Now on Demand: Threat Detection and Incident Response (TDIR) Summit - All Sessions Available
Connect with us

Hi, what are you looking for?

SecurityWeekSecurityWeek

Malware & Threats

Thousands of Palo Alto Firewalls Potentially Impacted by Exploited Vulnerability 

Shadowserver has identified roughly 6,000 internet-accessible Palo Alto Networks firewalls potentially vulnerable to CVE-2024-3400.

Palo Alto Networks

There are roughly 6,000 internet-accessible Palo Alto Networks firewalls potentially affected by a recently addressed exploited vulnerability, the Shadowserver Foundation reports.

Palo Alto Networks disclosed the flaw on April 12 and started rolling out patches a couple of days later. The issue had been targeted by state-sponsored threat actors and its exploitation surged last week, as proof-of-concept (PoC) code was published.

The issue, tracked as CVE-2024-3400 (CVSS score of 10/10), is described as a command injection in the GlobalProtect feature of PAN-OS, the operating system running on Palo Alto Networks’ appliances.

According to the vendor’s updated advisory, the flaw is rooted in an arbitrary file creation defect and, under specific conditions, can be exploited without authentication to execute arbitrary code with root privileges on a vulnerable firewall.

Initially, Palo Alto Networks said that only appliances with the GlobalProtect gateway feature configured and device telemetry enabled are vulnerable, and recommended disabling device telemetry as a mitigation.

The revised version of the advisory, however, removes the device telemetry mentions and points out that disabling the feature is no longer considered an effective mitigation.

“Device telemetry does not need to be enabled for PAN-OS firewalls to be exposed to attacks related to this vulnerability,” the vendor notes.

In an April 19 blog post, Palo Alto Networks explained that CVE-2024-3400 was rooted in two PAN-OS flaws leading to unauthenticated remote shell command execution when combined.

Advertisement. Scroll to continue reading.

The first bug existed because the GlobalProtect service failed to sufficiently validate the session ID format before storage, allowing an attacker to send a crafted shell command and create an empty file with an embedded command as the filename.

The second issue was that the OS trusted that the file was system-generated, leading to a scheduled system job to use the filename in a command, thus executing the attacker-supplied command with elevated privileges.

While the successful exploitation of the first bug would only lead to the creation of an empty file with a specific filename, the exploitation of the second would allow attackers to steal sensitive information or deploy malware.

“A highly sophisticated threat actor discovered that by uniquely combining the two bugs, they could perform a two-stage attack to achieve command execution on the vulnerable device,” Palo Alto Networks says.

The vendor recommended disabling device telemetry as it prevented the system cron job from running, thus preventing the command execution, but later discovered additional methods of exploiting CVE-2024-3400 that did not require telemetry to be enabled.

“The fix effectively removes the two problems in code that enabled this vulnerability to manifest. First, the session IDs are sufficiently validated before being stored. Then, the code that enabled command injection was rewritten using defensive programming techniques,” Palo Alto Networks says.

The company also notes that Threat Prevention signatures released on April 11 could fully block all known suspicious patterns in session IDs, and that roughly 90% of its customers have applied the mitigation.

On Friday, Shadowserver Foundation said it had observed more than 22,000 potentially vulnerable Palo Alto Networks GlobalProtect instances connected to the internet. As of April 21, data from the security organization shows roughly 6,000 potentially vulnerable instances.

Related: Thousands of Ivanti VPN Appliances Impacted by Recent Vulnerability

Related: Recent Fortinet FortiClient EMS Vulnerability Exploited in Attacks

Related: Recent Zero-Day Could Impact Up to 97,000 Microsoft Exchange Servers

Written By

Ionut Arghire is an international correspondent for SecurityWeek.

Trending

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Join the session as we discuss the challenges and best practices for cybersecurity leaders managing cloud identities.

Register

The AI Risk Summit brings together security and risk management executives, AI researchers, policy makers, software developers and influential business and government stakeholders.

Register

People on the Move

Fastly announced that Scott Lovett will join the company as Chief Revenue Officer, effective June 3, 2024.

Digital transformation consulting firm Synechron has hired Aaron Momin as CISO.

Wendy Zheng named as CFO and Joe Diamond as CMO at cyber asset management firm Axonius.

More People On The Move

Expert Insights