Action may be required: Utilities running impacted PAN-OS firewalls (versions 10.2, 11.0, and 11.1) configured with a GlobalProtect gateway or GlobalProtect portal (or both) and with device telemetry enabled are highly encouraged to review the guidance below and address it accordingly.
Over the weekend, Palo Alto Networks released workaround guidance for a command injection vulnerability (CVE-2024-3400) that affects PAN-OS versions 10.2, 11.0, and 11.1. Palo Alto Networks has reported active exploitation of this vulnerability in the wild. WaterISAC is sharing this for member awareness.
On Sunday, Palo Alto Networks started issuing hotfixes for the impacted PAN-OS versions. WaterISAC encourages users and administrators to review the Palo Alto Networks Security Advisory, apply current mitigations, and update affected software as Palo Alto Networks continues to make the fixes available.
Description of the vulnerability from Palo Alto Networks: “A command injection vulnerability in the GlobalProtect feature of Palo Alto Networks PAN-OS software for specific PAN-OS versions and distinct feature configurations may enable an unauthenticated attacker to execute arbitrary code with root privileges on the firewall.”
“This issue is applicable only to PAN-OS 10.2, PAN-OS 11.0, and PAN-OS 11.1 firewalls configured with GlobalProtect gateway or GlobalProtect portal (or both) and device telemetry enabled. You can verify whether you have a GlobalProtect gateway or GlobalProtect portal configured by checking for entries in your firewall web interface (Network > GlobalProtect > Gateways or Network > GlobalProtect > Portals) and verify whether you have device telemetry enabled by checking your firewall web interface (Device > Setup > Telemetry).”
Additional Resources:
- Palo Alto Networks Releases Guidance for Vulnerability in PAN-OS, CVE-2024-3400 | CISA
- Zero-Day Exploitation of Unauthenticated Remote Code Execution Vulnerability in GlobalProtect (CVE-2024-3400) | Volexity
- Palo Alto Networks releases fixes for zero-day as attackers swarm VPN vulnerability | The Record
- Quick Palo Alto Networks Global Protect Vulnerability Update (CVE-2024-3400) | SANS Internet Storm Center
- Palo Alto Networks Releases Fixes for Firewall Zero-Day as Attribution Attempts Emerge | Security Week
- State-Sponsored Hackers Exploit Zero-Day to Backdoor Palo Alto Networks Firewalls | Security Week
- Palo Alto Networks zero-day exploited since March to backdoor firewalls | Bleeping Computer
- Threat Brief: Operation MidnightEclipse, Post-Exploitation Activity Related to CVE-2024-3400 | Unit 42