
DIVD-2024-00013 - Palo Alto PAN-OS Command Injection Vulnerability in GlobalProtect

Our reference DIVD-2024-00013
Case lead Stan Plasmeijer
Researcher(s)
CVE(s)
Products
  • PAN-OS GlobalProtect
Versions
  • PAN-OS 10.2, PAN-OS 11.0, and PAN-OS 11.1 firewalls configured with GlobalProtect gateway or GlobalProtect portal (or both).
Recommendation Upgrade to a PAN-OS version where the issue is fixed. The issue is fixed in PAN-OS 10.2.9-h1, PAN-OS 11.0.4-h1, PAN-OS 11.1.2-h3, and in all later PAN-OS versions.
Patch status Released
Status Closed
Last modified 07 Aug 2024 13:54 CEST

Summary

A command injection vulnerability has been discovered in the GlobalProtect feature of PAN-OS. It allows unauthenticated malicious actors to execute arbitrary commands on the system with root privileges. PAN-OS is the operating system of Palo Alto firewalls.

Palo Alto Networks is aware of attacks exploiting this vulnerability.

Recommendations

Palo Alto Networks recommends upgrading to a version where the issue is fixed. Palo Alto has released the following versions:

PAN-OS 10.2:

PAN-OS 11.0:

PAN-OS 11.1:

Mitigation

When upgrading is not suitable and you have a Threat Prevention subscription with Palo Alto, you can block attacks using Threat IDs 95187, 95189, and 95191 (available in Applications and Threats content version 8836-8695 and later).
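An added example (not DIVD's or Palo Alto's code) for triaging a firewall inventory against the fixed versions named in the recommendation. It knows only 10.2.9-h1, 11.0.4-h1 and 11.1.2-h3, so a hotfix build of any earlier maintenance release is reported as vulnerable; the hostnames, sample versions and verdict labels are constructed for illustration.

```python
import re

# Fixed releases per affected branch, as (maintenance, hotfix), from this advisory.
FIXED = {"10.2": (9, 1), "11.0": (4, 1), "11.1": (2, 3)}
_VERSION = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:-h(\d+))?$")

def parse_version(text):
    """Split 'major.minor.maint[-hN]' into (branch, (maint, hotfix))."""
    m = _VERSION.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised PAN-OS version: {text!r}")
    major, minor, maint, hotfix = m.groups()
    return f"{major}.{minor}", (int(maint), int(hotfix or 0))

def assess(version, globalprotect_enabled):
    """Return 'not_listed', 'fixed', 'not_exposed' or 'vulnerable'."""
    branch, build = parse_version(version)
    if branch not in FIXED:
        return "not_listed"   # branch is not among the affected versions above
    if build >= FIXED[branch]:
        return "fixed"        # at or past the fixed release for this branch
    if not globalprotect_enabled:
        return "not_exposed"  # unfixed build, no GlobalProtect gateway or portal
    return "vulnerable"

def triage(inventory):
    """Map hostname -> verdict for (hostname, version, gp_enabled) rows."""
    results = {}
    for host, version, gp_enabled in inventory:
        try:
            results[host] = assess(version, gp_enabled)
        except ValueError:
            results[host] = "unparsed"  # needs a manual look
    return results

# Constructed sample inventory (illustrative hostnames and versions).
SAMPLE = [
    ("fw-edge-01", "10.2.9-h1", True),
    ("fw-edge-02", "10.2.9", True),
    ("fw-dc-01", "11.1.2-h3", True),
    ("fw-dc-02", "11.0.3-h10", True),
    ("fw-lab-01", "11.1.1", False),
    ("fw-old-01", "10.1.11", True),
    ("fw-bad-01", "unknown", True),
]

if __name__ == "__main__":
    for host, verdict in triage(SAMPLE).items():
        print(f"{host:12} {verdict}")
```

A `not_exposed` device still runs an unfixed build and becomes `vulnerable` as soon as a GlobalProtect gateway or portal is configured on it.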

What we are doing

DIVD is currently identifying vulnerable instances and notifying the owners of these systems.

Timeline

Date Description
12 Apr 2024 DIVD starts researching this vulnerability.
13 Apr 2024 DIVD found a way to fingerprint vulnerable devices
13 Apr 2024 DIVD starts scanning the internet for vulnerable instances
14 Apr 2024 Palo Alto Networks released new firmware to fix the issue
17 Apr 2024 DIVD scanned a second time to find vulnerable instances that had not yet been updated to the latest version
18 Apr 2024 Case opened, first version of this casefile
19 Apr 2024 DIVD starts notifying network owners with a vulnerable instance in their network.
23 Apr 2024 DIVD closes the case. More parties are scanning for this vulnerability.

More information