Exploit
CVE-2024-3400

Improper Neutralization of Special Elements used in a Command ('Command Injection') (CWE-77)

Published: Apr 12, 2024 / Updated: 7mo ago

CVSS: 10 | EPSS: 96.47% | Critical

Summary

A command injection vulnerability exists in the GlobalProtect feature of Palo Alto Networks PAN-OS software for specific PAN-OS versions (10.2, 11.0, and 11.1) and distinct feature configurations. This vulnerability allows an unauthenticated attacker to execute arbitrary code with root privileges on the firewall. Cloud NGFW, Panorama appliances, Prisma Access, and all other versions of PAN-OS are not affected by this vulnerability.

Impact

This vulnerability is extremely severe, with the highest possible CVSS base score of 10.0. An unauthenticated attacker could fully compromise the firewall and gain complete control over it with root privileges. The potential impacts include:

1. Theft of sensitive data
2. Disruption of network operations
3. Using the compromised device as a launchpad for further attacks

The vulnerability affects confidentiality, integrity, and availability, all with HIGH impact. The attack vector is through the network, requires low complexity, and needs no user interaction, making it particularly dangerous. Multiple proof-of-concept exploits are available, and the vulnerability is actively being exploited in the wild.

Exploitation

Multiple proof-of-concept exploits are available on paloaltonetworks.com, volexity.com, and github.com. The vulnerability is actively being exploited in the wild and was added to the CISA Known Exploited Vulnerabilities list. Its exploitation has been reported by various sources, including helpnetsecurity.com and paloaltonetworks.com. Malware such as Pantegana (source: Newswires), Spark (source: Newswires), redtail (source: Security Boulevard), and UPSTYLE (source: The Hacker News) is known to have weaponized this vulnerability. Threat actors including Fox Kitten (source: ComputerWeekly.com), Lazarus Group (source: Blog), and UTA0218 (source: Ars Technica) have reportedly exploited this vulnerability.

Patch

Fixes for PAN-OS versions 10.2, 11.0, and 11.1 are in development and are expected to be released by April 14, 2024. It is crucial to apply these patches as soon as they become available.

Mitigation

While waiting for the patches to be released, the following mitigation steps are recommended:

1. Restrict access to the GlobalProtect interface to trusted networks only.
2. Implement strict network segmentation to limit exposure.
3. Monitor for any suspicious activities or unauthorized access attempts.
4. Keep systems and software up to date with the latest security patches.
5. Consider temporarily disabling the GlobalProtect feature if it is not critical for operations, until the patch is available and applied.

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H

Timeline

Exploitation in the Wild

Attacks in the wild have been reported by inthewild.io.

Apr 12, 2024 at 12:00 AM / inthewild.io
Exploitation in the Wild

Attacks in the wild have been reported by CISA Known Exploited Vulnerability.

Apr 12, 2024 at 6:25 AM / CISA Known Exploited Vulnerability
Detection in Vulnerability Scanners

Detection for the vulnerability has been added to Qualys (731378)

Apr 12, 2024 at 7:53 AM
CVE Assignment

NVD published the first details for CVE-2024-3400

Apr 12, 2024 at 8:15 AM
First Article

Feedly found the first article mentioning CVE-2024-3400. See article

Apr 12, 2024 at 8:21 AM / Help Net Security
Exploitation in the Wild

Attacks in the wild have been reported by Help Net Security. See article

Apr 12, 2024 at 8:21 AM / Help Net Security
EPSS

EPSS Score was set to: 0.04% (Percentile: 8%)

Apr 12, 2024 at 9:37 AM
Detection in Vulnerability Scanners

Detection for the vulnerability has been added to Nessus (193255)

Apr 12, 2024 at 1:15 PM
Threat Intelligence Report

The critical command injection vulnerability CVE-2024-3400 in Palo Alto Networks PAN-OS software allows unauthenticated attackers to execute code with root privileges on the firewall, with a CVSS score of 10.0. Palo Alto Networks and Unit 42 are actively tracking this vulnerability and collaborating with researchers, partners, and customers to share information and provide protections and mitigations. Customers can refer to Palo Alto Networks' security advisory for guidance on mitigating the vulnerability, and the Next-Generation Firewall with Advanced Threat Prevention subscription can help block exploitation via a specific Threat Prevention signature. See article

