CVE-2024-3400 – PAN-OS OS Command Injection Vulnerability in GlobalProtect Gateway
Billy Hoffman
Unauthenticated, remote attackers can execute arbitrary OS commands with root privileges against certain Palo Alto’s GlobalProtect firewalls, using a just announced critical severity vulnerability which is being actively exploited in the wild.
While limited to specific versions and configurations, unauthenticated remote command execution vulnerabilities are among the most severe security vulnerabilities that exist. Indeed, CVE-2024-3400 has a critical 10 out of 10 rating under CVSS.
Palo Alto Networks (PAN) has a detailed post on the issue with affected versions. Security patches are expected to be released by April 14, 2024. Until then PAN customers can protect themselves by disabling the device telemetry feature of the impacted assets.
It is critical for security teams to identify if and where PAN GlobalProtect assets exist inside their organization. As firewalls, these vulnerable assets sit in your external attack surface. Security organizations should consider not just assets IT directly controls, but to recognize that vulnerable assets could also be deployed inside of subsidiaries, recently acquired companies, or satellite offices, and be run under different Palo Alto accounts and contracts. These are just some of the many factors that make it difficult for organizations to have an accurate view of their entire asset inventory.
In the coming weeks, once everyone has implemented mitigations and applied security updates, organizations should reflect on how long or how difficult it was for them to answer the question “Do we have vulnerable PAN assets in our organization, and if so where?”
For IONIX customers, who are receiving a complete view of their external attack surface, CVE-2024-3400 details can be viewed in our Threat Center and linked to any vulnerable PAN GlobaProtect assets in their organization:
The links below have additional information:
