Exploit Code Released for Critical PAN-OS Vulnerability, Immediate Patching Urged

April 16, 2024

Exploit code for a high-risk vulnerability in Palo Alto Networks' PAN-OS firewall software is now publicly available. The vulnerability, tracked as CVE-2024-3400, is a command injection flaw that allows unauthenticated threat actors to execute arbitrary code as root. It affects PAN-OS 10.2, PAN-OS 11.0, and PAN-OS 11.1 firewalls when both device telemetry and the GlobalProtect gateway or portal feature are enabled.

Palo Alto Networks has begun rolling out hotfixes to secure exposed firewalls. However, the vulnerability has been exploited in the wild since March 26th to backdoor firewalls with the Upstyle malware, pivot into internal networks, and steal data. The group behind these attacks, tracked as UTA0218, is believed to be state-sponsored.

Shadowserver, a security threat monitoring platform, reports seeing more than 156,000 PAN-OS firewall instances on the Internet daily, although it does not specify how many of these are vulnerable. Threat researcher Yutaka Sejiyama found over 82,000 firewalls vulnerable to CVE-2024-3400 attacks on Friday, 40% of which were located in the United States.

WatchTowr Labs released a detailed analysis of the vulnerability and a proof-of-concept exploit that can execute shell commands on unpatched firewalls, one day after Palo Alto Networks began releasing hotfixes for CVE-2024-3400. 'As we can see, we inject our command injection payload into the SESSID cookie value - which, when a Palo Alto GlobalProtect appliance has telemetry enabled - is then concatenated into a string and ultimately executed as a shell command,' WatchTowr Labs stated. Justin Elze, TrustedSec's Chief Technology Officer, also shared an exploit seen in real attacks that allows attackers to download the firewall's configuration file.
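As an added detection example (not from the article, WatchTowr Labs, or Palo Alto Networks): because the quote above states that the SESSID cookie value is concatenated into a shell command string, a cheap defender-side check is to flag any request whose SESSID value is not an opaque session token. The log layout, request paths, and cookie values below are constructed for this example and must be adapted to your own log source.

```python
import re
from typing import Dict, List

# Constructed sample request log lines, not taken from the article or from any
# real firewall. The "METHOD PATH Cookie: ..." layout is an assumption made for
# this example; adjust REQUEST_LINE to match your actual log format.
SAMPLE_LOG = """\
GET /vpn/login Cookie: SESSID=7f3a9c2e1b4d5e6f7a8b9c0d1e2f3a4b
POST /vpn/report Cookie: lang=en; SESSID=0123456789abcdef0123456789abcdef
POST /vpn/report Cookie: SESSID=abc$(constructed)def
POST /vpn/report Cookie: SESSID=./../constructed;echo
GET /vpn/portal Cookie: theme=dark
"""

# A session token is expected to be an opaque identifier made of letters,
# digits, '-' and '_'. Anything else (shell metacharacters, path separators,
# whitespace) deserves a look, since the cookie value reaches a shell string.
TOKEN_CHAR = re.compile(r"[A-Za-z0-9_-]")
SAFE_SESSID = re.compile(r"^[A-Za-z0-9_-]+$")
COOKIE_SESSID = re.compile(r"(?:^|;\s*)SESSID=([^;\s]*)")
REQUEST_LINE = re.compile(r"^(\S+)\s+(\S+)\s+Cookie:\s*(.*)$")


def sessid_from_cookie_header(cookie_header: str):
    """Return the SESSID value from a Cookie header, or None if it is absent."""
    m = COOKIE_SESSID.search(cookie_header)
    return m.group(1) if m else None


def suspicious_chars(value: str) -> str:
    """Characters in the value that fall outside the expected token alphabet."""
    return "".join(sorted({c for c in value if not TOKEN_CHAR.match(c)}))


def scan_log(text: str) -> List[Dict[str, str]]:
    """Flag requests whose SESSID cookie does not look like an opaque token."""
    findings = []
    for line in text.splitlines():
        m = REQUEST_LINE.match(line)
        if not m:
            continue
        method, path, cookies = m.groups()
        sessid = sessid_from_cookie_header(cookies)
        if sessid is None or SAFE_SESSID.match(sessid):
            continue  # no SESSID, or a well-formed token: nothing to report
        findings.append({"method": method, "path": path,
                         "sessid": sessid, "bad_chars": suspicious_chars(sessid)})
    return findings


if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        print(f"ALERT {f['method']} {f['path']}: SESSID={f['sessid']!r} "
              f"contains {f['bad_chars']!r}")
```

An empty SESSID value is also flagged (with no suspicious characters listed), which is intentional: an absent token where one is expected is itself worth reviewing.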

In response to these attacks, the Cybersecurity and Infrastructure Security Agency (CISA) added CVE-2024-3400 to its Known Exploited Vulnerabilities (KEV) catalog on Friday, instructing U.S. federal agencies to secure their devices within seven days, by April 19th. As a temporary measure, administrators are advised to disable the device telemetry feature on vulnerable devices until a patch is available. Furthermore, customers with an active 'Threat Prevention' subscription can enable 'Threat ID 95187' to block ongoing attacks.
