (or GlobalProtect portal) and device telemetry enabled. As of Tuesday, April 16, the advisory has been updated to say, "Device telemetry does not need to be enabled for PAN-OS firewalls to be exposed to attacks related to this vulnerability."

Palo Alto Networks’ advisory indicates that CVE-2024-3400 has been exploited in the wild in “a limited number of attacks.” The company has given the vulnerability their highest urgency rating. Palo Alto Networks has released an in-depth blog on the scope of the attack, indicators of compromise, and adversary behavior observations. We highly recommend reviewing it. Security firm Volexity, who discovered the zero-day vulnerability, also has a blog available here with extensive analysis, indicators of compromise, and observed attacker behavior.

Mitigation guidance

CVE-2024-3400 was unpatched at time of disclosure, but patches are available for some versions of PAN-OS as of Sunday, April 14. CVE-2024-3400 affects the following versions of PAN-OS when GlobalProtect (gateway or portal) is enabled:

• PAN-OS 11.1 (before 11.1.2-h3)
• PAN-OS 11.0 (before 11.0.4-h1)
• PAN-OS 10.2 (before 10.2.7-h8, before 10.2.8-h3, before 10.2.9-h1)
• Additional versions have been added to the advisory since initial publication

The vendor has updated their advisory as of April 16 to note that device telemetry does not need to be enabled for PAN-OS firewalls to be exposed to attacks related to this vulnerability. Palo Alto Networks’ Cloud NGFW and Prisma Access solutions are not affected; nor are earlier versions of PAN-OS (10.1, 10.0, 9.1, and 9.0).

Important: Palo Alto Networks has been continually updating their advisory, which now has an extensive list of affected versions and when fixes are expected. For additional information and the latest remediation guidance, please refer to the vendor advisory as the source of truth.

Patches for the CVE-2024-3400 were released on Sunday, April 14. Rapid7 recommends applying the vendor-provided patch immediately, without waiting for a typical patch cycle to occur. If you are unable to patch, apply one of the below vendor-provided mitigations:

• Customers with a Threat Prevention subscription can block attacks for this vulnerability by enabling Threat ID 95187 (introduced in Applications and Threats content version 8833-8682). In addition to enabling Threat ID 95187, customers should ensure vulnerability protection has been applied to their GlobalProtect interface to prevent exploitation of this issue on their device. More information here.
• Note: While disabling device telemetry was initially mentioned as a temporary workaround, Palo Alto Networks has said as of April 16 that disabling device telemetry is no longer an effective mitigation.

We also recommend reviewing indicators of compromise in Palo Alto Networks's blog and Volexity's blog.

Rapid7 customers

Authenticated vulnerability checks are available to InsightVM and Nexpose customers as of the Friday, April 12 content release. Since the vendor added more vulnerable versions to their advisory after it was originally published, our engineering team has updated our vulnerability checks as of the Wednesday, April 17 content release to be able to detect additional vulnerable versions of PAN-OS.

Per the vendor advisory, organizations that are running vulnerable firewalls and are concerned about potential exploitation in their environments can open a support case with Palo Alto Networks to determine if their device logs match known indicators of compromise (IoCs) for this vulnerability.

InsightIDR and Managed Detection and Response customers have existing detection coverage through Rapid7's expansive library of detection rules. Rapid7 recommends installing the Insight Agent on all applicable hosts to ensure visibility into suspicious processes and proper detection coverage. Below is a non-exhaustive list of detections that are deployed and will alert on post-exploitation behavior related to this zero-day vulnerability:

• Attacker Technique - NTDS File Access
• Attacker Technique: Renamed AnyDesk Binary in Non-Standard Location
• Attacker Technique: Renamed EWSProxy in Non-Standard Location
• Attacker Technique: Renamed AvastBrowserUpdate in Non-Standard Location
• Attacker Tool - Unknown Raw File Copy Utility For Credential Dumping
• Credential Access - Copying Credential Files with Esenutil
• Suspicious Process: A Single Character Executable in Root Intel Directory
• Suspicious Process - Avast Executable NOT in Program Files directory

Updates

Friday, April 12, 2024: Updated with link to Volexity blog on exploitation in the wild and indicators of compromise and Palo Alto Networks blog on the incident. Updated to note availability of VM content.

Monday, April 15, 2024: Updated to note that patches were available Sunday, April 14. Updated to note that GlobalProtect portal is also a vulnerable configuration (in addition to GlobalProtect gateway).

Tuesday, April 16, 2024: Added more vulnerable versions of the PAN-OS 10.2.x version stream per the updated vendor advisory. Patches are available for some versions, but not all, as of April 16. The advisory has ETAs on in-flight fixes. Rapid7 vulnerability checks will be updated on April 17 to detect newly listed vulnerable versions of PAN-OS.

Tuesday, April 16, 2024: Updated to note that disabling device telemetry is no longer considered an effective mitigation; Palo Alto Networks has now indicated that "device telemetry does not need to be enabled for PAN-OS firewalls to be exposed to attacks related to this vulnerability."

Wednesday, April 17, 2024: For InsightVM and Nexpose customers, vulnerability checks have been updated to detect additional vulnerable versions of PAN-OS. See the vendor advisory for the latest information.

Monday, April 22, 2024: Added list of (non-exhaustive) detection rules alerting for InsightIDR and Rapid7 MDR customers.