Black Arrow Cyber Alert 17 April 2024 – Major Palo Alto Security Flaw Actively Exploited by Highly Capable Actors
Executive summary
Palo Alto have issued a critical alert for an actively exploited attack in the GlobalProtect feature of PAN-OS software use in its firewall products. Successful exploitation allows an attacker to execute code with root privileges, the highest available. Third parties have since disclosed a proof of concept for the exploit.
What’s the risk to me or my business?
The exploit applies only to applicable only to PAN-OS 10.2, PAN-OS 11.0, and PAN-OS 11.1 firewalls configured with GlobalProtect gateway or GlobalProtect portal. Organisations falling under this umbrella are leaving themselves at risk of allowing an attacker to perform code with root privileges, impacting the confidentiality, integrity and availability of data. Device telemetry does not need to be enabled for PAN-OS firewalls to be exposed to attacks related to this vulnerability. Cloud NGFW, Panorama appliances, and Prisma Access are not impacted by this vulnerability.
Whether you have a GlobalProtect gateway or GlobalProtect portal configured can be verified by checking for entries in your firewall web interface (Network > GlobalProtect > Gateways or Network > GlobalProtect > Portals).
Palo Alto has listed the following versions as vulnerable:
PAN-OS 10.2: < 11.1.0-h3, < 11.1.1-h1, < 11.1.2-h3
PAN-OS 11.0: < 11.0.2-h4, < 11.0.3-h10, < 11.0.4-h1
PAN-OS 11.1: < 10.2.5-h6, < 10.2.6-h3, < 10.2.7-h8, < 10.2.8-h3, < 10.2.9-h1
The issue is fixed in hotfix releases of PAN-OS 10.2.9-h1, PAN-OS 11.0.4-h1, PAN-OS 11.1.2-h3, and in all later PAN-OS versions. A full list of ETA’s of hotfixes are available in the advisory by Palo Alto.
What can I do?
Black Arrow recommends following Palo Alto’s advice and applying the available fixes immediately even if workarounds and mitigations have been applied as previous mitigations are no longer effective. If an update is not available, it is recommended that the advisory is checked to see when an one will be made available. The latest expected update is currently planned for 19 April 2024.
Technical Summary
CVE-2024-3400 - A command Injection Vulnerability in the GlobalProtect feature of Palo Alto Networks PAN-OS software which can allow an unauthenticated attacker to execute code with root privileges.
Further information can be found here:
https://security.paloaltonetworks.com/CVE-2024-3400
Need help understanding your gaps, or just want some advice? Get in touch with us.
#threatadvisory #threatintelligence #cybersecurity