Palo Alto, a leading American cybersecurity firm, has flagged a critical vulnerability in its PAN-OS ‘GlobalProtect’ feature. This flaw allows remote code execution (RCE) with root privileges targeting the command-injection vulnerability (CVE-2024-3400).
The company released an advisory disclosing that certain specific PAN-OS configurations could enable an unauthorized attacker the ability to execute remote arbitrary code with root privileges. Palo Alto has urged its customers to implement temporary fixes to mitigate the flaw.
Palo Alto Acknowledges Exploitation of PAN-OS Vulnerability
The advisory states that versions PAN-OS 10.2, PAN-OS 11.0, and PAN-OS 11.1 of Palo Alto’s are vulnerable to exploitation and that the issue would be fixed in hotfix releases ‘PAN-OS 10.2.9-h1 (, PAN-OS 11.0.4-h1, and PAN-OS 11.1.2-h3’ that would be subsequently released on 14th April.
CVE-2024-3400 is an ‘Improper Neutralization of Special Elements used in a Command’ form of vulnerability according to the MITRE framework with a CVSS score of 4.0 and a Base Score of 10 in Severity.
Only firewalls that have both the GlobalProtect gateway and device telemetry enabled can be exploited through this flaw. Users can access their GlobalProtect gateway configurations by checking their firewall web interface (Network > GlobalProtect > Gateways) and verifying if they have device telemetry enabled by checking your firewall web interface (Device > Setup > Telemetry).
Palo Alto Recommends Temporary Workarounds for Mitigation
Palo Alto has advised users on temporary workarounds and mitigations to deal with existence of the flaw (CVE-2024-3400). Palo Alto customers with a Threat Prevention subscription were instructed to combat this vulnerability by enabling Threat ID 95187 (introduced in Applications and Threats content version 8833-8682). To protect against potential exploitation on their device, customers can verify that vulnerability protection has been implemented on their GlobalProtect interface.
Further, users and administrators could mitigate the impact of the vulnerability by temporarily disabling device telemetry until the device has been updated to a patched version of PAN-OS.
The advisory comes two days after another high-severity vulnerability (CVE-2024-3385) affecting the PA-5400 and PA-7000 Series firewalls were discovered in PAN-OS. The Firewall Denial of Service (DoS) allowed remote attackers to potentially reboot hardware-based firewalls to induce a denial of service (DoS) attack or force the firewall to enter maintenance mode.
However unlike the more recent flaw, Palo Alto did not observe this vulnerability being actively exploited but encountered by two customers in normal production usage. These vulnerabilities are the latest in a series of Firewall related vulnerabilities that have been reported recently with several prominent companies reporting vulnerabilities in their Firewall offerings.
These victims include Fortinet, SonicWall and Junpier and exposed hundreds of devices relying on them for security to various forms of attacks. These incidents demonstrate issues with the steady patching of vulnerable systems as well as the attacks they may be exposed to such as the exploit of Fortinet devices by Chinese-linked threat actors which drew attention from CISA.
Media Disclaimer: This report is based on internal and external research obtained through various means. The information provided is for reference purposes only, and users bear full responsibility for their reliance on it. The Cyber Express assumes no liability for the accuracy or consequences of using this information.
