CVE-2024-3400: Palo Alto Networks Command Injection Vulnerability

On Friday, April 12th, Palo Alto Networks published an advisory on CVE-2024-3400, a CVSS 10 zero-day vulnerability in several versions of PAN-OS, the operating system that runs the company's firewalls. This vulnerability is currently unpatched, with fixes expected to be available by Sunday, April 14th, 2024.

CVE-2024-3400 Details

Severity: Critical with a 10/10 CVSS ⚠️

Exploitation Status: Exploited in the wild with a "limited number of attacks", according to Palo Alto Networks' advisory

CVE ID: CVE-2024-3400

Impact

According to the vendor advisory, a firewall running PAN-OS 10.2, 11.0, or 11.1 with a GlobalProtect gateway configured and device telemetry enabled allows an unauthenticated attacker to execute arbitrary code with root privileges on the firewall.

Affected Products

Version                   Affected       Unaffected
Cloud Next-Gen Firewall   None           All
PAN-OS 11.1               < 11.1.2-h3    >= 11.1.2-h3 (ETA: by 4/14)
PAN-OS 11.0               < 11.0.4-h1    >= 11.0.4-h1 (ETA: by 4/14)
PAN-OS 10.2               < 10.2.9-h1    >= 10.2.9-h1 (ETA: by 4/14)
PAN-OS 10.1               None           All
PAN-OS 10.0               None           All
PAN-OS 9.1                None           All
PAN-OS 9.0                None           All
Prisma Access             None           All

Recommendations for CVE-2024-3400

Fixes for PAN-OS 10.2, PAN-OS 11.0, and PAN-OS 11.1 are in development and are expected to be released by April 14, 2024. Cloud NGFW, Panorama appliances, and Prisma Access are not impacted by this vulnerability. All other versions of PAN-OS are also not impacted.

This issue applies only to PAN-OS 10.2, PAN-OS 11.0, and PAN-OS 11.1 firewalls that have both a GlobalProtect gateway configured and device telemetry enabled. Both conditions must be present; an affected version with no GlobalProtect gateway, or with telemetry disabled, is not in the vulnerable configuration.

You can verify whether a GlobalProtect gateway is configured by checking for entries in the firewall web interface (Network > GlobalProtect > Gateways), and whether device telemetry is enabled under Device > Setup > Telemetry. Until the hotfix for your branch is installed, disabling device telemetry (reference 2) removes one of the two required conditions and is the vendor's interim mitigation.
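The same three-part check (affected version, gateway present, telemetry on) can be run offline against an exported configuration, which is useful when triaging many firewalls at once. The script below is an added example written for this page; it is not code from Palo Alto Networks or Digital Hands. It assumes the `sw-version` field of `show system info`, and two XPaths in the exported XML (`deviceconfig/system/device-telemetry` and `vsys/entry/global-protect/global-protect-gateway/entry`) that you should confirm against your own export; the telemetry rule (enabled if any category is `yes`), the sample `show system info` text and both sample configurations are constructed for the example.

```python
"""Triage a PAN-OS firewall for the CVE-2024-3400 vulnerable configuration.

Added example, not from the vendor advisory. Inputs: `show system info` output
(for its sw-version line) and an exported XML configuration. The two XPaths are
assumptions based on the PAN-OS config schema; check them against your own export.
"""
import re
import xml.etree.ElementTree as ET

# First fixed version per affected branch, from the advisory.
FIXED_VERSIONS = {(10, 2): "10.2.9-h1", (11, 0): "11.0.4-h1", (11, 1): "11.1.2-h3"}

# Assumed locations inside an exported <config> document.
GP_GATEWAY_XPATH = "./devices/entry/vsys/entry/global-protect/global-protect-gateway/entry"
TELEMETRY_XPATH = "./devices/entry/deviceconfig/system/device-telemetry"


def parse_version(version: str) -> tuple:
    """'11.1.2-h3' -> (11, 1, 2, 3). No hotfix suffix means hotfix 0, so a
    plain 11.1.2 sorts below 11.1.2-h3 as the advisory's '< 11.1.2-h3' intends."""
    m = re.fullmatch(r"(\d+)\.(\d+)\.(\d+)(?:-h(\d+))?", version.strip())
    if not m:
        raise ValueError(f"unrecognised PAN-OS version: {version!r}")
    major, minor, patch, hotfix = m.groups()
    return (int(major), int(minor), int(patch), int(hotfix or 0))


def version_is_affected(version: str) -> bool:
    """True when the version is on an affected branch and below its hotfix."""
    v = parse_version(version)
    fixed = FIXED_VERSIONS.get(v[:2])
    if fixed is None:
        return False  # 9.x, 10.0, 10.1: not affected per the advisory
    return v < parse_version(fixed)


def sw_version_from_system_info(text: str) -> str:
    """Pull the sw-version field out of `show system info` output."""
    m = re.search(r"^\s*sw-version:\s*(\S+)", text, re.MULTILINE)
    if not m:
        raise ValueError("no sw-version line found")
    return m.group(1)


def assess(system_info: str, config_xml: str) -> dict:
    """All three conditions must hold: affected version, at least one
    GlobalProtect gateway configured, and device telemetry enabled."""
    root = ET.fromstring(config_xml)
    sw_version = sw_version_from_system_info(system_info)
    gateways = [e.get("name") for e in root.findall(GP_GATEWAY_XPATH)]
    telemetry = root.find(TELEMETRY_XPATH)
    # Assumption: telemetry is "enabled" if any category under it is set to yes.
    telemetry_on = telemetry is not None and any(
        (c.text or "").strip() == "yes" for c in telemetry
    )
    affected = version_is_affected(sw_version)
    return {
        "sw_version": sw_version,
        "version_affected": affected,
        "gp_gateways": gateways,
        "telemetry_enabled": telemetry_on,
        "vulnerable": affected and bool(gateways) and telemetry_on,
    }


# Constructed sample inputs, not captured from a real device.
SAMPLE_SYSTEM_INFO = "hostname: fw-edge-01\nmodel: PA-440\nsw-version: 11.1.2-h1\n"

VULNERABLE_CONFIG = """\
<config version="11.1.0"><devices><entry name="localhost.localdomain">
  <deviceconfig><system><device-telemetry>
    <device-health-performance>yes</device-health-performance>
    <product-usage>no</product-usage>
  </device-telemetry></system></deviceconfig>
  <vsys><entry name="vsys1"><global-protect><global-protect-gateway>
    <entry name="GP-GW-External">
      <local-address><interface>ethernet1/1</interface></local-address>
    </entry>
  </global-protect-gateway></global-protect></entry></vsys>
</entry></devices></config>
"""

# Same version, but no gateway configured and every telemetry category off.
SAFE_CONFIG = """\
<config version="11.1.0"><devices><entry name="localhost.localdomain">
  <deviceconfig><system><device-telemetry>
    <device-health-performance>no</device-health-performance>
  </device-telemetry></system></deviceconfig>
  <vsys><entry name="vsys1"><global-protect/></entry></vsys>
</entry></devices></config>
"""

if __name__ == "__main__":
    for label, cfg in (("vulnerable", VULNERABLE_CONFIG), ("safe", SAFE_CONFIG)):
        print(label, assess(SAMPLE_SYSTEM_INFO, cfg))
```

The version comparison treats a release with no `-hN` suffix as hotfix 0, so 11.1.2 is reported as affected while 11.1.2-h3 is not; the verdict is only `vulnerable` when all three conditions line up, which matches the advisory's scoping. Feed it the real `show system info` output and `show config running` export from each device rather than the constructed samples.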

References

  1. Palo Alto Networks Advisory
  2. How to Disable Device Telemetry in Palo Alto Network Devices

What is Digital Hands Doing?

For managed customers, Digital Hands is identifying devices with a vulnerable configuration. 

If a vulnerable configuration is found, we will install Applications and Threats content version 8833-8682, which contains Threat ID 95187, to block the attacks. Per the vendor advisory, this signature only blocks the attacks when the firewall has a Threat Prevention subscription and a Vulnerability Protection profile that includes the signature is applied to the GlobalProtect interface.

This vulnerability will be addressed in the hotfix releases (ETA: By 4/14) and in all later PAN-OS versions:

  • PAN-OS 10.2.9-h1
  • PAN-OS 11.0.4-h1
  • PAN-OS 11.1.2-h3  
Once the hotfixes have been released, we will work with customers to schedule upgrades. 

If you are not a Digital Hands managed customer, follow the instructions in the Palo Alto link ➡️ https://security.paloaltonetworks.com/CVE-2024-3400