Palo Alto Command Injection Vulnerability in PAN-OS GlobalProtect

Our advisories highlight current cyber security threats and vulnerabilities in New Zealand, and provide guidance on how to mitigate their impact.

Subscribe to our updates to be notified as soon as we publish an advisory.

12:00am, 12 April 2024

TLP Rating: Clear

Palo Alto Command Injection Vulnerability in PAN-OS GlobalProtect

UPDATE: 17/04/2024

A critical vulnerability (CVE-2024-3400) is being exploited and may enable an unauthenticated attacker to execute arbitrary code with root privileges on the firewall.

This vulnerability affects certain Palo Alto Networks Operating System (PAN-OS) products using GlobalProtect Gateway.

Patches are now available and we encourage organisations to continue monitoring the vendor advisory for further updates. Note that mitigation actions have been changed (17/04/2024).

What's happening

Systems affected

This vulnerability applies to the following versions of PAN-OS and requires configurations for both GlobalProtect gateway and device telemetry to be enabled.

  • PAN-OS 11.1 – versions earlier than 11.1.2-h3
  • PAN-OS 11.0 – versions earlier than 11.0.4-h1
  • PAN-OS 10.2 – versions earlier than 10.2.9-h1

Cloud NGFW, Panorama appliances, and Prisma Access are not impacted by this vulnerability

What to look for

How to tell if you're affected

You can upload a Technical Support File (TSF) to the Palo Alto Customer Support Portal (CSP) to determine if your device logs match known indicators of compromise (IoC).

What to do

Prevention

Patches are available for this vulnerability.

Upgrade your Palo Alto PAN-OS to one of the following versions (or later).

  • 11.1.2-h3
  • 11.0.4-h1
  • 10.2.9-h1

Check the Palo Alto Networks site for updates on this. (see links below).

Hotfixes for other commonly deployed maintenance releases will also be made available to address this issue. 

Mitigation

Threat Prevention subscribers can block attacks for this vulnerability by enabling Threat ID 95187.

NOTE: Our original advisory said to disable device telemetry as a mitigation; the vendor advises this is no longer the case.

More information

Official Palo Alto Networks Site:

CVE-2024-3400 PAN-OS: OS Command Injection Vulnerability in GlobalProtect (paloaltonetworks.com) External Link

If you require more information or further support, submit a report on our website or contact us on 0800 CERTNZ.

Report an incident to CERT NZ