======================================================================

                                CERT-Renater

                   Note d'Information No. 2024/VULN201
_____________________________________________________________________

DATE                : 17/04/2024

HARDWARE PLATFORM(S): /

OPERATING SYSTEM(S): PAN-OS versions prior to 11.1.0-h3, 11.1.1-h1,
                      11.1.2-h3, 11.0.2-h4, 11.0.3-h10, 11.0.4-h1,
               10.2.5-h6, 10.2.6-h3, 10.2.7-h8, 10.2.8-h3, 10.2.9-h1.

=====================================================================
https://securityadvisories.paloaltonetworks.com/CVE-2024-3400
_____________________________________________________________________

CVE-2024-3400 PAN-OS: OS Command Injection Vulnerability in
GlobalProtect
047910

Severity 10 · CRITICAL

Urgency HIGHEST
Response Effort MODERATE
Recovery USER
Value Density CONCENTRATED
Attack Vector NETWORK
Attack Complexity LOW
Attack Requirements NONE
Automatable YES
User Interaction NONE
Product Confidentiality HIGH
Product Integrity HIGH
Product Availability HIGH
Privileges Required NONE
Subsequent Confidentiality HIGH
Subsequent Integrity HIGH
Subsequent Availability HIGH

Published 2024-04-12
Updated 2024-04-17
Reference PAN-252214
Discovered in production use


Description

A command injection vulnerability in the GlobalProtect feature of
Palo Alto Networks PAN-OS software for specific PAN-OS versions and
distinct feature configurations may enable an unauthenticated
attacker to execute arbitrary code with root privileges on the
firewall.

Cloud NGFW, Panorama appliances, and Prisma Access are not impacted
by this vulnerability.

Customers should continue to monitor this security advisory for the
latest updates and product guidance.

Product Status

Versions        Affected         Unaffected

Cloud NGFW 	None	All

PAN-OS 11.1	< 11.1.0-h3, < 11.1.1-h1, < 11.1.2-h3	
       >= 11.1.0-h3, >= 11.1.1-h1, >= 11.1.2-h3

PAN-OS 11.0	< 11.0.2-h4, < 11.0.3-h10, < 11.0.4-h1
       >= 11.0.2-h4, >= 11.0.3-h10, >= 11.0.4-h1 (See
        additional hotfixes in Solution section)

PAN-OS 10.2	< 10.2.5-h6, < 10.2.6-h3, < 10.2.7-h8,
< 10.2.8-h3, < 10.2.9-h1
       >= 10.2.5-h6, >= 10.2.6-h3, >= 10.2.7-h8, >= 10.2.8-h3, >= 
10.2.9-h1 (See additional hotfixes
in Solution section)

PAN-OS 10.1	None	All

PAN-OS 10.0	None	All

PAN-OS 9.1	None	All

PAN-OS 9.0	None	All

Prisma Access 	None	All


Required Configuration for Exposure

This issue is applicable only to PAN-OS 10.2, PAN-OS 11.0, and PAN-OS
11.1 firewalls configured with GlobalProtect gateway or GlobalProtect
portal (or both). Device telemetry does not need to be enabled for
PAN-OS firewalls to be exposed to attacks related to this
vulnerability.

You can verify whether you have a GlobalProtect gateway or
GlobalProtect portal configured by checking for entries in your
firewall web interface (Network > GlobalProtect > Gateways or
Network > GlobalProtect > Portals).


Severity: CRITICAL

CVSSv4.0 Base Score: 10
(CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/AU:Y/R:U/V:C/RE:M/U:Red)


Exploitation Status

Palo Alto Networks is aware of an increasing number of attacks that
leverage the exploitation of this vulnerability. Proof of concepts
for this vulnerability have been publicly disclosed by third parties.

More information about the vulnerability's exploitation in the wild
can be found in the Unit 42 threat brief:
https://unit42.paloaltonetworks.com/cve-2024-3400/.

Weakness Type

CWE-77 Improper Neutralization of Special Elements used in a Command
('Command Injection')


Solution

We strongly advise customers to immediately upgrade to a fixed version
of PAN-OS to protect their devices even when workarounds and
mitigations have been applied.

This issue is fixed in hotfix releases of PAN-OS 10.2.9-h1,
PAN-OS 11.0.4-h1, PAN-OS 11.1.2-h3, and in all later PAN-OS versions.
Hotfixes for other commonly deployed maintenance releases will also
be made available to address this issue. Please see details below
for ETAs regarding the upcoming hotfixes.

