TR-84 - PAN-OS (Palo Alto Networks) OS Command Injection Vulnerability in GlobalProtect Gateway - CVE-2024-3400

TR-84 - PAN-OS (Palo Alto Networks) OS Command Injection Vulnerability in GlobalProtect Gateway - CVE-2024-3400

Back to Publications and Presentations

  1. Fixes
  2. Detection
  3. Known affected software
  4. References
  5. Classification of this document
  6. Revision

You can report incidents via our official contact including e-mail, phone or use the Anonymous reporting form.

Search


CIRCL is accredited TI CIRCL is a FIRST member CIRCL is an OASIS member

A command injection vulnerability in the GlobalProtect feature of Palo Alto Networks PAN-OS software for specific PAN-OS versions and distinct feature configurations may enable an unauthenticated attacker to execute arbitrary code with root privileges on the firewall. Fixes for PAN-OS 10.2, PAN-OS 11.0, and PAN-OS 11.1 are in development and are expected to be released by April 14, 2024. Cloud NGFW, Panorama appliances, and Prisma Access are not impacted by this vulnerability. All other versions of PAN-OS are also not impacted.

The vulnerability is currently exploited in the wild as mentioned by Volexity and it’s referenced as CVE-2024-3400.

Fixes

This issue is fixed in hotfix releases of PAN-OS 10.2.9-h1, PAN-OS 11.0.4-h1, PAN-OS 11.1.2-h3, and in all later PAN-OS versions. Hotfixes for other commonly deployed maintenance releases will also be made available to address this issue. Please see details below for ETAs regarding the upcoming hotfixes.

PAN-OS 10.2:
- 10.2.9-h1 (Released 4/14/24)
- 10.2.8-h3 (ETA: 4/15/24)
- 10.2.7-h8 (ETA: 4/15/24)
- 10.2.6-h3 (ETA: 4/15/24)
- 10.2.5-h6 (ETA: 4/16/24)
- 10.2.3-h13 (ETA: 4/17/24)
- 10.2.1-h2 (ETA: 4/17/24)
- 10.2.2-h5 (ETA: 4/18/24)
- 10.2.0-h3 (ETA: 4/18/24)
- 10.2.4-h16 (ETA: 4/19/24)

PAN-OS 11.0:
- 11.0.4-h1 (Released 4/14/24)
- 11.0.3-h10 (ETA: 4/15/24)
- 11.0.2-h4 (ETA: 4/16/24)
- 11.0.1-h4 (ETA: 4/17/24)
- 11.0.0-h3 (ETA: 4/18/24)

PAN-OS 11.1:
- 11.1.2-h3 (Released 4/14/24)
- 11.1.1-h1 (ETA: 4/16/24)
- 11.1.0-h3 (ETA: 4/17/24)

As of April 16th, the previously suggested workarounds have been confirmed ineffective. We recommend initiating an incident response procedure in all cases. There are also workarounds proposed by the vendor to fix the vulnerability before the hotfix will be released.

Detection

  • Indicators shared by Volexity are available in a MISP event with UUID 9802116c-3ec3-4a8e-8b39-5c69b08df5ab, shared in the OSINT feed and the MISP private sector community.

Known affected software

  • PAN-OS 10.2, PAN-OS 11.0, and PAN-OS 11.1 used as GlobalProtect gateway with device telemetry enabled. (other versions are not impacted).

References

Classification of this document

TLP:CLEAR information may be distributed without restriction, subject to copyright controls.

Revision

  • Version 1.0 - TLP:CLEAR - First version - 12th April 2024
  • Version 1.1 - TLP:CLEAR - Second version - 13rd April 2024 - IoCs added
  • version 1.2 - TLP:CLEAR - Third version - 15th April 2024 - fixes added
  • Version 1.3 - TLP:CLEAR - Fourth version - 17th April 2024 - workarounds are now ineffective