Critical PAN-OS Flaw (CVE-2024-3400) Actively Exploited for Remote Code Execution

Palo Alto Networks PAN-OS Zero-Day Under Active Attack by State-Sponsored Hackers

CRITICAL
April 27, 2026
Categories: Vulnerability, Cyberattack, Threat Intelligence

Related Entities

Threat Actors

UTA0218

Products & Tech

PAN-OS, GlobalProtect

CVE Identifiers

CVE-2024-3400
CRITICAL
CVSS:10

Full Report

Executive Summary

In April 2024, a critical zero-day vulnerability, CVE-2024-3400, was discovered in Palo Alto Networks PAN-OS software. This command injection flaw, rated with a CVSS score of 10.0, allows an unauthenticated attacker to achieve remote code execution (RCE) with root privileges on affected firewalls. The vulnerability was found to be under active exploitation by a threat actor identified by Volexity as UTA0218, believed to be a state-sponsored group. The attackers exploited the flaw to deploy a custom backdoor, enabling them to pivot to internal networks and exfiltrate sensitive data. Due to the active exploitation and the severity of the vulnerability, organizations using affected PAN-OS versions with GlobalProtect configured are at extreme risk and must apply patches immediately.

Vulnerability Details

The vulnerability, CVE-2024-3400, is a command injection flaw within the GlobalProtect feature of PAN-OS. An unauthenticated attacker can send a specially crafted network request to a vulnerable GlobalProtect gateway or portal to execute arbitrary commands on the firewall's underlying operating system. The commands are executed with root privileges, giving the attacker complete control over the device. This allows for the installation of malware, manipulation of firewall rules, and interception of network traffic.

Affected Systems

The vulnerability impacts the following PAN-OS versions when a GlobalProtect gateway or portal has been configured:

  • PAN-OS 10.2
  • PAN-OS 11.0
  • PAN-OS 11.1

Cloud firewalls, Panorama appliances, and Prisma Access are not affected by this vulnerability. Palo Alto Networks has provided a detailed list of affected versions and hotfix releases in its security advisory.

Exploitation Status

CVE-2024-3400 is being actively exploited in the wild. The threat actor UTA0218 was observed exploiting this vulnerability to compromise networks, establish persistence, and steal data. The ease of exploitation and the high level of access it grants make it a prime target for a wide range of threat actors beyond the initial state-sponsored group. CISA has added this vulnerability to its Known Exploited Vulnerabilities (KEV) catalog, mandating federal agencies to patch by a specified deadline.

Impact Assessment

A successful exploit of CVE-2024-3400 has a catastrophic business impact. With root access to a core network security appliance, an attacker can:

  • Bypass all security controls: The firewall itself becomes a malicious insider, rendering network segmentation and access policies ineffective.
  • Exfiltrate sensitive data: Attackers can intercept and steal all traffic passing through the firewall, including credentials, intellectual property, and customer data.
  • Pivot to internal networks: The compromised firewall serves as a perfect beachhead for launching further attacks against internal servers and workstations.
  • Cause widespread disruption: Attackers can manipulate firewall rules to cause denial-of-service conditions, disrupting critical business operations.
  • Deploy ransomware: The compromised device can be used to deploy ransomware across the entire network.

IOCs — Directly from Articles

No specific Indicators of Compromise (IOCs) such as IP addresses or file hashes were provided in the source articles.

Cyber Observables — Hunting Hints

Security teams may want to hunt for the following patterns which could indicate related activity:

  • URL Pattern: /ssl-vpn/hip-report.esp. Exploitation attempts may involve crafted requests to this endpoint.
  • Process Name: sslvpn_ngx_child. Monitor for unusual child processes spawned by the GlobalProtect service process.
  • Log Source: pan_system_logs. Look for unexpected configuration changes or system-level commands being executed.
  • Network Traffic Pattern: outbound connections from the firewall's management interface to unknown IPs. Firewalls should generally not initiate outbound connections; this is a strong indicator of compromise.
  • File Path: /tmp/. Attackers often write temporary files, scripts, or tools to this directory. Monitor for new or suspicious files.
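The hunting hints above can be turned into simple checks over exported telemetry. The following is an added example, not code from the article or from Palo Alto Networks; the log formats, the management address 10.0.0.1 and the allowlisted network 10.0.5.0/24 are assumptions, and every log line is constructed.

```python
"""Hunting helper for the observables above (constructed example).
All log lines are constructed; PAN-OS system logs, NetFlow exports and
file-integrity feeds have their own formats, so the regexes are assumptions."""
import ipaddress
import re

GP_PROCESS = "sslvpn_ngx_child"     # GlobalProtect web service process (from the hints)
TMP_DIRS = ("/tmp/", "/var/tmp/")   # scratch directories named in the hints
# Environment assumptions: the firewall's management address and the only
# destinations it should initiate connections to (syslog collector, updates).
MGMT_IP = ipaddress.ip_address("10.0.0.1")
ALLOWED_DST = [ipaddress.ip_network("10.0.5.0/24")]

FLOW_RE = re.compile(r"src=(\S+) dst=(\S+)")
PROC_RE = re.compile(r"parent=(\S+) child=(\S+)")
FILE_RE = re.compile(r"event=create path=(\S+)")

# Constructed sample telemetry (not real indicators)
SAMPLE_FLOWS = [
    "2024-04-12T10:01:02Z src=10.0.0.1 dst=10.0.5.20",      # firewall -> syslog collector
    "2024-04-12T10:02:33Z src=10.0.0.1 dst=198.51.100.77",  # firewall -> unknown host
    "2024-04-12T10:02:40Z src=10.1.1.9 dst=198.51.100.77",  # a user, not the firewall
]
SAMPLE_PROCS = [
    "2024-04-12T10:02:30Z parent=sslvpn_ngx_child child=sslvpn_ngx_child",
    "2024-04-12T10:02:31Z parent=sslvpn_ngx_child child=sh",
]
SAMPLE_FILES = [
    "2024-04-12T10:02:32Z event=create path=/tmp/update.sh",
    "2024-04-12T10:02:35Z event=create path=/var/log/pan/system.log",
]

def suspicious_outbound(lines):
    """Destinations the management interface contacted outside the allowlist."""
    hits = []
    for m in filter(None, map(FLOW_RE.search, lines)):
        src, dst = ipaddress.ip_address(m[1]), ipaddress.ip_address(m[2])
        if src == MGMT_IP and not any(dst in net for net in ALLOWED_DST):
            hits.append(str(dst))
    return hits

def unexpected_children(lines):
    """Processes spawned by the GlobalProtect service other than its own workers."""
    return [m[2] for m in filter(None, map(PROC_RE.search, lines))
            if m[1] == GP_PROCESS and m[2] != GP_PROCESS]

def new_temp_files(lines):
    """File-creation events under the temporary directories from the hints."""
    return [m[1] for m in filter(None, map(FILE_RE.search, lines))
            if m[1].startswith(TMP_DIRS)]
```

Each function returns only the records worth an analyst's attention, so the three lists can be fed straight into a ticket or SIEM alert.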

Detection & Response

  • Log Analysis: Scrutinize PAN-OS logs for unusual activity related to the GlobalProtect service. Look for unexpected system commands in the command logs. Use D3FEND's Network Traffic Analysis on traffic to and from the firewall's management plane.
  • Threat Hunting: Proactively hunt for signs of compromise on your PAN-OS devices. Check for unrecognized files in common temporary directories (/tmp, /var/tmp), unexpected cron jobs, and unauthorized user accounts.
  • EDR/NDR: Ensure your Endpoint Detection and Response (EDR) and Network Detection and Response (NDR) solutions are monitoring traffic to and from the firewall. Look for anomalies such as connections to known malicious IPs or unusual data transfers.
  • Palo Alto Networks Threat Prevention: Customers with a Threat Prevention subscription can block attacks for this vulnerability by enabling Threat ID 95187.

Mitigation

  1. Patch Immediately: The primary mitigation is to apply the security updates provided by Palo Alto Networks. This is the only way to fully remediate the vulnerability. Refer to D3FEND's Software Update technique.
  2. Threat Prevention Signature: If patching is not immediately possible, enable Threat ID 95187 on your Palo Alto Networks firewall with a Threat Prevention subscription. This provides a layer of protection but is not a substitute for patching.
  3. Restrict Access: As a general best practice, restrict access to the GlobalProtect gateway to only trusted IP addresses. This can reduce the attack surface but will not protect against a determined attacker.
  4. Disable GlobalProtect: If the GlobalProtect gateway is not essential, disabling it entirely will remove the attack vector. This was an initial mitigation step suggested by Palo Alto Networks.

Timeline of Events

  1. April 12, 2024: Palo Alto Networks discloses CVE-2024-3400 and reports active exploitation by threat actor UTA0218.
  2. April 14, 2024: Palo Alto Networks begins releasing hotfixes for affected PAN-OS versions.
  3. April 27, 2026: This article was published.

MITRE ATT&CK Mitigations

  • Applying the patches released by Palo Alto Networks is the most critical step to mitigate this vulnerability.
  • Using an IPS with the correct signature (Threat ID 95187) can block known exploitation attempts.
  • Restricting access to the GlobalProtect portal to only known, trusted IP addresses reduces the attack surface.
  • Continuously monitoring firewall logs for signs of compromise is crucial for early detection.

D3FEND Defensive Countermeasures

The most critical and effective countermeasure against CVE-2024-3400 is to apply the vendor-supplied patches immediately. Organizations must prioritize the deployment of the hotfixes provided by Palo Alto Networks for all affected PAN-OS versions (10.2, 11.0, and 11.1). Given that this is an actively exploited zero-day with a CVSS score of 10.0, the patching process should be expedited through emergency change control procedures. Before deployment, test the patch in a non-production environment if possible, but the risk of exploitation far outweighs the risk of patch-related issues in this case. Verify successful installation by checking the PAN-OS version after the update. For organizations with large fleets of firewalls, utilize Panorama for centralized patch deployment to ensure consistent and rapid remediation across the entire infrastructure. This action directly closes the command injection vulnerability, preventing attackers from gaining initial access via this vector.

Implement robust Network Traffic Analysis focused on the firewall's own traffic. Since a compromised firewall can become a blind spot, it's crucial to monitor its communications using an external tool like a Network Detection and Response (NDR) solution or by analyzing NetFlow/IPFIX data. Specifically, establish a baseline of normal traffic patterns for the firewall's management and data plane interfaces. Configure alerts for any anomalous outbound connections originating from the firewall itself, especially to destinations on the public internet. Pay close attention to traffic volume, destination IP reputation, and protocol usage. For CVE-2024-3400, this is critical for detecting post-compromise activity, such as C2 communication or data exfiltration, even if the initial exploit was missed. This technique provides a vital detection layer for post-exploitation activity, helping to identify a compromised device before the attacker can achieve their ultimate objectives.

Sources & References

Top Trending CVEs of April 2024 - NopSec. NopSec (nopsec.com), April 26, 2024.

Article Author

Jason Gomes

• Cybersecurity Practitioner

Cybersecurity professional with over 10 years of specialized experience in security operations, threat intelligence, incident response, and security automation. Expertise spans SOAR/XSOAR orchestration, threat intelligence platforms, SIEM/UEBA analytics, and building cyber fusion centers. Background includes technical enablement, solution architecture for enterprise and government clients, and implementing security automation workflows across IR, TIP, and SOC use cases.

Threat Intelligence & Analysis, Security Orchestration (SOAR/XSOAR), Incident Response & Digital Forensics, Security Operations Center (SOC), SIEM & Security Analytics, Cyber Fusion & Threat Sharing, Security Automation & Integration, Managed Detection & Response (MDR)

Tags

zero-day, CVE-2024-3400, Palo Alto Networks, PAN-OS, RCE, command injection, UTA0218, firewall, GlobalProtect