PAN-OS 10.2:
- 10.2.9-h1 (Released 4/14/24)
- 10.2.8-h3 (Released 4/15/24)
- 10.2.7-h8 (Released 4/15/24)
- 10.2.6-h3 (Released 4/16/24)
- 10.2.5-h6 (Released 4/16/24)
- 10.2.3-h13 (ETA: 4/17/24)
- 10.2.1-h2 (ETA: 4/17/24)
- 10.2.2-h5 (ETA: 4/18/24)
- 10.2.0-h3 (ETA: 4/18/24)
- 10.2.4-h16 (ETA: 4/19/24)

PAN-OS 11.0:
- 11.0.4-h1 (Released 4/14/24)
- 11.0.3-h10 (Released 4/16/24)
- 11.0.2-h4 (Released 4/16/24)
- 11.0.1-h4 (ETA: 4/17/24)
- 11.0.0-h3 (ETA: 4/18/24)

PAN-OS 11.1:
- 11.1.2-h3 (Released 4/14/24)
- 11.1.1-h1 (Released 4/16/24)
- 11.1.0-h3 (Released 4/16/24)


Workarounds and Mitigations

Recommended Mitigation: Customers with a Threat Prevention
subscription can block attacks for this vulnerability using Threat
IDs 95187, 95189, and 95191 (available in Applications and Threats
content version 8836-8695 and later). Please monitor this advisory
and new Threat Prevention content updates for additional Threat
Prevention IDs around CVE-2024-3400.

To apply the Threat IDs, customers must ensure that vulnerability
protection has been applied to their GlobalProtect interface to
prevent exploitation of this issue on their device. Please see
https://live.paloaltonetworks.com/t5/globalprotect-articles/applying-vulnerability-protection-to-globalprotect-interfaces/ta-p/340184
for more information.

In earlier versions of this advisory, disabling device telemetry was
listed as a secondary mitigation action. Disabling device telemetry
is no longer an effective mitigation. Device telemetry does not need
to be enabled for PAN-OS firewalls to be exposed to attacks related
to this vulnerability.


Acknowledgments
Palo Alto Networks thanks Volexity for detecting and identifying
this issue.


Frequently Asked Questions
Q. Has this issue been exploited in the wild?

     Palo Alto Networks is aware of an increasing number of attacks
that leverage the exploitation of this vulnerability. Proof of
concepts for this vulnerability have been publicly disclosed by
third parties.

Q. Are there any checks I can run on my device to look for indicators
of exploit activity?

     The following command can be used from the PAN-OS CLI to help
identify indicators of exploit activity on the device:
     grep pattern "failed to unmarshal session(.\+.\/" mp-log gpsvc.log*

     Benign "failed to unmarshal session" error logs typically appear
like the following entry:
     "message":"failed to unmarshal 
session(01234567-89ab-cdef-1234-567890abcdef)"

     If the value between "session(" and ")" does not look like a GUID
(the format shown above), but instead contains a file system path,
this indicates the need for further investigation and the log entry
could be related to the successful or unsuccessful exploitation of
CVE-2024-3400.

Q. Has my device been compromised by this vulnerability?

     Customers are able to open a case in the Customer Support Portal
(CSP) and upload a technical support file (TSF) to determine if
their device logs match known indicators of compromise (IoC) for this
vulnerability.

Q. Where can I find additional indicators of compromise for this issue?

     Please refer to the Unit42 Threat Brief
(https://unit42.paloaltonetworks.com/cve-2024-3400/) and the Volexity
blog post 
(https://www.volexity.com/blog/2024/04/12/zero-day-exploitation-of-unauthenticated-remote-code-execution-vulnerability-in-globalprotect-cve-2024-3400/)
for the latest information.

Q. Are VMs deployed and managed by customers in the cloud impacted?

     While Cloud NGFW firewalls are not impacted, specific PAN-OS
versions and distinct feature configurations of firewall VMs deployed
and managed by customers in the cloud are impacted.


Timeline
2024-04-17
Added new Threat Prevention Threat ID to Workarounds and Mitigations

2024-04-17
Added a CLI command to search for possible indicators of exploit
activity

2024-04-16
Updated product and mitigation guidance, exploit status, and PAN-OS
fix availability

2024-04-15
PAN-OS fixes are now available and more fixes on the way, clarified
Workarounds and Mitigations when using Panorama templates

2024-04-14
Clarified impact on GlobalProtect portal configurations

2024-04-13
Added link to Unit42 threat brief and clarified impact to
customer-managed VMs in the cloud

2024-04-12
Initial publication

=========================================================
+ CERT-RENATER        |    tel : 01-53-94-20-44         +
+ 23/25 Rue Daviel    |    fax : 01-53-94-20-41         +
+ 75013 Paris         |   email:cert@support.renater.fr +
=========================================================