CVE-2024-3400: Palo Alto Networks Command Injection Vulnerability
Apr 12, 2024 3:21:08 PM | Digital Hands
On Friday, April 12th, Palo Alto Networks published an advisory on CVE-2024-3400, a CVSS 10 zero-day vulnerability in several versions of PAN-OS, the operating system that runs the company's firewalls. This vulnerability is currently unpatched, with fixes expected to be available by Sunday, April 14th, 2024.
CVE-2024-3400 details
Severity: Critical with a 10/10 CVSS ⚠️
Exploitation Status: Exploited in the wild with a "limited number of attacks", according to Palo Alto Networks' advisory
CVE ID: CVE-2024-3400
Impact
According to the vendor advisory, if you're a Palo Alto Networks customer using PAN-OS 10.2, PAN-OS 11.0, and/or PAN-OS 11.1 with GlobalProtect gateway and device telemetry enabled, the vulnerability could allow an unauthenticated attacker to execute arbitrary code with root privileges on the firewall.
Affected products
| Version | Affected | Unaffected |
|---|---|---|
| Cloud Next-Gen Firewall | None | All |
| PAN-OS 11.1 | < 11.1.2-h3 | >= 11.1.2-h3 (ETA: By 4/14) |
| PAN-OS 11.0 | < 11.0.4-h1 | >= 11.0.4-h1 (ETA: By 4/14) |
| PAN-OS 10.2 | < 10.2.9-h1 | >= 10.2.9-h1 (ETA: By 4/14) |
| PAN-OS 10.1 | None | All |
| PAN-OS 10.0 | None | All |
| PAN-OS 9.1 | None | All |
| PAN-OS 9.0 | None | All |
| Prisma Access | None | All |
Recommendations for CVE-2024-3400
Fixes for PAN-OS 10.2, PAN-OS 11.0, and PAN-OS 11.1 are in development and are expected to be released by April 14, 2024. Cloud NGFW, Panorama appliances, and Prisma Access are not impacted by this vulnerability. All other versions of PAN-OS are also not impacted.
This issue is applicable only to PAN-OS 10.2, PAN-OS 11.0, and PAN-OS 11.1 firewalls with the configurations for both GlobalProtect gateway and device telemetry enabled.
You can verify whether you have a GlobalProtect gateway configured by checking for entries in your firewall web interface (Network > GlobalProtect > Gateways) and verify whether you have device telemetry enabled by checking your firewall web interface (Device > Setup > Telemetry).
What is Digital Hands doing?
For managed customers, Digital Hands is identifying devices with a vulnerable configuration.
If a vulnerable configuration is found, we will download Applications and Threats content version 8833-8682, which contains Threat ID 95187 to block the attacks.
This vulnerability will be addressed in the hotfix releases (ETA: By 4/14) and in all later PAN-OS versions:
- PAN-OS 10.2.9-h1
- PAN-OS 11.0.4-h1
- PAN-OS 11.1.2-h3
If you are not a Digital Hands managed customer, follow the instructions in the Palo Alto link ➡️ https://security.paloaltonetworks.com/CVE-2024-3400
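To turn the affected-versions table and the two configuration conditions above into a repeatable inventory check, here is an added Python example (not Digital Hands' or Palo Alto Networks' code). It encodes the hotfix versions from the table, applies the advisory's conditions exactly as stated on this page, and runs over a constructed inventory; the hostnames, version strings and the `is_affected`/`triage` helpers are assumptions for illustration.

```python
import re

# Earliest unaffected (hotfix) release for each affected PAN-OS train, taken
# from the advisory table. Trains not listed here (9.0, 9.1, 10.0, 10.1) are
# marked "None" affected by the vendor.
FIXED_VERSIONS = {
    (10, 2): (10, 2, 9, 1),   # 10.2.9-h1
    (11, 0): (11, 0, 4, 1),   # 11.0.4-h1
    (11, 1): (11, 1, 2, 3),   # 11.1.2-h3
}

# PAN-OS versions look like MAJOR.MINOR.MAINT with an optional -hN hotfix suffix.
VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:-h(\d+))?$")

def parse_pan_os_version(version):
    """Turn '11.1.2-h3' into a comparable tuple (11, 1, 2, 3); no hotfix -> 0."""
    match = VERSION_RE.match(version.strip())
    if not match:
        raise ValueError(f"unrecognised PAN-OS version string: {version!r}")
    major, minor, maint, hotfix = match.groups()
    return (int(major), int(minor), int(maint), int(hotfix or 0))

def is_affected(version, globalprotect_gateway, device_telemetry):
    """True when the firewall meets every condition the advisory lists:
    an affected train, below the hotfix release, and both features enabled."""
    parsed = parse_pan_os_version(version)
    fixed = FIXED_VERSIONS.get(parsed[:2])
    if fixed is None or parsed >= fixed:
        return False
    return bool(globalprotect_gateway and device_telemetry)

def triage(inventory):
    """Return the hostnames that still need the hotfix, sorted, from rows of
    (hostname, version, globalprotect_gateway, device_telemetry)."""
    return sorted(host for host, ver, gw, tel in inventory if is_affected(ver, gw, tel))

# Constructed sample inventory (hostnames and versions are made up for this example).
SAMPLE_INVENTORY = [
    ("fw-edge-01", "11.1.2", True, True),       # vulnerable: below 11.1.2-h3
    ("fw-edge-02", "11.1.2-h3", True, True),    # patched
    ("fw-dc-01", "10.2.8-h5", True, True),      # vulnerable: older maint release, any hotfix
    ("fw-dc-02", "10.2.9-h1", True, True),      # patched
    ("fw-lab-01", "11.0.4", True, False),       # affected train, but telemetry disabled
    ("fw-legacy", "10.1.12", True, True),       # 10.1 train is listed as unaffected
]

if __name__ == "__main__":
    print("needs hotfix:", triage(SAMPLE_INVENTORY))  # -> ['fw-dc-01', 'fw-edge-01']
```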