Attackers exploit critical zero-day flaw in Palo Alto Networks firewalls

Network security vendor Palo Alto Networks released mitigation instructions for an actively exploited vulnerability in PAN-OS, the software that powers its next-generation firewall (NGFW) products. The company is still working on developing software patches.

The vulnerability, tracked as CVE-2024-3400, is described as a command injection issue and is located in the GlobalProtect feature of PAN-OS. Successful exploitation allows unauthenticated attackers to execute arbitrary code with root privileges on the system.

The flaw is rated with the maximum score of 10 in the Common Vulnerability Scoring System (CVSS) but affects only some versions of PAN-OS with specific feature configurations.

“This issue is applicable only to PAN-OS 10.2, PAN-OS 11.0, and PAN-OS 11.1 firewalls with the configurations for both GlobalProtect gateway and device telemetry enabled,” the company said in its advisory.

Customers can check if they have the GlobalProtect gateway configured under the Network > GlobalProtect > Gateways menu in the firewall’s web interface. The telemetry feature can be checked under Device > Setup > Telemetry.

Mitigating Palo Alto Networks PAN-OS

The company plans to release software hotfixes for PAN-OS 10.2, PAN-OS 11.0 and PAN-OS 11.1 to address the flaw on April 14. These patches will be numbered 10.2.9-h1, 11.0.4-h1 and 11.1.2-h3. Older PAN-OS releases are not impacted and neither are the Cloud NGFW or Prisma Access and Panorama appliances.

In the meantime, Palo Alto Networks advises customers with a Threat Prevention subscription to enable Threat ID 95187, which blocks attacks exploiting this vulnerability. For this to be effective they also need to apply a vulnerability protection security profile to their GlobalProtect interface, which requires specific configuration changes; instructions are provided in a new knowledge base article.

Customers who don’t have a Threat Prevention subscription can temporarily disable the device telemetry feature until patches become available and are applied.
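The affected trains, the hotfix numbers and the two configuration preconditions above can be turned into a quick triage check. The following is an added example, not code from Palo Alto Networks; it assumes PAN-OS version strings follow the `major.minor.maint[-hN]` form and that any release at or above the named hotfix within the same train carries the fix.

```python
import re
from typing import Tuple

# Hotfix releases named in the advisory, keyed by affected train.
# Assumption (not stated on the page): a later maintenance release or
# hotfix in the same train is treated as fixed; other trains are unaffected.
FIXED = {
    (10, 2): (9, 1),   # 10.2.9-h1
    (11, 0): (4, 1),   # 11.0.4-h1
    (11, 1): (2, 3),   # 11.1.2-h3
}

VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:-h(\d+))?$")


def parse_version(s: str) -> Tuple[int, int, int, int]:
    """Parse '11.1.2-h3' into (major, minor, maint, hotfix); no suffix means hotfix 0."""
    m = VERSION_RE.match(s.strip())
    if not m:
        raise ValueError(f"unrecognised PAN-OS version string: {s!r}")
    major, minor, maint, hotfix = m.groups()
    return int(major), int(minor), int(maint), int(hotfix or 0)


def needs_fix(version: str) -> bool:
    """True if the release is in an affected train and below that train's hotfix."""
    major, minor, maint, hotfix = parse_version(version)
    fixed = FIXED.get((major, minor))
    if fixed is None:
        return False  # train not listed as affected (older releases, per the advisory)
    return (maint, hotfix) < fixed


def exposed(version: str, globalprotect_gateway: bool, device_telemetry: bool) -> bool:
    """Exploitable configuration per the advisory: affected release AND both
    GlobalProtect gateway and device telemetry enabled."""
    return needs_fix(version) and globalprotect_gateway and device_telemetry


# Constructed sample: a gateway on an unpatched 11.1 release with telemetry on.
SAMPLE_VERSION = "11.1.2"
if __name__ == "__main__":
    print(SAMPLE_VERSION, "needs fix:", needs_fix(SAMPLE_VERSION))
    print("exposed:", exposed(SAMPLE_VERSION, True, True))
```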

“Limited” active exploitation of vulnerability in PAN-OS

Palo Alto Networks said it is aware of a “limited number of attacks” that are exploiting this flaw. The Australian Cyber Security Centre (ACSC) and the US Cybersecurity and Infrastructure Security Agency (CISA) have released advisories confirming active exploitation. CISA also added the flaw to its Known Exploited Vulnerabilities Catalog.

Over the past two years there has been a spike in the number of attacks from state-sponsored cyberespionage groups targeting enterprise network security devices — firewall devices, VPN balancers, email gateways and so on — often through zero-day vulnerabilities, as in this case. These devices are attractive targets because they sit at the network perimeter and, once compromised, they can serve as jump points into internal networks.
