CVE-2024-3400: Unauthenticated code injection in PAN-OS

CVE-2024-3400 affects Palo Alto Networks PAN-OS software used to manage the first layer of defense for many enterprises

A critical command injection vulnerability affecting Palo Alto Networks PAN-OS software has recently been published. It allows an unauthenticated attacker to execute arbitrary code with root privileges on the affected firewalls. The vulnerability, assigned CVE-2024-3400, has a CVSS score of 10.0.

PAN-OS software is the operating system that runs on Palo Alto Networks next-generation firewalls and is responsible for managing the first layer of defense of many companies.

The vulnerability only applies to PAN-OS 10.2, PAN-OS 11.0 and PAN-OS 11.1 versions configured with GlobalProtect Gateway or GlobalProtect Portal and device telemetry enabled. This issue does not affect Cloud NGFWs, Panorama or Prisma Access appliances.

Main features of CVE-2024-3400

The main characteristics of this vulnerability are detailed below:

  • CVE Identifier: CVE-2024-3400
  • Release date: 12/04/2024
  • Affected software: Palo Alto Networks PAN-OS 10.2, PAN-OS 11.0 and PAN-OS 11.1
  • CVSS Score: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H (10.0 Critical)
  • Affected versions
    • PAN-OS 11.1 < 11.1.2-h3
    • PAN-OS 11.0 < 11.0.4-h1
    • PAN-OS 10.2 < 10.2.7-h8, < 10.2.8-h3, < 10.2.9-h1
  • Exploitation Requirements
    • The software must have GlobalProtect Gateway or GlobalProtect Portal enabled.
    • Device telemetry must be enabled.

Mitigation

The main solution is to urgently upgrade the PAN-OS software to one of the patched versions that fix this vulnerability:

PAN-OS 10.2

  • 10.2.9-h1 (Released 4/14/24)
  • 10.2.8-h3 (Released 4/15/24)
  • 10.2.7-h8 (Released 4/15/24)
  • 10.2.6-h3 (ETA: 4/16/24)
  • 10.2.5-h6 (ETA: 4/16/24)
  • 10.2.3-h13 (ETA: 4/17/24)
  • 10.2.1-h2 (ETA: 4/17/24)
  • 10.2.2-h5 (ETA: 4/18/24)
  • 10.2.0-h3 (ETA: 4/18/24)
  • 10.2.4-h16 (ETA: 4/19/24)

PAN-OS 11.0

  • 11.0.4-h1 (Released 4/14/24)
  • 11.0.3-h10 (ETA: 4/16/24)
  • 11.0.2-h4 (ETA: 4/16/24)
  • 11.0.1-h4 (ETA: 4/17/24)
  • 11.0.0-h3 (ETA: 4/18/24)

PAN-OS 11.1

  • 11.1.2-h3 (Released 4/14/24)
  • 11.1.1-h1 (ETA: 4/16/24)
  • 11.1.0-h3 (ETA: 4/17/24)

Palo Alto Networks has released a blog post with official information and updates regarding this vulnerability.

Vulnerability detection of CVE-2024-3400

The presence of CVE-2024-3400 can be identified from the PAN-OS version number, comparing it against the fixed release for the same maintenance line.
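The version comparison is not a plain ordering: on the 10.2 train, 10.2.8-h2 is vulnerable even though it sorts after the fixed 10.2.7-h8, because each maintenance release has its own fixing hotfix. The following script is an added example, not code from Tarlogic or Palo Alto Networks; it takes the fixed releases from the mitigation list above, parses PAN-OS version strings of the form `major.minor.maint[-hN]` (a missing hotfix is treated as h0), and classifies each device in a constructed `hostname,version` inventory. The inventory format and hostnames are assumptions for illustration.

```python
import re
from typing import Dict, List, Tuple

# Fixed releases taken from the advisory's mitigation list: each entry is the
# hotfix that resolves CVE-2024-3400 on its maintenance release (some were
# still ETA at the time the advisory was written).
FIXED_RELEASES: List[str] = [
    "10.2.9-h1", "10.2.8-h3", "10.2.7-h8", "10.2.6-h3", "10.2.5-h6",
    "10.2.3-h13", "10.2.1-h2", "10.2.2-h5", "10.2.0-h3", "10.2.4-h16",
    "11.0.4-h1", "11.0.3-h10", "11.0.2-h4", "11.0.1-h4", "11.0.0-h3",
    "11.1.2-h3", "11.1.1-h1", "11.1.0-h3",
]

# Only these feature trains are in scope for CVE-2024-3400.
AFFECTED_TRAINS = {(10, 2), (11, 0), (11, 1)}

VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:-h(\d+))?$")


def parse_version(version: str) -> Tuple[int, int, int, int]:
    """Parse 'major.minor.maint[-hN]' into a tuple; a missing hotfix counts as h0."""
    m = VERSION_RE.match(version.strip())
    if not m:
        raise ValueError(f"unrecognised PAN-OS version string: {version!r}")
    major, minor, maint, hotfix = m.groups()
    return int(major), int(minor), int(maint), int(hotfix or 0)


def _fix_table(fixed: List[str]) -> Dict[Tuple[int, int, int], int]:
    """Map each maintenance release (major, minor, maint) to its fixing hotfix number."""
    table: Dict[Tuple[int, int, int], int] = {}
    for v in fixed:
        major, minor, maint, hotfix = parse_version(v)
        table[(major, minor, maint)] = hotfix
    return table


FIX_TABLE = _fix_table(FIXED_RELEASES)


def assess(version: str) -> str:
    """Classify one PAN-OS version: 'not affected', 'fixed', 'vulnerable' or 'unknown'.

    The comparison is made per maintenance release, so 10.2.8-h2 is reported
    as vulnerable although it is numerically newer than the fixed 10.2.7-h8.
    """
    major, minor, maint, hotfix = parse_version(version)
    if (major, minor) not in AFFECTED_TRAINS:
        return "not affected"
    fixing_hotfix = FIX_TABLE.get((major, minor, maint))
    if fixing_hotfix is None:
        # Affected train, but the advisory lists no fixing hotfix for this release.
        return "unknown"
    return "fixed" if hotfix >= fixing_hotfix else "vulnerable"


def assess_inventory(lines: List[str]) -> List[Tuple[str, str, str]]:
    """Run assess() over 'hostname,version' lines; returns (host, version, status)."""
    results = []
    for line in lines:
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        host, version = (part.strip() for part in line.split(",", 1))
        results.append((host, version, assess(version)))
    return results


# Constructed inventory (hypothetical hostnames, not real devices).
SAMPLE_INVENTORY = [
    "# host,pan-os version",
    "fw-edge-01,10.2.8-h2",
    "fw-edge-02,10.2.8-h3",
    "fw-dc-01,11.1.2",
    "fw-branch-07,10.1.11-h4",
]

if __name__ == "__main__":
    for host, version, status in assess_inventory(SAMPLE_INVENTORY):
        print(f"{host:14} {version:12} {status}")
```

An "unknown" result means the device is on an affected train but on a maintenance release the advisory does not list; treat it as needing manual confirmation against the vendor's current fix list rather than as safe.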

As part of its emerging vulnerabilities service, Tarlogic proactively monitors the perimeter of its clients to report, detect, and urgently notify of the presence of this vulnerability, as well as other critical threats that could have a serious impact on the security of their assets.

Indicators of compromise

Active exploitation of this vulnerability has been detected; upon compromise, the attacker installs a backdoor that has been named UPSTYLE.

Among the backdoor's several layers, the main one deploys a Python script called update.py, whose SHA-256 hash is given below:

SHA-256:

3de2a4392b8715bad070b2ae12243f166ead37830f7c6d24e778985927f9caac

This file has been observed being served from the following origins, although it may also be found at others:

  • 144.172.79[.]92
  • nhdata.s3-us-west-2.amazonaws[.]com
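A defender working from the indicators above needs two checks: hashing files on a suspect device against the published update.py SHA-256, and searching firewall or proxy logs for the two origins. The script below is an added example, not code from Tarlogic or Palo Alto Networks. The hash and the indicators are the ones published in this post; the refanging helper, the bounded matching (so that `144.172.79.92` does not match `144.172.79.921`) and the key=value log lines are assumptions constructed for illustration.

```python
import hashlib
import os
import re
from typing import Iterator, List, Tuple

# Indicators as published in the advisory, kept in defanged form so they are
# never accidentally resolved or followed while handling the script.
UPSTYLE_UPDATE_PY_SHA256 = "3de2a4392b8715bad070b2ae12243f166ead37830f7c6d24e778985927f9caac"
DEFANGED_INDICATORS = [
    "144.172.79[.]92",
    "nhdata.s3-us-west-2.amazonaws[.]com",
]


def refang(ioc: str) -> str:
    """Restore the literal value from the defanged advisory form."""
    return ioc.replace("[.]", ".").replace("hxxp", "http")


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def matches_upstyle_hash(data: bytes) -> bool:
    """True if the bytes hash to the published update.py SHA-256."""
    return sha256_hex(data) == UPSTYLE_UPDATE_PY_SHA256


def find_hash_matches(root: str) -> Iterator[str]:
    """Walk a directory tree and yield paths whose SHA-256 equals the indicator."""
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            path = os.path.join(dirpath, name)
            digest = hashlib.sha256()
            try:
                with open(path, "rb") as fh:
                    # Stream in 1 MiB chunks so large files do not need to fit in memory.
                    for chunk in iter(lambda: fh.read(1 << 20), b""):
                        digest.update(chunk)
            except OSError:
                continue  # unreadable or vanished file: skip, do not abort the sweep
            if digest.hexdigest() == UPSTYLE_UPDATE_PY_SHA256:
                yield path


def _indicator_pattern(ioc: str) -> "re.Pattern[str]":
    # Bound the match so 144.172.79.92 does not hit 144.172.79.921 or 1144.172.79.92.
    return re.compile(r"(?<![\w.])" + re.escape(ioc) + r"(?!\w|\.\w)")


def find_indicator_hits(log_lines: List[str], indicators=DEFANGED_INDICATORS) -> List[Tuple[int, str]]:
    """Return (line number, indicator) for every log line containing a refanged indicator."""
    patterns = [(refang(i), _indicator_pattern(refang(i))) for i in indicators]
    hits: List[Tuple[int, str]] = []
    for n, line in enumerate(log_lines, 1):
        for ioc, pat in patterns:
            if pat.search(line):
                hits.append((n, ioc))
    return hits


# Constructed log lines (not real traffic) in a generic key=value style.
SAMPLE_LOG = [
    "2024-04-13T02:11:08Z traffic src=10.0.5.12 dst=144.172.79.92 dport=443 action=allow",
    "2024-04-13T02:11:09Z url host=nhdata.s3-us-west-2.amazonaws.com path=/update.py action=allow",
    "2024-04-13T02:12:40Z traffic src=10.0.5.12 dst=144.172.79.921 dport=443 action=allow",
]

if __name__ == "__main__":
    for n, ioc in find_indicator_hits(SAMPLE_LOG):
        print(f"line {n}: {ioc}")
```

Because the post notes that the file may be served from origins other than the two listed, a hash hit from `find_hash_matches` is the stronger signal; an absence of log hits for these two origins does not rule out compromise.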

References

  • https://unit42.paloaltonetworks.com/cve-2024-3400/
  • https://www.volexity.com/blog/2024/04/12/zero-day-exploitation-of-unauthenticated-remote-code-execution-vulnerability-in-globalprotect-cve-2024-3400/