
Cloud Vulnerability DB
An open project to list all known cloud vulnerabilities and Cloud Service Provider security issues
A critical command injection vulnerability (CVE-2024-3400) was discovered in the GlobalProtect feature of Palo Alto Networks PAN-OS software. The vulnerability enables an unauthenticated attacker to execute arbitrary code with root privileges on affected firewalls. This issue specifically affects PAN-OS versions 10.2, 11.0, and 11.1 configured with GlobalProtect gateway or GlobalProtect portal. Cloud NGFW, Panorama appliances, and Prisma Access are not impacted. The vulnerability was initially discovered by Volexity on April 10, 2024, when they identified active exploitation in the wild (Volexity Blog, Palo Alto Advisory).
The vulnerability stems from a combination of two bugs in PAN-OS: first, the GlobalProtect service does not adequately validate the format of a session ID before storing it, so an attacker-chosen value becomes the name of an empty file; second, that filename is later used as part of a command on the assumption that it was system-generated. The vulnerability has been assigned a CVSS score of 10.0 (Critical). Successful exploitation can be achieved through a two-stage attack process where the attacker first sends a crafted shell command instead of a valid session ID to create an empty file, followed by a scheduled system job that executes the attacker-supplied command with elevated privileges (Palo Alto Blog).
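The two-bug chain above is a general pattern: a client-supplied identifier becomes a filename at one layer, and a privileged job at another layer trusts whatever filenames it finds. The following is an added, hypothetical illustration of closing both gaps, not PAN-OS code and not a description of the real service; the session-ID format, the directory path and the cleanup command are assumptions made for the example.

```python
import os
import re
from typing import List, Optional

# Hypothetical illustration of the bug class described above, NOT PAN-OS code:
# a client-supplied session identifier becomes a filename (stage 1), and that
# filename is later consumed by a privileged scheduled job (stage 2). Both
# stages apply the same allow-list check instead of trusting the other side.

# Assumed session-ID format for this example: 16 to 64 alphanumeric characters.
SESSION_ID_RE = re.compile(r"[A-Za-z0-9]{16,64}")
SESSION_DIR = "/var/tmp/example_sessions"  # constructed path, not a PAN-OS path


def is_valid_session_id(session_id: str) -> bool:
    """Allow-list check: fixed charset and length, so no path separators,
    whitespace or shell metacharacters can ever reach a filename or command."""
    return SESSION_ID_RE.fullmatch(session_id) is not None


def session_file_path(session_id: str) -> Optional[str]:
    """Stage 1 (ingest): map a session ID to a file path, or None if rejected.

    The regex already excludes '/' and '.', but the realpath/commonpath check
    keeps the file inside SESSION_DIR even if the pattern is loosened later.
    """
    if not is_valid_session_id(session_id):
        return None
    base = os.path.realpath(SESSION_DIR)
    path = os.path.realpath(os.path.join(base, session_id))
    if os.path.commonpath([base, path]) != base:
        return None
    return path


def select_session_files(names: List[str]) -> List[str]:
    """Stage 2 (scheduled job): re-validate filenames read back from disk.

    The consumer must not assume everything in the directory was written by
    trusted code; any name outside the allow-list is skipped, not processed.
    """
    return [n for n in names if is_valid_session_id(n)]


def cleanup_command(path: str) -> List[str]:
    """Build the privileged command as an argv list, never a shell string, so
    the filename is passed as one argument and is never parsed as shell syntax."""
    return ["rm", "-f", "--", path]


if __name__ == "__main__":
    # Constructed inputs: one well-formed ID, one with a separator, one with a path.
    for candidate in ["A" * 24, "A" * 16 + ";ls", "../" + "A" * 16]:
        print(repr(candidate), "->", session_file_path(candidate))
    print(select_session_files(["B" * 16, "bad name", "C" * 20 + "`x`"]))
```

The point of validating at both stages is that the second bug in the chain (trusting filenames as system-generated) is neutralised even if the first check is bypassed or regressed in a later release.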
The successful exploitation of this vulnerability allows attackers to execute arbitrary code with root privileges on affected firewalls. Observed impacts include the exfiltration of configuration data, deployment of backdoors, and use of the compromised firewall as a pivot point for lateral movement within victim networks. In some cases, attackers have been able to steal domain credentials, browser data, and other sensitive information (Unit42 Brief).
Palo Alto Networks has released fixes in PAN-OS versions 10.2.9-h1, 11.0.4-h1, 11.1.2-h3, and all later versions. Customers with a Threat Prevention subscription can block attacks using Threat IDs 95187, 95189, and 95191 (available in Applications and Threats content version 8836-8695 and later). Organizations must ensure that vulnerability protection is properly applied to their GlobalProtect interface. An enhanced factory reset procedure is available through Customer Support for devices potentially compromised before April 25, 2024 (Palo Alto Advisory).
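A defender's first job after reading the fix list above is to find which firewalls still need it. The following is an added example, not vendor tooling, that parses PAN-OS version strings of the form `major.minor.patch[-hN]` and triages a constructed inventory against the three fixed releases this page names (10.2.9-h1, 11.0.4-h1, 11.1.2-h3, and anything later in the same train). It encodes only those three; any further hotfix builds listed in the vendor advisory for older maintenance releases must be added to `FIXED_BUILDS` before relying on it.

```python
import re
from typing import Dict, List, Tuple

# Added example, not vendor tooling: triage PAN-OS versions against the fixed
# releases named on this page. Only the three fixes the page lists are encoded;
# add any further hotfix builds from the vendor advisory before relying on it.

VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:-h(\d+))?$")

# Minimum fixed build per affected release train (10.2, 11.0, 11.1);
# any later build in the same train counts as fixed.
FIXED_BUILDS: Dict[Tuple[int, int], Tuple[int, int, int, int]] = {
    (10, 2): (10, 2, 9, 1),
    (11, 0): (11, 0, 4, 1),
    (11, 1): (11, 1, 2, 3),
}


def parse_panos_version(version: str) -> Tuple[int, int, int, int]:
    """Turn '11.1.2-h3' into (11, 1, 2, 3). A build without a hotfix gets
    hotfix 0, so 10.2.9 sorts before 10.2.9-h1 and 10.2.10 sorts after it."""
    m = VERSION_RE.match(version.strip())
    if not m:
        raise ValueError(f"unrecognised PAN-OS version: {version!r}")
    major, minor, patch, hotfix = m.groups()
    return (int(major), int(minor), int(patch), int(hotfix or 0))


def assess(version: str, globalprotect_configured: bool = True) -> str:
    """Classify one firewall as 'unaffected_train', 'not_exposed', 'fixed' or 'vulnerable'."""
    v = parse_panos_version(version)
    train = v[:2]
    if train not in FIXED_BUILDS:
        return "unaffected_train"  # only 10.2, 11.0 and 11.1 are affected
    if not globalprotect_configured:
        return "not_exposed"  # affected code, but no GlobalProtect portal or gateway
    return "fixed" if v >= FIXED_BUILDS[train] else "vulnerable"


def triage_inventory(inventory: List[dict]) -> List[str]:
    """Return the names of hosts that still need the fixed build (and, until
    upgraded, Threat IDs 95187/95189/95191 applied to the GlobalProtect interface)."""
    return [
        host["name"]
        for host in inventory
        if assess(host["version"], host.get("globalprotect", True)) == "vulnerable"
    ]


# Constructed sample inventory for the example; names and versions are made up.
SAMPLE_INVENTORY = [
    {"name": "fw-edge-1", "version": "10.2.7"},
    {"name": "fw-edge-2", "version": "10.2.9-h1"},
    {"name": "fw-dc-1", "version": "11.1.2-h2"},
    {"name": "fw-lab", "version": "11.0.3", "globalprotect": False},
    {"name": "fw-old", "version": "10.1.11"},
]

if __name__ == "__main__":
    for host in SAMPLE_INVENTORY:
        status = assess(host["version"], host.get("globalprotect", True))
        print(f"{host['name']:10} {host['version']:12} {status}")
    print("needs fix:", triage_inventory(SAMPLE_INVENTORY))
```

Hotfix ordering is the part that is easy to get wrong with a plain string comparison: `10.2.9` is older than `10.2.9-h1`, while `10.2.10` is newer than both, which the four-element tuple handles without special cases.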
The vulnerability has garnered significant attention from the cybersecurity community due to its critical nature and active exploitation. CISA has added CVE-2024-3400 to its Known Exploited Vulnerabilities Catalog, requiring federal agencies to apply vendor mitigations. The security community has praised Palo Alto Networks for their rapid response, releasing initial mitigations within 24 hours of vulnerability confirmation (CISA Alert).
Source: This report was generated using AI