PaloAlto PAN-OS Critical Command Injection vulnerability -CVE-2024-3400

Security researchers have identified a critical flaw in Palo Alto Networks’ PAN-OS, specifically in the GlobalProtect feature. The vulnerability, designated CVE-2024-3400 and rated with a CVSS score of 10, is a command injection flaw that can allow malicious actors to execute arbitrary code with root privileges on vulnerable firewalls.

The vulnerability affects PAN-OS versions 10.2, 11.0, and 11.1, and only in configurations where both a GlobalProtect gateway and device telemetry are enabled. That specific combination is what makes a firewall exploitable, opening the door to unauthorized access and compromise of the device.

It’s important to note that certain PAN-OS deployments remain unaffected by this vulnerability. Cloud NGFW, Panorama appliances, and Prisma Access have been confirmed as not impacted, providing reassurance to users of these systems.


To determine whether a firewall has the affected configuration, check both settings:

GlobalProtect Gateway: Inspect the configured gateways in the firewall web interface under Network > GlobalProtect > Gateways.
Device Telemetry: Verify whether device telemetry is enabled in the firewall web interface under Device > Setup > Telemetry.
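For fleets too large to click through one firewall at a time, the same two checks can be run against an exported running configuration. The script below is an added example and is not Palo Alto Networks' code; the XML element layout (the `device-telemetry` block under `deviceconfig/system`, the `global-protect-gateway` entries under `network/global-protect`, and the `version` attribute on `<config>`) is an assumption about how PAN-OS stores these settings and should be confirmed against a real export, and the sample config is constructed for the example. It only matches the affected release trains named above (10.2, 11.0, 11.1), not exact hotfix levels, so a match means "inspect this device", not "this device is unpatched".

```python
import xml.etree.ElementTree as ET

# Constructed sample resembling a trimmed PAN-OS running-config export.
# ASSUMPTION: element names and nesting follow PAN-OS conventions; verify
# against an actual export before relying on this in production.
SAMPLE_CONFIG = """<config version="11.0.0">
  <devices>
    <entry name="localhost.localdomain">
      <deviceconfig>
        <system>
          <device-telemetry>
            <device-health-performance>yes</device-health-performance>
            <product-usage>yes</product-usage>
            <threat-prevention>yes</threat-prevention>
          </device-telemetry>
        </system>
      </deviceconfig>
      <network>
        <global-protect>
          <global-protect-gateway>
            <entry name="GP-GW-1"/>
          </global-protect-gateway>
        </global-protect>
      </network>
    </entry>
  </devices>
</config>
"""

# Release trains named in the advisory; hotfix levels are deliberately not modelled.
AFFECTED_TRAINS = ("10.2", "11.0", "11.1")


def pan_os_train(root):
    """Return 'major.minor' from the config version attribute.

    ASSUMPTION: the attribute tracks the running release; cross-check with
    `show system info` on the CLI if in doubt.
    """
    version = root.get("version", "")
    return ".".join(version.split(".")[:2])


def has_globalprotect_gateway(root):
    """True if at least one GlobalProtect gateway is configured."""
    path = "./devices/entry/network/global-protect/global-protect-gateway/entry"
    return root.find(path) is not None


def telemetry_enabled(root):
    """True if any device-telemetry category is switched on ('yes')."""
    node = root.find("./devices/entry/deviceconfig/system/device-telemetry")
    if node is None:
        return False
    return any((child.text or "").strip().lower() == "yes" for child in node)


def assess(config_xml):
    """Classify a config export against the advisory's affected conditions."""
    root = ET.fromstring(config_xml)
    train = pan_os_train(root)
    gateway = has_globalprotect_gateway(root)
    telemetry = telemetry_enabled(root)
    exposed = train in AFFECTED_TRAINS and gateway and telemetry
    action = None
    if exposed:
        # Mirrors the advisory's interim guidance: enable Threat ID 95187 with
        # Threat Prevention, or temporarily disable device telemetry until patched.
        action = "enable Threat ID 95187 or disable device telemetry until upgraded"
    return {
        "train": train,
        "gateway": gateway,
        "telemetry": telemetry,
        "exposed": exposed,
        "action": action,
    }


if __name__ == "__main__":
    for key, value in assess(SAMPLE_CONFIG).items():
        print(f"{key}: {value}")
```

Run it against one exported config per firewall and triage the devices whose `exposed` field is true; a device on an affected train with only one of the two settings enabled is reported as not exposed, which matches the advisory's "both enabled" condition.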

In response to this critical issue, Palo Alto Networks is working on fixes for affected PAN-OS versions. These fixes are anticipated to be released promptly, with scheduled availability by April 14, 2024. However, proactive measures are essential to mitigate risk until patches are applied.

Customers with a Threat Prevention subscription can block attacks that exploit this vulnerability by enabling Threat ID 95187.

It is imperative that customers confirm the vulnerability protection profile is actually applied to their GlobalProtect interface; the signature only helps if it is enforced on the exposed interface, and this additional layer of defense helps block exploitation attempts.


As a temporary measure, where immediate implementation of Threat Prevention-based mitigation is unfeasible, an alternative is to temporarily disable device telemetry until the affected device can be upgraded to a patched version of PAN-OS. Once the upgrade is completed, device telemetry should be promptly re-enabled to restore full system monitoring.
