THREAT LEVEL - HIGH

17-04-2024

Injection vulnerability in Palo Alto's GlobalProtect SSLVPN implementation

Threat Level Description

IthacaLabs has maintained the Threat Level (High), adding a new observation:

An attack is highly likely. Addressing the broad nature of the threat in order to reach an acceptable risk level requires additional and sustainable protective security measures, combined with specific business and geographical vulnerabilities and judgments.

Description

We have observed that a new critical command injection vulnerability has been identified in Palo Alto's GlobalProtect SSLVPN implementation.

A remote unauthenticated attacker, by exploiting this issue, could execute arbitrary code with root privileges on the firewall.

This vulnerability, tracked as CVE-2024-3400, is a command injection vulnerability in the GlobalProtect feature of Palo Alto Networks PAN-OS software.

This issue is applicable only to PAN-OS 10.2, PAN-OS 11.0, and PAN-OS 11.1 firewalls configured with GlobalProtect gateway and/or GlobalProtect portal.

Note that proofs of concept for this vulnerability have been publicly disclosed by third parties.

Also note that Cloud NGFW, Panorama appliances, and Prisma Access are not impacted by this vulnerability.

Affected Products

  • PAN-OS 11.1:     < 11.1.0-h3, < 11.1.1-h1, < 11.1.2-h3
  • PAN-OS 11.0:     < 11.0.2-h4, < 11.0.3-h10, < 11.0.4-h1
  • PAN-OS 10.2:     < 10.2.5-h6, < 10.2.6-h3, < 10.2.7-h8, < 10.2.8-h3, < 10.2.9-h1
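
As an added example (not part of the original advisory and not Palo Alto tooling), the following Python script checks PAN-OS version strings against the fixed hotfix levels listed above and flags firewalls that also have GlobalProtect configured. The host names and inventory are constructed, and treating a maintenance release that the list does not name as affected when it is below the highest listed one is an assumption.

```python
import re

# Fixed hotfix level per maintenance release, copied from the list above.
# Example: (10, 2): {7: 8} means 10.2.7 builds below 10.2.7-h8 are affected.
FIXED = {
    (11, 1): {0: 3, 1: 1, 2: 3},
    (11, 0): {2: 4, 3: 10, 4: 1},
    (10, 2): {5: 6, 6: 3, 7: 8, 8: 3, 9: 1},
}

_VERSION = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:-h(\d+))?$")


def parse(version):
    """Split 'X.Y.Z' or 'X.Y.Z-hN' into integers (no hotfix counts as 0)."""
    m = _VERSION.match(version.strip())
    if not m:
        raise ValueError(f"unrecognised PAN-OS version: {version!r}")
    major, minor, maint, hotfix = m.groups()
    return int(major), int(minor), int(maint), int(hotfix or 0)


def is_affected(version):
    """True if the build is below the fixed level given in the advisory."""
    major, minor, maint, hotfix = parse(version)
    fixes = FIXED.get((major, minor))
    if fixes is None:
        return False  # the advisory covers only 10.2, 11.0 and 11.1
    if maint in fixes:
        # Integer comparison: as strings, "h10" would sort before "h4".
        return hotfix < fixes[maint]
    # Assumption: an unlisted maintenance release is affected when it is
    # older than the newest release for which the list gives a fix.
    return maint < max(fixes)


def triage(inventory):
    """Hosts that run an affected build AND have GlobalProtect configured."""
    return [h for h, version, gp in inventory if gp and is_affected(version)]


# Constructed inventory: (hostname, PAN-OS version, GlobalProtect configured)
SAMPLE = [
    ("fw-edge-01", "10.2.7-h3", True),
    ("fw-edge-02", "11.0.3-h10", True),
    ("fw-lab-01", "11.1.1", False),
    ("fw-dc-01", "10.1.11", True),
]

if __name__ == "__main__":
    print("Upgrade first:", triage(SAMPLE))
```

The GlobalProtect flag in the inventory has to come from the gateway and portal check described under Recommendation(s); the script does not query the firewall.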

Recommendation(s)

You should immediately upgrade to a fixed version of PAN-OS, even if workarounds and mitigations have been applied.

You can verify whether you have a GlobalProtect gateway or GlobalProtect portal configured by checking for entries in your firewall web interface (Network > GlobalProtect > Gateways or Network > GlobalProtect > Portals).

Recommended Mitigation (if you have not applied the fixed version of PAN-OS):
If you have a Threat Prevention subscription, you can block attacks for this vulnerability using Threat IDs 95187, 95189, and 95191 (available in Applications and Threats content version 8836-8695 and later).

To apply the Threat IDs, you must ensure that vulnerability protection has been applied to your GlobalProtect interface to prevent exploitation of this issue on your device: https://live.paloaltonetworks.com/t5/globalprotect-articles/applying-vulnerability-protection-to-globalprotect-interfaces/ta-p/340184.

You should understand the importance of security updates, and the urgency with which they should be applied, no matter how large or small your organization is. It is very important to apply an efficient patch management solution, to always have active security event logging enabled, and to practice event monitoring. Protecting the valuable assets of your business and complying with the relevant industry regulations requires a comprehensive approach to the management of risk, including Penetration Testing at least annually and upon significant changes.
