External risk intelligence

Palo Alto Networks PAN-OS GlobalProtect Command Injection Vulnerability.

CVE advisory | Known Exploit

CVE-2024-3400

A command injection flaw in the GlobalProtect feature of Palo Alto Networks PAN-OS allows unauthenticated attackers to execute arbitrary code with root privileges on firewalls. This poses a business risk of unauthorized system control and data compromise. Affected organizations should identify and remediate vulnerable

Halo Surface Signal: 5

Command Injection

Palo Alto Networks PAN-OS

Affected versions: 10.2.0, 10.2.1, 10.2.2, 10.2.3, 10.2.4, 10.2.5, 10.2.6, 10.2.7, 10.2.8, 10.2.9, 11.0.0, 11.0.1, 11.0.2, 11.0.3, 11.0.4, 11.1.0, 11.1.1

External exposure likelihood

Halo Surface Signal score for CVE-2024-3400

The vulnerability exists in the GlobalProtect feature of PAN-OS, which is a VPN and remote access service designed to be internet-facing for employee connectivity. As a gateway component deployed at the network edge to provide remote access, it is intentionally exposed to the public internet by design.

Horizon Alert

Summary of the vulnerability and why it matters

The GlobalProtect feature within Palo Alto Networks PAN-OS is susceptible to a command injection flaw. This weakness allows an unauthorized external attacker to execute arbitrary code with the highest level of system privileges on the affected firewall. The impact can include unauthorized system control, data compromise, and disruption of network services.

  • GlobalProtect feature in PAN-OS
  • Arbitrary file creation leading to command injection
  • Unauthorized system access and control

Attack Path

How an attacker could exploit the issue

This vulnerability allows an unauthenticated attacker to create arbitrary files on a targeted firewall. This file creation can then be leveraged to inject and execute commands with root privileges on the affected system. The outcome of this attack could be unauthorized code execution and system compromise.

  • Exposure: A firewall with the GlobalProtect feature enabled.
  • Attacker access: An unauthenticated remote attacker.
  • Trigger and result: Arbitrary file creation leading to command execution.

Live Threat

Current exploitation, exposure, and threat context

This vulnerability presents a critical risk to organizations running specific versions of Palo Alto Networks PAN-OS software with the GlobalProtect feature. A threat actor could exploit it to execute arbitrary code with root privileges on the firewall, leading to a significant compromise of systems and data. Organizations should prioritize addressing this vulnerability because of its severity and potential for widespread impact.

  • Attacker skill: Low
  • Access needed: Network access
  • Business risk: Critical

Priority actions

Operational Fix

Recommended remediation, mitigation, and detection steps

A critical command injection vulnerability in Palo Alto Networks PAN-OS, specifically within the GlobalProtect feature, could allow an unauthenticated attacker to gain root privileges on firewalls. This could lead to the execution of arbitrary code, posing a significant risk to affected organizations. The vulnerability impacts certain PAN-OS versions and configurations, but not Cloud NGFW, Panorama appliances, or Prisma Access.

  • Identify all PAN-OS assets with GlobalProtect enabled.
  • Apply vendor-provided mitigations and fixes.
  • Verify remediation and monitor for related activity.
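The first two actions above (find every PAN-OS asset with GlobalProtect enabled, then decide which ones sit on an affected version) are the kind of thing that is easier to get right from an inventory export than by hand. The script below is an added example written for this page, not Palo Alto Networks tooling and not code from the advisory. Its affected-version set is exactly the list the page gives; it deliberately knows no fixed versions, because the page names none, so anything outside the list is reported as "not in the listed affected set" rather than "fixed". The CSV column names, the hostnames, and the treatment of a `-hN` hotfix suffix (split off and flagged for confirmation against the vendor advisory) are assumptions made here.

```python
"""Triage a firewall inventory against the CVE-2024-3400 affected-version list.

Added example, not part of the original advisory page. The affected versions
are the ones the page lists; no fixed versions are assumed because the page
gives none. Hotfix suffixes ("-hN") are an assumption about PAN-OS version
strings and are only flagged, never judged.
"""
from __future__ import annotations

import csv
import io
import re
from dataclasses import dataclass

# Affected base versions exactly as listed on the page:
# 10.2.0-10.2.9, 11.0.0-11.0.4, 11.1.0 and 11.1.1 (17 versions).
AFFECTED_VERSIONS = frozenset(
    [f"10.2.{p}" for p in range(0, 10)]
    + [f"11.0.{p}" for p in range(0, 5)]
    + ["11.1.0", "11.1.1"]
)

# "11.1.1" or "11.1.1-h1": major.minor.patch with an optional hotfix number.
_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:-h(\d+))?$")

# Constructed sample inventory (hostnames are invented, not real systems).
SAMPLE_INVENTORY = """hostname,pan_os_version,globalprotect_enabled
fw-edge-01,11.1.1,yes
fw-edge-02,10.2.9-h1,yes
fw-core-01,10.2.3,no
fw-lab-01,11.1.2,yes
fw-old-01,10.1.9,yes
fw-bad-01,n/a,yes
"""

# Lower number = act on it first. An exposed, affected host tops the list;
# a host whose version string cannot even be parsed needs a human before a
# host that is affected but has no GlobalProtect gateway or portal.
_PRIORITY = {
    ("affected", True): 0,
    ("affected-base-check-hotfix", True): 1,
    ("unparseable", True): 2,
    ("unparseable", False): 2,
    ("affected", False): 3,
    ("affected-base-check-hotfix", False): 3,
    ("not-in-listed-set", True): 4,
    ("not-in-listed-set", False): 5,
}


@dataclass(frozen=True)
class Finding:
    hostname: str
    version: str
    exposed: bool   # GlobalProtect gateway/portal enabled (page: the exposure condition)
    status: str     # affected | affected-base-check-hotfix | not-in-listed-set | unparseable


def parse_version(version: str) -> tuple[str, int | None] | None:
    """Split '10.2.9-h1' into ('10.2.9', 1); return None for non-version strings."""
    m = _VERSION_RE.match(version.strip())
    if not m:
        return None
    base = ".".join(m.group(i) for i in (1, 2, 3))
    hotfix = int(m.group(4)) if m.group(4) else None
    return base, hotfix


def classify(hostname: str, version: str, globalprotect: bool) -> Finding:
    """Compare one host's version with the page's affected list."""
    parsed = parse_version(version)
    if parsed is None:
        return Finding(hostname, version, globalprotect, "unparseable")
    base, hotfix = parsed
    if base in AFFECTED_VERSIONS:
        # A hotfix build shares an affected base; whether that hotfix matters
        # is not something the page states, so it is flagged, not decided.
        status = "affected" if hotfix is None else "affected-base-check-hotfix"
        return Finding(hostname, version, globalprotect, status)
    return Finding(hostname, version, globalprotect, "not-in-listed-set")


def triage(csv_text: str) -> list[Finding]:
    """Classify every inventory row and order the result by remediation priority."""
    rows = csv.DictReader(io.StringIO(csv_text))
    findings = [
        classify(
            r["hostname"],
            r["pan_os_version"],
            r["globalprotect_enabled"].strip().lower() in ("yes", "true", "1"),
        )
        for r in rows
    ]
    return sorted(findings, key=lambda f: (_PRIORITY[(f.status, f.exposed)], f.hostname))


if __name__ == "__main__":
    for f in triage(SAMPLE_INVENTORY):
        print(f"{f.hostname:12} {f.version:12} exposed={str(f.exposed):5} {f.status}")
```

Feed it the real export from your own asset system by swapping the constructed CSV for a file read; the ordering puts internet-facing hosts on a listed version at the top, which matches the page's point that GlobalProtect is the exposed component.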

Frequently asked questions

What is Palo Alto Networks PAN-OS GlobalProtect?

GlobalProtect is a feature of Palo Alto Networks' PAN-OS software that enables remote users to securely access local and internet resources. It functions as a VPN and remote access solution, extending security policies to users regardless of their location.

What is the weakness in CVE-2024-3400?

CVE-2024-3400 is a command injection vulnerability. This type of weakness occurs when an application improperly handles user input, allowing an attacker to inject malicious commands that are then executed with the application's privileges. In this case, it can lead to arbitrary code execution with root privileges on the firewall.

How can an attacker exploit CVE-2024-3400?

An unauthenticated attacker can exploit this vulnerability by creating arbitrary files on the targeted firewall. This file creation can then be used to inject and execute commands, leading to unauthorized code execution and potential system compromise. The vulnerability requires specific PAN-OS versions and configurations, with the GlobalProtect gateway or portal enabled.

Who is at risk from CVE-2024-3400?

Organizations using specific versions of Palo Alto Networks PAN-OS software with the GlobalProtect feature enabled are at risk. This vulnerability is classified as external because the GlobalProtect feature is designed to be internet-facing, making it accessible to remote attackers.

What should be done about CVE-2024-3400?

The immediate priority is to apply vendor-provided patches or mitigations as soon as possible. Organizations should identify all PAN-OS assets with GlobalProtect enabled, apply the necessary updates, and then verify that the remediation has been successful. Monitoring for any suspicious activity is also recommended.
