Friday, 12th April 2024 – *UPDATED 19/04/2024*
*New ETA on patches has been given*
Introduction
Today Palo Alto Networks announced a command injection vulnerability in the GlobalProtect feature of PAN-OS. It affects firewalls that have a GlobalProtect gateway or portal configured. At the time of writing the vulnerability is unpatched; patches are expected on Sunday, 14th April 2024.
CVE-2024-3400 (CVSS v3.1: 10.0, Critical) may allow an unauthenticated remote attacker to execute arbitrary code with root privileges on the firewall.
Palo Alto Networks customers can upload a technical support file (TSF) to the Customer Support Portal to determine whether their device logs match the known IOCs for this vulnerability.
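Uploading a TSF is the authoritative check, but a quick first pass can be done locally on an exported gpsvc.log. The scanner below is an added example, not code from the original post or from Palo Alto Networks. It keys on the "failed to unmarshal session(...)" marker that Palo Alto Networks told customers to grep for in gpsvc.log, and only flags a line when the rejected SESSID value contains path traversal or shell metacharacters, since an ordinary unmarshal failure with an opaque token is benign. The log lines are constructed samples, not real device output, and the function names are my own.

```python
import re

# Marker Palo Alto Networks advised customers to grep for in the management-plane
# log gpsvc.log. The value in parentheses is the SESSID cookie the daemon rejected.
UNMARSHAL_RE = re.compile(r"failed to unmarshal session\((?P<sessid>.*)\)")

# A legitimate session ID is an opaque token. Traversal sequences or shell
# metacharacters inside it are the indicator, not the unmarshal failure itself.
SUSPICIOUS_RE = re.compile(r"\.\./|[`$|;&<>]")


def scan_gpsvc_lines(lines):
    """Return one hit per log line whose rejected SESSID looks like an injection attempt."""
    hits = []
    for lineno, line in enumerate(lines, start=1):
        m = UNMARSHAL_RE.search(line)
        if not m:
            continue
        sessid = m.group("sessid")
        if SUSPICIOUS_RE.search(sessid):
            hits.append({"line": lineno, "sessid": sessid, "raw": line.rstrip()})
    return hits


def scan_gpsvc_file(path):
    """Scan an exported gpsvc.log (e.g. pulled out of a TSF) line by line."""
    with open(path, encoding="utf-8", errors="replace") as fh:
        return scan_gpsvc_lines(fh)


# Constructed sample lines (not real device output). Line 2 is a benign
# unmarshal failure; lines 3 and 4 carry traversal / command substitution.
SAMPLE_LOG = """\
2024-04-12 09:58:01 [gpsvc] session created for user alice from 203.0.113.7
2024-04-12 09:58:44 [gpsvc] failed to unmarshal session(3f9c1a7e0b4d4e1c9a2b)
2024-04-12 10:01:03 [gpsvc] failed to unmarshal session(../../../tmp/probe)
2024-04-12 10:01:09 [gpsvc] failed to unmarshal session(../../../tmp/`id`)
""".splitlines()


def scan_sample():
    return scan_gpsvc_lines(SAMPLE_LOG)


if __name__ == "__main__":
    for hit in scan_sample():
        print(f"line {hit['line']}: suspicious SESSID {hit['sessid']!r}")
```

A clean scan is not proof of a clean device: an attacker with root can edit or truncate gpsvc.log, so treat hits as confirmation and a miss as inconclusive, and still submit the TSF.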
Affected Products
Versions | Affected | Unaffected |
---|---|---|
Cloud NGFW | None | All |
PAN-OS 11.1 | < 11.1.2-h3 | >= 11.1.2-h3 |
PAN-OS 11.0 | < 11.0.4-h1 | >= 11.0.4-h1 |
PAN-OS 10.2 | < 10.2.9-h1 | >= 10.2.9-h1 |
PAN-OS 10.1 | None | All |
PAN-OS 10.0 | None | All |
PAN-OS 9.1 | None | All |
PAN-OS 9.0 | None | All |
Prisma Access | None | All |
Workarounds
Palo Alto Networks planned to release the hotfixes PAN-OS 10.2.9-h1, PAN-OS 11.0.4-h1 and PAN-OS 11.1.2-h3 by 14th April; the per-release hotfix schedule is listed under Security Recommendation below.
For customers with a Threat Prevention subscription, Threat IDs 95187, 95189 and 95191 (introduced in Applications and Threats content version 8833-8682 and later) can block attacks for this vulnerability. The signatures only help if the vulnerability protection profile containing them is applied to the security policy covering the GlobalProtect interface. More information is available in the Palo Alto Networks advisory.
Security Recommendation
The security advisory originally listed disabling device telemetry as a mitigation. This is no longer the case: telemetry does not need to be enabled for a firewall to be exploitable, so disabling it does not protect the device. If you disabled telemetry on that basis, reverse the change.
Palo Alto Networks urges customers to upgrade PAN-OS to a fixed version to protect their devices, even if workarounds or mitigations are in place.
Palo Alto Networks has provided the following list of hotfix releases and their release dates:
PAN-OS 10.2:
- 10.2.9-h1 (Released 4/14/24)
- 10.2.8-h3 (Released 4/15/24)
- 10.2.7-h8 (Released 4/15/24)
- 10.2.6-h3 (Released 4/16/24)
- 10.2.5-h6 (Released 4/16/24)
- 10.2.4-h16 (Released 4/18/24)
- 10.2.3-h13 (Released 4/18/24)
- 10.2.2-h5 (Released 4/18/24)
- 10.2.1-h2 (Released 4/18/24)
- 10.2.0-h3 (Released 4/18/24)
PAN-OS 11.0:
- 11.0.4-h1 (Released 4/14/24)
- 11.0.4-h2 (Released 4/17/24)
- 11.0.3-h10 (Released 4/16/24)
- 11.0.2-h4 (Released 4/16/24)
- 11.0.1-h4 (Released 4/18/24)
- 11.0.0-h3 (Released 4/18/24)
PAN-OS 11.1:
- 11.1.2-h3 (Released 4/14/24)
- 11.1.1-h1 (Released 4/16/24)
- 11.1.0-h3 (Released 4/16/24)
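With fixes spread across eighteen hotfixes on three release trains, checking a fleet by eye is error-prone: 10.2.9 is vulnerable while 10.2.8-h3 is fixed. The triage helper below is an added example, not code from the original post or a Palo Alto Networks tool. It transcribes the release list above into a lookup table, parses PAN-OS version strings of the form MAJOR.MINOR.MAINT[-hN], and reports for each device whether it is on an unaffected train, already patched, or vulnerable and which hotfix it needs. The inventory is constructed, and the rule that a maintenance release newer than the last one listed for a train (e.g. 11.1.3) contains the fix is my assumption.

```python
import re
from typing import Dict, Optional, Tuple

# First hotfix that fixes CVE-2024-3400 for each maintenance release in the
# affected trains (10.2, 11.0, 11.1), transcribed from the release list above.
FIXED_HOTFIX: Dict[Tuple[int, int, int], int] = {
    (10, 2, 0): 3, (10, 2, 1): 2, (10, 2, 2): 5, (10, 2, 3): 13, (10, 2, 4): 16,
    (10, 2, 5): 6, (10, 2, 6): 3, (10, 2, 7): 8, (10, 2, 8): 3, (10, 2, 9): 1,
    (11, 0, 0): 3, (11, 0, 1): 4, (11, 0, 2): 4, (11, 0, 3): 10, (11, 0, 4): 1,
    (11, 1, 0): 3, (11, 1, 1): 1, (11, 1, 2): 3,
}
AFFECTED_TRAINS = {(10, 2), (11, 0), (11, 1)}

VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:-h(\d+))?$")


def parse_version(text: str) -> Tuple[int, int, int, int]:
    """Parse 'MAJOR.MINOR.MAINT[-hN]' into a tuple; no -h suffix means hotfix 0."""
    m = VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"not a PAN-OS version string: {text!r}")
    major, minor, maint, hotfix = m.groups()
    return int(major), int(minor), int(maint), int(hotfix or 0)


def assess(version: str) -> Dict[str, Optional[str]]:
    """Classify one PAN-OS version against the hotfix table."""
    major, minor, maint, hotfix = parse_version(version)
    train = (major, minor)
    result: Dict[str, Optional[str]] = {"version": version, "status": None, "upgrade_to": None}
    if train not in AFFECTED_TRAINS:
        result["status"] = "unaffected"  # 9.0, 9.1, 10.0, 10.1 per the table above
        return result
    fixed = FIXED_HOTFIX.get((major, minor, maint))
    if fixed is None:
        # Assumption: a maintenance release newer than the last one listed for
        # this train was built after the fix and therefore contains it.
        newest = max(mt for (mj, mn, mt) in FIXED_HOTFIX if (mj, mn) == train)
        result["status"] = "patched" if maint > newest else "unknown"
        return result
    if hotfix >= fixed:
        result["status"] = "patched"
    else:
        result["status"] = "vulnerable"
        result["upgrade_to"] = f"{major}.{minor}.{maint}-h{fixed}"
    return result


def triage(inventory: Dict[str, str]) -> Dict[str, Dict[str, Optional[str]]]:
    """Assess every firewall in a {hostname: version} inventory."""
    return {host: assess(ver) for host, ver in inventory.items()}


# Constructed inventory, not real devices.
SAMPLE_INVENTORY = {
    "fw-edge-01": "10.2.9",      # vulnerable: needs 10.2.9-h1
    "fw-edge-02": "10.2.8-h3",   # patched
    "fw-dc-01": "11.0.4-h2",     # patched (later hotfix than 11.0.4-h1)
    "fw-lab-01": "10.1.9",       # unaffected train
    "fw-branch-07": "11.1.1",    # vulnerable: needs 11.1.1-h1
}

if __name__ == "__main__":
    for host, r in triage(SAMPLE_INVENTORY).items():
        print(f"{host:14} {r['version']:10} {r['status']:11} {r['upgrade_to'] or ''}")
```

"patched" here means only that the code fix is present. A device on a vulnerable version but without a GlobalProtect gateway or portal configured is not exposed, yet the vendor still asks for the upgrade, so the version check, not the exposure check, should drive the work queue. Cloud NGFW and Prisma Access do not carry PAN-OS version strings and are outside this helper's scope.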