Palo Alto Networks PAN-OS Command Injection Vulnerability
CVE-2024-3400

CVSS 10 CRITICAL

Key Information:

Vendor: Palo Alto Networks
CVE Published: 12 April 2024

Badges

  • 🥇 Trended No. 1
  • 📈 Trended
  • 📈 Score: 173,000
  • 💰 Ransomware
  • 👾 Exploit Exists
  • 🟡 Public PoC
  • 🟣 EPSS 96%
  • 🦅 CISA Reported
  • 📰 News Worthy

What is CVE-2024-3400?

CVE-2024-3400 is a command injection vulnerability found in the GlobalProtect feature of Palo Alto Networks' PAN-OS software. This software is designed to protect enterprise networks through advanced firewall capabilities and secure remote access. The vulnerability allows unauthenticated attackers to execute arbitrary code with root privileges on affected firewalls, which can lead to severe security breaches within an organization. If exploited, this could enable attackers to gain control over vital network infrastructure, potentially compromising confidential data and disrupting operations.

Technical Details

The vulnerability stems from an arbitrary file creation issue in specific versions of PAN-OS, associated with configurations of the GlobalProtect feature, which provides secure access to network resources. Attackers can exploit the flaw through specially crafted requests that manipulate system commands, ultimately allowing them to run arbitrary code at the highest privilege level. Palo Alto Networks has identified the specific PAN-OS versions that are susceptible and has confirmed that Cloud NGFW, Panorama appliances, and Prisma Access are not affected.

Impact of the Vulnerability

  1. Unauthorized Remote Code Execution: The most critical impact of CVE-2024-3400 is the potential for unauthorized remote code execution. Attackers could leverage this vulnerability to execute malicious code on affected firewalls, compromising the integrity of the network.

  2. Escalation of Privileges: The nature of the vulnerability allows attackers not only to execute code but also to do so with root privileges. This level of access can facilitate further attacks within the network, enabling an escalation of privileges and broader exploitation of organizational resources.

  3. Data Breach and Operational Disruption: Exploitation of this command injection vulnerability poses a significant risk of data breaches, as sensitive information could be manipulated or exfiltrated. Moreover, gaining control of critical network infrastructure can lead to operational disruptions, impacting business continuity and reputation.

CISA Reported

CISA provides regional cyber and physical services to support security and resilience across the United States. CISA monitors the most dangerous vulnerabilities and has identified this one as being exploited, but it is not known to CISA to be used in ransomware campaigns. This is subject to change quickly, as recent news articles suggest the vulnerability is being used by ransomware groups.

CISA's recommendation is: apply mitigations per vendor instructions as they become available. Otherwise, users with vulnerable versions of affected devices should enable the Threat Prevention IDs available from the vendor. See the vendor bulletin for more details and a patch release schedule.

Affected Version(s)

PAN-OS 10.2.0 < 10.2.9-h1

PAN-OS 11.0.0 < 11.0.4-h1

PAN-OS 11.1.0 < 11.1.2-h3
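The three ranges above read "from the first version up to, but not including, the fixed hotfix build", so a base release such as 10.2.9 is still affected while 10.2.9-h1 is not. Getting that hotfix comparison wrong is the usual mistake in inventory scripts, so the following is an added example (not code from this page or from Palo Alto Networks) that parses PAN-OS version strings with an optional `-hN` suffix and checks an inventory against exactly the ranges listed here. The inventory lines and hostnames are constructed for the example; a "not in listed ranges" result means only that, and the vendor bulletin remains the authority.

```python
import re
from typing import Dict, Optional, Tuple

# Affected ranges exactly as listed on this page: [start, fixed) per
# release train. Nothing outside these ranges is asserted either way.
AFFECTED_RANGES = [
    ("10.2.0", "10.2.9-h1"),
    ("11.0.0", "11.0.4-h1"),
    ("11.1.0", "11.1.2-h3"),
]

_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:-h(\d+))?$")


def parse_panos_version(text: str) -> Tuple[int, int, int, int]:
    """Parse 'major.minor.patch[-hN]' into a comparable tuple.

    A base release without a hotfix is treated as hotfix 0, so it sorts
    before its hotfixes: 10.2.9 < 10.2.9-h1, which is the edge case that
    decides whether 10.2.9 counts as affected (it does).
    """
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"not a PAN-OS version string: {text!r}")
    major, minor, patch, hotfix = m.groups()
    return (int(major), int(minor), int(patch), int(hotfix or 0))


def is_affected(version: str) -> bool:
    """True if the version falls inside one of the listed [start, fixed) ranges."""
    v = parse_panos_version(version)
    for start, fixed in AFFECTED_RANGES:
        if parse_panos_version(start) <= v < parse_panos_version(fixed):
            return True
    return False


def fixed_release_for(version: str) -> Optional[str]:
    """Return the first fixed build on the same major.minor train, if listed."""
    v = parse_panos_version(version)
    for start, fixed in AFFECTED_RANGES:
        if parse_panos_version(start)[:2] == v[:2]:
            return fixed
    return None


# Constructed sample inventory: "<hostname> <version>" per line.
# Hostnames and versions are made up for this example.
SAMPLE_INVENTORY = """\
fw-edge-01 10.2.9
fw-edge-02 10.2.9-h1
fw-dc-01 11.0.3
fw-dc-02 11.1.2-h3
fw-lab-01 10.1.9
"""


def triage_inventory(text: str) -> Dict[str, str]:
    """Map each host to an upgrade target or 'not in listed ranges'."""
    result: Dict[str, str] = {}
    for line in text.splitlines():
        if not line.strip():
            continue
        host, version = line.split()
        if is_affected(version):
            result[host] = f"AFFECTED - upgrade to {fixed_release_for(version)}"
        else:
            result[host] = "not in listed ranges"
    return result


if __name__ == "__main__":
    for host, verdict in triage_inventory(SAMPLE_INVENTORY).items():
        print(f"{host}: {verdict}")
```

The version tuple deliberately has four components so that ordinary tuple comparison handles the hotfix suffix; a naive string comparison would rank "10.2.9-h1" above "10.2.9" only by accident and would misorder "-h10" against "-h2".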

Exploit Proof of Concept (PoC)

PoC code is written by security researchers to demonstrate that the vulnerability can be exploited. PoC code is also a key component of weaponization, which can lead to ransomware.

News Articles

Post-Exploitation Activities on PAN-OS Devices: A Network-Based Analysis | Darktrace Blog

This blog investigates the network-based activity detected by Darktrace in compromises stemming from the exploitation of a vulnerability in Palo Alto Networks firewall devices, namely CVE-2024-3400.

1 month ago

6.2K Palo Alto firewalls still at risk as exploits increase

Proof-of-concept exploits for CVE-2024-3400 are now publicly available.

2 months ago

Threat Brief: Operation MidnightEclipse, Post-Exploitation Activity Related to CVE-2024-3400 (Updated May 20)

We detail Operation MidnightEclipse, a campaign exploiting command injection vulnerability CVE-2024-3400, and include protections and mitigations.

5 months ago

EPSS Score

96% chance of being exploited in the next 30 days.

CVSS V3.1

Score: 10
Severity: CRITICAL
Confidentiality: High
Integrity: High
Availability: High
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: Changed

Timeline

  • 🟡 Public PoC available

  • 🥇 Vulnerability reached the number 1 worldwide trending spot

  • 📈 Vulnerability started trending

  • 💰 Used in Ransomware

  • 🦅 CISA Reported

  • 📰 First article discovered by SecurityWeek

  • Vulnerability published

  • Vulnerability Reserved

  • 👾 Exploit known to exist

Collectors

NVD Database, Mitre Database, CISA Database, 8 Proof of Concept(s), 50 News Article(s)

Credit

Palo Alto Networks thanks Volexity for detecting and identifying this issue, and the Capability Development Group at Bishop Fox for helping us verify the fixes and improve threat prevention signatures.