Apr 12, 2024 at 5:01 PM

Affected Systems

Paloaltonetworks/pan-os

Exploits

https://unit42.paloaltonetworks.com/cve-2024-3400/

Proof Of Exploit

https://www.cisa.gov/known-exploited-vulnerabilities-catalog

Patches

security.paloaltonetworks.com

Links to Malware Families

UPSTYLE

Links to Threat Actors

UTA0218

Links to Mitre Att&cks

T1562.003: Impair Command History Logging

Attack Patterns

CAPEC-136: LDAP Injection

References

Operation Diplomatic Specter: An Active Chinese Cyberespionage Campaign Leverages Rare Tool Set to Target Governmental Entities in the Middle East, Africa and Asia
Our investigation revealed strong connections and overlaps that tie the group behind Operation Diplomatic Specter to the Chinese nexus of espionage-focused threat actors. The tactics observed as part of this campaign show the extent to which Chinese state-aligned threat actors attempt to gather information about affairs beyond the Asian region, even extending into the Middle East and Africa.
Vulnerability Protection for CVE-2024-3400
TL;DR: ensure you are applying Vulnerability Prevention to web-browsing traffic hitting your GP portal interface if you rely on the intrazone-default allow. Because of the default intrazone-default rule, this traffic was permitted without Threat Prevention being applied.
Re: Slow GlobalProtect on PA-1410
Users will connect to GP, go to the file server, go to open an Excel file and you'll see Excel saying it is opening a file and watch the percentage go up. Watching the GP adapter in Windows task manager will never see usage more than 25mbit.

News

Palo Alto Networks zero-day firewall flaws caused by basic dev mistakes
Palo Alto issued an advisory earlier this month warning customers it was investigating reports of a potential remote code execution (RCE) vulnerability in the PAN-OS web-based management interface and advised them to follow the recommended steps to secure access to that interface. When combined, the flaws allow attackers to execute malicious code with the highest possible privileges on the underlying PAN-OS operating system, taking full control of the devices.
Palo Alto Networks zero-day firewall flaws caused by basic dev mistakes
Attackers are chaining two flaws in the wild to bypass authentication and escalate privileges via the PAN-OS management web interface to gain root privileges on Palo Alto Networks firewalls. Palo Alto issued an advisory earlier this month warning customers it was investigating reports of a potential remote code execution (RCE) vulnerability in the PAN-OS web-based management interface and advised them to follow the recommended steps to secure access to that interface.
2 Palo Alto Networks zero-day vulnerabilities under attack
Palo Alto Networks warned that attackers are now exploiting two zero-day vulnerabilities in its firewall management interfaces that could allow threat actors to gain highly privileged access. In research published on Monday, Palo Alto Networks' Unit 42 detailed an investigation into ongoing attacks against two zero-day vulnerabilities in its web management interface.
Pots and Pans, AKA an SSLVPN - Palo Alto PAN-OS CVE-2024-0012 and CVE-2024-9474
Looking at the script, it appears that this header simply disables checking authentication - a totally normal and sensible thing to do in a hardened web appliance, obviously. We spent quite some time looking through the nginx config, Apache config, and the PHP scripts themselves to figure out why this was happening, and after a lot of effort we discovered the entry point to the PHP application is actually intended to be another, totally different PHP script.
Palo Alto Networks confirms mystery zero day now exploited: No patch, no CVE
The incident comes after an unknown threat actor was seen touting a Palo Alto Networks zero day on exploit forums – with the US-based security vendor on November 11 urging customers to pull their management interfaces off the public internet or restrict them to known IP addresses. This represents the third major vulnerability affecting Palo Alto Networks products under active exploitation this year, after CVE-2024-3400 and CVE-2024-5910 were also abused to target the firm’s customers.

CVSS V3.1

Attack Vector:Network
Attack Complexity:Low
Privileges Required:None
User Interaction:None
Scope:Changed
Confidentiality:High
Integrity:High
Availability Impact:High
