=====================================================================
CERT-Renater Information Note No. 2024/VULN191
_____________________________________________________________________
DATE                 : 12/04/2024
HARDWARE PLATFORM(S) : /
OPERATING SYSTEM(S)  : PAN-OS versions prior to 11.1.2-h3, 11.0.4-h1, 10.2.9-h1.
=====================================================================

https://security.paloaltonetworks.com/CVE-2024-3400
_____________________________________________________________________

Palo Alto Networks Security Advisories / CVE-2024-3400

CVE-2024-3400 PAN-OS: OS Command Injection Vulnerability in GlobalProtect Gateway

Severity                    10 · CRITICAL
Urgency                     HIGHEST
Response Effort             MODERATE
Recovery                    USER
Value Density               CONCENTRATED
Attack Vector               NETWORK
Attack Complexity           LOW
Attack Requirements         NONE
Automatable                 YES
User Interaction            NONE
Product Confidentiality     HIGH
Product Integrity           HIGH
Product Availability        HIGH
Privileges Required         NONE
Subsequent Confidentiality  HIGH
Subsequent Integrity        HIGH
Subsequent Availability     HIGH

NVD JSON
Published   2024-04-12
Updated     2024-04-12
Reference   PAN-252214
Discovered in production use

Description

A command injection vulnerability in the GlobalProtect feature of Palo Alto Networks PAN-OS software for specific PAN-OS versions and distinct feature configurations may enable an unauthenticated attacker to execute arbitrary code with root privileges on the firewall.

Fixes for PAN-OS 10.2, PAN-OS 11.0, and PAN-OS 11.1 are in development and are expected to be released by April 14, 2024.

Cloud NGFW, Panorama appliances, and Prisma Access are not impacted by this vulnerability. All other versions of PAN-OS are also not impacted.
Product Status

Versions         Affected        Unaffected
Cloud NGFW       None            All
PAN-OS 11.1      < 11.1.2-h3     >= 11.1.2-h3 (ETA: By 4/14)
PAN-OS 11.0      < 11.0.4-h1     >= 11.0.4-h1 (ETA: By 4/14)
PAN-OS 10.2      < 10.2.9-h1     >= 10.2.9-h1 (ETA: By 4/14)
PAN-OS 10.1      None            All
PAN-OS 10.0      None            All
PAN-OS 9.1       None            All
PAN-OS 9.0       None            All
Prisma Access    None            All

Required Configuration for Exposure

This issue is applicable only to PAN-OS 10.2, PAN-OS 11.0, and PAN-OS 11.1 firewalls with the configurations for both GlobalProtect gateway and device telemetry enabled. You can verify whether you have a GlobalProtect gateway configured by checking for entries in your firewall web interface (Network > GlobalProtect > Gateways) and verify whether you have device telemetry enabled by checking your firewall web interface (Device > Setup > Telemetry).

Severity: CRITICAL
CVSSv4.0 Base Score: 10 (CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/AU:Y/R:U/V:C/RE:M/U:Red)

Exploitation Status

Palo Alto Networks is aware of a limited number of attacks that leverage the exploitation of this vulnerability.

Weakness Type

CWE-77 Improper Neutralization of Special Elements used in a Command ('Command Injection')

Solution

This issue will be fixed in hotfix releases of PAN-OS 10.2.9-h1 (ETA: By 4/14), PAN-OS 11.0.4-h1 (ETA: By 4/14), and PAN-OS 11.1.2-h3 (ETA: By 4/14), and in all later PAN-OS versions.

Workarounds and Mitigations

Recommended Mitigation: Customers with a Threat Prevention subscription can block attacks for this vulnerability by enabling Threat ID 95187 (introduced in Applications and Threats content version 8833-8682). In addition to enabling Threat ID 95187, customers must ensure vulnerability protection has been applied to their GlobalProtect interface to prevent exploitation of this issue on their device. Please see https://live.paloaltonetworks.com/t5/globalprotect-articles/applying-vulnerability-protection-to-globalprotect-interfaces/ta-p/340184 for more information.
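As an added example (not part of the CERT-Renater note or the Palo Alto advisory), the following Python helper encodes the Product Status table and the "Required Configuration for Exposure" condition above, so a firewall inventory can be sorted into exposed, vulnerable-version-only, and not-affected. The hostnames and inventory rows are constructed sample data.

```python
import re

# First fixed hotfix per affected release train, as (maintenance, hotfix),
# taken from the advisory's Product Status table.
FIXED_IN = {
    (10, 2): (9, 1),  # PAN-OS 10.2.9-h1
    (11, 0): (4, 1),  # PAN-OS 11.0.4-h1
    (11, 1): (2, 3),  # PAN-OS 11.1.2-h3
}
_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:-h(\d+))?$")

def parse_version(version):
    """Split 'major.minor.maint[-hN]' into a comparable tuple; no hotfix counts as h0."""
    m = _VERSION_RE.match(version.strip())
    if not m:
        raise ValueError(f"unrecognised PAN-OS version string: {version!r}")
    major, minor, maint, hotfix = m.groups()
    return (int(major), int(minor), int(maint), int(hotfix or 0))

def version_vulnerable(version):
    """True when the version falls inside an 'Affected' range of the table."""
    major, minor, maint, hotfix = parse_version(version)
    fix = FIXED_IN.get((major, minor))
    if fix is None:
        return False  # 9.0, 9.1, 10.0, 10.1 and every other train: not impacted
    return (maint, hotfix) < fix

def assess(version, gp_gateway_configured, telemetry_enabled):
    """Combine the version check with the exposure condition (GP gateway + telemetry)."""
    if not version_vulnerable(version):
        return "not affected"
    if gp_gateway_configured and telemetry_enabled:
        return "EXPOSED"  # upgrade; meanwhile Threat ID 95187 or disable telemetry
    return "vulnerable version, exposure condition not met"

def triage(inventory):
    """inventory: iterable of (hostname, version, gp_gateway, telemetry) rows."""
    return {host: assess(ver, gp, tel) for host, ver, gp, tel in inventory}

# Constructed sample inventory (hostnames and versions are made up for illustration).
SAMPLE_INVENTORY = [
    ("fw-edge-01", "11.1.2-h2", True, True),
    ("fw-edge-02", "11.1.2-h3", True, True),
    ("fw-dc-01", "10.2.9", True, False),
    ("fw-lab-01", "10.1.11", True, True),
]

if __name__ == "__main__":
    for host, verdict in triage(SAMPLE_INVENTORY).items():
        print(f"{host:12} {verdict}")
```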
If you are unable to apply the Threat Prevention based mitigation at this time, you can still mitigate the impact of this vulnerability by temporarily disabling device telemetry until the device is upgraded to a fixed PAN-OS version. Once upgraded, device telemetry should be re-enabled on the device. Please see the following page for details on how to temporarily disable device telemetry: https://docs.paloaltonetworks.com/pan-os/11-0/pan-os-admin/device-telemetry/device-telemetry-configure/device-telemetry-disable.

Acknowledgments

Palo Alto Networks thanks Volexity for detecting and identifying this issue.

Frequently Asked Questions

Q. Has this issue been exploited in the wild?
Palo Alto Networks is aware of a limited number of attacks that leverage the exploitation of this vulnerability.

Q. Has my device been compromised by this vulnerability?
Customers are able to open a case in the Customer Support Portal (CSP) and upload a technical support file (TSF) to determine if their device logs match known indicators of compromise (IoC) for this vulnerability.

Timeline

2024-04-12 Initial publication

=========================================================
+ CERT-RENATER       | tel : 01-53-94-20-44           +
+ 23/25 Rue Daviel   | fax : 01-53-94-20-41           +
+ 75013 Paris        | email: cert@support.renater.fr +
=========================================================