
PAN-OS Command Injection Vulnerability in GlobalProtect Gateway (Critical)

Palo Alto

Friday, 12th April 2024 – *UPDATED 19/04/2024*

*New ETA on patches has been given*

Introduction

Today Palo Alto Networks announced a command injection vulnerability in the GlobalProtect Gateway feature of PAN-OS. The vulnerability is currently unpatched but patches are expected on Sunday, 14th April 2024.

CVE-2024-3400 (CVSS v3.1: 10 [Critical]) may enable an unauthenticated remote attacker to execute arbitrary code with root privileges on the firewall.

Palo Alto Networks customers can upload a TSF (technical support file) to the Customer Support Portal to determine whether their device logs match the known IOCs for this vulnerability.

Affected Products

Versions, with affected and unaffected releases:

Cloud NGFW
  Affected: None
  Unaffected: All

PAN-OS 11.1
  Affected: < 11.1.0-h3, < 11.1.1-h1, < 11.1.2-h3
  Unaffected: >= 11.1.0-h3, >= 11.1.1-h1, >= 11.1.2-h3

PAN-OS 11.0
  Affected: < 11.0.2-h4, < 11.0.3-h10, < 11.0.4-h1
  Unaffected: >= 11.0.2-h4, >= 11.0.3-h10, >= 11.0.4-h1

PAN-OS 10.2
  Affected: < 10.2.5-h6, < 10.2.6-h3, < 10.2.7-h8, < 10.2.8-h3, < 10.2.9-h1
  Unaffected: >= 10.2.5-h6, >= 10.2.6-h3, >= 10.2.7-h8, >= 10.2.8-h3, >= 10.2.9-h1

PAN-OS 10.1
  Affected: None
  Unaffected: All

PAN-OS 10.0
  Affected: None
  Unaffected: All

PAN-OS 9.1
  Affected: None
  Unaffected: All

PAN-OS 9.0
  Affected: None
  Unaffected: All

Prisma Access
  Affected: None
  Unaffected: All

Workarounds

Palo Alto Networks has planned releases of the following hotfixes by the 14th of April: PAN-OS 10.2.9-h1, PAN-OS 11.0.4-h1 and PAN-OS 11.1.2-h3.

Threat IDs 95187, 95819 and 95191 (introduced in Applications and Threats content version 8833-8682) can block attacks exploiting this vulnerability. Customers must also ensure that a vulnerability protection profile has been applied to the GlobalProtect interface. More information is available here.


Security Recommendation

The security advisory previously stated that disabling log telemetry is a mitigation. This is no longer the case; if this action was applied, please reverse it.

Palo Alto Networks urges customers to upgrade to a fixed PAN-OS version to protect their devices, even if workarounds or mitigations are in place.

Palo Alto Networks has provided the following list of hotfix releases, with the date on which each one became available:

PAN-OS 10.2:
- 10.2.9-h1 (Released 4/14/24)
- 10.2.8-h3 (Released 4/15/24)
- 10.2.7-h8 (Released 4/15/24)
- 10.2.6-h3 (Released 4/16/24)
- 10.2.5-h6 (Released 4/16/24)
- 10.2.4-h16 (Released 4/18/24)
- 10.2.3-h13 (Released 4/18/24)
- 10.2.2-h5 (Released 4/18/24)
- 10.2.1-h2 (Released 4/18/24)
- 10.2.0-h3 (Released 4/18/24)

PAN-OS 11.0:
- 11.0.4-h1 (Released 4/14/24)
- 11.0.4-h2 (Released 4/17/24)
- 11.0.3-h10 (Released 4/16/24)
- 11.0.2-h4 (Released 4/16/24)
- 11.0.1-h4 (Released 4/18/24)
- 11.0.0-h3 (Released 4/18/24)

PAN-OS 11.1:
- 11.1.2-h3 (Released 4/14/24)
- 11.1.1-h1 (Released 4/16/24)
- 11.1.0-h3 (Released 4/16/24)
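As an added example (not code from Palo Alto Networks or this bulletin), the following Python helper encodes the hotfix schedule above and classifies a PAN-OS version string as affected, unaffected or unknown, treating a missing "-hN" suffix as hotfix 0 so that, for instance, 10.2.9 is flagged while 10.2.9-h1 is not. The table layout, the "unknown" fallback for releases the bulletin does not list, and the sample inventory are my own assumptions and constructed data.

```python
import re

# Lowest fixed hotfix per maintenance release, transcribed from the hotfix
# schedule in this bulletin. Maintenance releases the bulletin does not
# list are reported as "unknown" rather than assumed safe.
FIXED_HOTFIX = {
    (10, 2): {0: 3, 1: 2, 2: 5, 3: 13, 4: 16, 5: 6, 6: 3, 7: 8, 8: 3, 9: 1},
    (11, 0): {0: 3, 1: 4, 2: 4, 3: 10, 4: 1},
    (11, 1): {0: 3, 1: 1, 2: 3},
}
# Release trains the bulletin lists as entirely unaffected.
UNAFFECTED_TRAINS = {(9, 0), (9, 1), (10, 0), (10, 1)}

_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:-h(\d+))?$")


def parse_panos_version(version: str):
    """Split 'major.minor.maint[-hN]' into ints; a missing -h suffix is hotfix 0."""
    m = _VERSION_RE.match(version.strip())
    if not m:
        raise ValueError(f"unrecognised PAN-OS version string: {version!r}")
    major, minor, maint, hotfix = m.groups()
    return int(major), int(minor), int(maint), int(hotfix or 0)


def cve_2024_3400_status(version: str) -> str:
    """Return 'affected', 'unaffected' or 'unknown' for a PAN-OS version.

    'unknown' means the bulletin does not cover that release; consult the
    vendor advisory instead of assuming the device is safe.
    """
    major, minor, maint, hotfix = parse_panos_version(version)
    train = (major, minor)
    if train in UNAFFECTED_TRAINS:
        return "unaffected"
    fixes = FIXED_HOTFIX.get(train)
    if fixes is None or maint not in fixes:
        return "unknown"
    return "unaffected" if hotfix >= fixes[maint] else "affected"


if __name__ == "__main__":
    # Constructed sample fleet inventory (not real device data).
    for v in ["10.2.9", "10.2.9-h1", "11.0.4-h2", "11.1.2-h2", "10.1.9-h3", "10.2.12"]:
        print(f"{v:12} {cve_2024_3400_status(v)}")
```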