CVE-2024-3400: Palo Alto Networks PAN-OS Zero-Day Under Active Exploitation

Palo Alto Networks released a security bulletin detailing a new critical command injection vulnerability in their PAN-OS software, tracked as CVE-2024-3400 which carries a maximum CVSS score of 10.0.

According to the advisory, this vulnerability has been under active exploitation. Successful exploitation of this flaw allows for a threat actor to execute arbitrary code with root privileges on the device.

Which Versions are Affected?

The vulnerability only affects certain versions of PAN-OS when both GlobalProtect gateway and device telemetry are enabled. Affected versions are:

• PAN-OS 10.2.9-h1 and prior
• PAN-OS 11.0.4-h1 and prior
• PAN-OS 11.1.2-h3 and prior

Per the Palo Alto advisory, administrators can verify if the GlobalProtect gateway is configured by checking in the firewall web interface (Network > GlobalProtect > Gateways).

Device telemetry features can also be verified in the web interface (Device > Setup > Telemetry).

How to Protect Your Organization

Per the Palo Alto advisory, a patch for this vulnerability will be available by Sunday 4/14/24. Administrators are urged to apply this patch as soon as it becomes available.

There are several mitigation steps that can be taken in the interim. Palo Alto customers with the Threat Prevention subscription enabled can block attacks for the vulnerability by enabling Threat ID 95187.

Additionally, those customers must ensure vulnerability protection has been applied to their GlobalProtect interface to prevent exploitation on their device. Additional information for this can be found here.

For customers that do not have the Threat Prevention subscription, administrators can temporarily disable device telemetry until the device gets the appropriate patch. Details for how to disable device telemetry can be found here.

• https://security.paloaltonetworks.com/CVE-2024-3400 
• https://www.cvedetails.com/cve/CVE-2024-3400/ 
• https://www.cisa.gov/news-events/alerts/2024/04/12/cisa-adds-one-known-exploited-vulnerability-catalog 
• https://www.bleepingcomputer.com/news/security/palo-alto-networks-warns-of-pan-os-firewall-zero-day-used-in-attacks/ 

DISCLAIMER

Kindly be advised that the information contained in this article is presented with no final evaluation and should be considered raw data. The sole purpose of this information is to provide situational awareness based on the currently available knowledge. We recommend exercising caution and conducting further research as necessary before making any decisions based on this information.