Critical PAN-OS Vulnerability (CVE-2024-3400)

Author

Piotr Kaluzny

Head Instructor

Apr 19, 2024

A recent discovery in Palo Alto Networks’ PAN-OS has brought to light a critical vulnerability that demands immediate attention and action. Known as “CVE-2024-3400: Command Injection Vulnerability in GlobalProtect”, this vulnerability affects specific configurations of PAN-OS and allows an unauthenticated attacker to execute arbitrary code with root privileges. This blog post aims to provide an overview of the vulnerability, how to detect attempts of exploitation, and the best mitigation practices.

Understanding the Problem

CVE-2024-3400 is a severe command injection flaw in PAN-OS software versions 10.2, 11.0, and 11.1, specifically in firewalls configured with the GlobalProtect gateway or portal. The vulnerability has been assigned a Common Vulnerability Scoring System (CVSS) score of 10.0, indicating its critical nature. Notably, this vulnerability does not affect Cloud NGFW, Panorama appliances, or Prisma Access systems.

The criticality of CVE-2024-3400 stems from its ability to allow an attacker to gain complete control of the affected firewall. This level of access could enable an attacker to redirect traffic, harvest data, or even launch further attacks against other parts of the network.

Identifying Potential Exploits in System Logs

To determine whether an attack has been attempted on your device, system administrators should use the following command on the PAN-OS CLI:

grep pattern "failed to unmarshal session(.+.\/" mp-log gpsvc.log*

Analyzing the output is crucial:

  • Normal Behavior: a typical log entry should look like failed to unmarshal session(01234567-89ab-cdef-1234-567890abcdef), where the session ID appears as a GUID
  • Indicators of Exploitation: entries like failed to unmarshal session(../../some/path) suggest an exploitation attempt, as the session information deviates from expected formats, showing file system paths or embedded shell commands
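The triage rule above, as an added example that is not part of the original post: a small Python classifier that reads gpsvc.log-style lines (constructed here, not real log data), extracts the value inside "failed to unmarshal session(...)", and flags anything that is not a GUID. This is broader than the slash-based grep pattern, since it also surfaces empty or otherwise malformed session values for review.

```python
import re

# Matches the "failed to unmarshal session(...)" entries that the PAN-OS CLI
# grep surfaces from mp-log gpsvc.log*; captures the value inside the parens.
UNMARSHAL_RE = re.compile(r"failed to unmarshal session\((?P<session>.*)\)")

# A legitimate session ID is a GUID: 8-4-4-4-12 hexadecimal digits.
GUID_RE = re.compile(r"^[0-9a-fA-F]{8}-(?:[0-9a-fA-F]{4}-){3}[0-9a-fA-F]{12}$")


def classify_line(line: str):
    """Return None if the line is not an unmarshal entry, otherwise a
    (verdict, session) tuple where verdict is 'normal' or 'suspicious'."""
    m = UNMARSHAL_RE.search(line)
    if m is None:
        return None
    session = m.group("session")
    if GUID_RE.match(session):
        return ("normal", session)
    # Anything that is not a GUID (file system paths, shell fragments, an
    # empty value) deviates from the expected format and should be reviewed.
    return ("suspicious", session)


def scan_log(text: str):
    """Return a list of (line_number, session) for every suspicious entry."""
    hits = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        result = classify_line(line)
        if result is not None and result[0] == "suspicious":
            hits.append((lineno, result[1]))
    return hits


# Constructed sample lines in the style of gpsvc.log (not captured from a device).
SAMPLE_LOG = """\
2024-04-15 10:01:02 [Info] gpsvc: session lookup ok
2024-04-15 10:01:03 [Error] failed to unmarshal session(01234567-89ab-cdef-1234-567890abcdef)
2024-04-15 10:02:10 [Error] failed to unmarshal session(../../some/path)
2024-04-15 10:02:11 [Error] failed to unmarshal session()
"""

if __name__ == "__main__":
    for lineno, session in scan_log(SAMPLE_LOG):
        print(f"line {lineno}: suspicious session value {session!r}")
```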

Mitigation Strategies

Immediate action is required to protect against this vulnerability. Palo Alto Networks has issued recommendations for users with a Threat Prevention subscription:

  1. Update Threat IDs: Ensure your systems are updated with Applications and Threats content version 8836-8695 or later, which includes Threat IDs 95187, 95189, and 95191 with action set to block (instead of the default action/alert). Apply vulnerability protection settings to the GlobalProtect interfaces on your device to prevent exploitation
  2. Upgrade PAN-OS: this vulnerability is resolved in PAN-OS versions 10.2.9-h1, 11.0.4-h1, and 11.1.2-h3, as well as all subsequent versions of the software. By upgrading to these versions, customers will secure their devices against this critical vulnerability. Palo Alto Networks strongly recommends that customers promptly upgrade to a patched version of PAN-OS to ensure their devices are fully protected, even if workarounds and mitigations have already been applied

Note: previously, the Palo Alto Networks advisory suggested that disabling device telemetry could serve as a secondary form of mitigation. However, it has since been determined that disabling device telemetry is not an effective countermeasure. The vulnerability can be exploited regardless of whether device telemetry is enabled on PAN-OS firewalls.

The discovery of CVE-2024-3400 underscores the necessity of rigorous cybersecurity practices and the need for timely updates and monitoring. By understanding the nature of the vulnerability, checking for signs of exploitation, and applying recommended mitigations, organizations can shield themselves against potential threats posed by this and similar severe security flaws.
