CVE-2024-3400: PAN GlobalProtect Vulnerability Customer Warning
Published April 12, 2024 | Updated April 16, 2024UPDATE: As of 2:00 PM PDT PAN has announced that customers may be vulnerable even if telemetry is disabled. We strongly recommend that customers install threat updates and patch immediately as we have observed active exploitation of this issue.
Summary
On April 11, 2024, Palo Alto Networks (PAN) released a security advisory warning customers of a critical vulnerability affecting certain PAN-OS versions configured as GlobalProtect Portals or Gateways. The vulnerability, tracked as CVE-2024-3400, allows an unauthenticated attacker to execute arbitrary code on the affected device.
Although PAN has released patches for the affected PAN-OS versions, we recommend that customers practice defense-in-depth by following the mitigation steps outlined in this article.
Palo Alto Networks Unit 42 has published additional information on the exploitation of the vulnerability in the wild. You can read their blog post here:
Threat Brief: Operation MidnightEclipse, Post-Exploitation Activity Related to CVE-2024-3400.
The organization that discovered the vulnerability being exploited in the wild, Volexity, has also published a blog post on their findings:
Remediation Flow Chart
The following flow chart provides a high-level overview of the vulnerability and the recommended mitigation steps:
Affected PAN-OS Versions
PAN-OS Train | Affected Versions |
---|---|
11.1 | < 11.1.2-h3 |
11.0 | < 11.0.4-h1 |
10.2 | < 10.2.9-h1 |
Mitigation Steps
Upgrade to a Patched Version
Here are all the versions that have been patched by PAN:
PAN-OS 10.2:
- 10.2.9-h1 (Released 4/14/24)
- 10.2.8-h3 (Released 4/15/24)
- 10.2.7-h8 (Released 4/15/24)
- 10.2.6-h3 (ETA: 4/16/24)
- 10.2.5-h6 (ETA: 4/16/24)
- 10.2.3-h13 (ETA: 4/17/24)
- 10.2.1-h2 (ETA: 4/17/24)
- 10.2.2-h5 (ETA: 4/18/24)
- 10.2.0-h3 (ETA: 4/18/24)
- 10.2.4-h16 (ETA: 4/19/24)
PAN-OS 11.0:
- 11.0.4-h1 (Released 4/14/24)
- 11.0.3-h10 (ETA: 4/16/24)
- 11.0.2-h4 (Released 4/16/24)
- 11.0.1-h4 (ETA: 4/17/24)
- 11.0.0-h3 (ETA: 4/18/24)
PAN-OS 11.1:
- 11.1.2-h3 (Released 4/14/24)
- 11.1.1-h1 (ETA: 4/16/24)
- 11.1.0-h3 (ETA: 4/17/24)
Install Latest Content Updates
PAN has released content update 8833-8682 that includes a signature to detect and block attempts to exploit the vulnerability. We recommend that all customers install this content update as soon as possible.
To determine if a firewall has received the content update, go to Dashboard > General Information
and check the Threat
version to make sure it is at least 8833-8682
.
Making Sure the Content Update is Effective
The content update does not patch the vulnerability, but provides a signature to detect and block exploitation attempts. In order for this signature to be effective, the firewall must have a security policy that allows traffic to the GlobalProtect Portal or Gateway with correctly configured security profiles. We recommend that customers review the relevant security polices and their security profiles to ensure that the firewall is configured to block any attempts to exploit the vulnerability.
For many customers the interzone-default
security policy will allow traffic to the GlobalProtect Portal or Gateway as the traffic is typically “outside to outside” traffic. If you are not sure which security policy is used for GlobalProtect traffic, review your logs to determine the policy that is being hit.