CVE-2024-3400: PAN GlobalProtect Vulnerability Customer Warning

Published April 12, 2024 | Updated April 16, 2024

UPDATE: As of 2:00 PM PDT PAN has announced that customers may be vulnerable even if telemetry is disabled. We strongly recommend that customers install threat updates and patch immediately as we have observed active exploitation of this issue.

Summary

On April 11, 2024, Palo Alto Networks (PAN) released a security advisory warning customers of a critical vulnerability affecting certain PAN-OS versions configured as GlobalProtect Portals or Gateways. The vulnerability, tracked as CVE-2024-3400, allows an unauthenticated attacker to execute arbitrary code on the affected device.

Although PAN has released patches for the affected PAN-OS versions, we recommend that customers practice defense-in-depth by following the mitigation steps outlined in this article.

Palo Alto Networks Unit 42 has published additional information on the exploitation of the vulnerability in the wild. You can read their blog post here:

Threat Brief: Operation MidnightEclipse, Post-Exploitation Activity Related to CVE-2024-3400.

The organization that discovered the vulnerability being exploited in the wild, Volexity, has also published a blog post on their findings:

Zero-Day Exploitation of Unauthenticated Remote Code Execution Vulnerability in GlobalProtect (CVE-2024-3400)

Remediation Flow Chart

The following flow chart provides a high-level overview of the vulnerability and the recommended mitigation steps:

PAN GlobalProtect Vulnerability Flow Chart

Affected PAN-OS Versions

PAN-OS Train Affected Versions
11.1 < 11.1.2-h3
11.0 < 11.0.4-h1
10.2 < 10.2.9-h1

Mitigation Steps

Upgrade to a Patched Version

Here are all the versions that have been patched by PAN:

PAN-OS 10.2:

  • 10.2.9-h1 (Released 4/14/24)
  • 10.2.8-h3 (Released 4/15/24)
  • 10.2.7-h8 (Released 4/15/24)
  • 10.2.6-h3 (ETA: 4/16/24)
  • 10.2.5-h6 (ETA: 4/16/24)
  • 10.2.3-h13 (ETA: 4/17/24)
  • 10.2.1-h2 (ETA: 4/17/24)
  • 10.2.2-h5 (ETA: 4/18/24)
  • 10.2.0-h3 (ETA: 4/18/24)
  • 10.2.4-h16 (ETA: 4/19/24)

PAN-OS 11.0:

  • 11.0.4-h1 (Released 4/14/24)
  • 11.0.3-h10 (ETA: 4/16/24)
  • 11.0.2-h4 (Released 4/16/24)
  • 11.0.1-h4 (ETA: 4/17/24)
  • 11.0.0-h3 (ETA: 4/18/24)

PAN-OS 11.1:

  • 11.1.2-h3 (Released 4/14/24)
  • 11.1.1-h1 (ETA: 4/16/24)
  • 11.1.0-h3 (ETA: 4/17/24)

Install Latest Content Updates

PAN has released content update 8833-8682 that includes a signature to detect and block attempts to exploit the vulnerability. We recommend that all customers install this content update as soon as possible.

To determine if a firewall has received the content update, go to Dashboard > General Information and check the Threat version to make sure it is at least 8833-8682.

Making Sure the Content Update is Effective

The content update does not patch the vulnerability, but provides a signature to detect and block exploitation attempts. In order for this signature to be effective, the firewall must have a security policy that allows traffic to the GlobalProtect Portal or Gateway with correctly configured security profiles. We recommend that customers review the relevant security polices and their security profiles to ensure that the firewall is configured to block any attempts to exploit the vulnerability.

For many customers the interzone-default security policy will allow traffic to the GlobalProtect Portal or Gateway as the traffic is typically “outside to outside” traffic. If you are not sure which security policy is used for GlobalProtect traffic, review your logs to determine the policy that is being hit.