Critical Command Injection Vulnerability Found in Palo Alto Networks GlobalProtect

PUBLISHED:
16 April 2024

Critical Command Injection in Palo Alto Networks GlobalProtect

A critical vulnerability has been identified in Palo Alto Networks PAN-OS, specifically affecting the GlobalProtect gateways and portals. Designated as CVE-2024-3400, this command injection flaw enables unauthenticated attackers to execute arbitrary code with root privileges. The vulnerability, holding a CVSS severity score of 10.0, is actively being exploited, as confirmed by Palo Alto Networks.

Affected Versions

The vulnerability impacts the following versions of PAN-OS, configured with either GlobalProtect gateway or portal (or both), and device telemetry enabled:

• PAN-OS 10.2
• PAN-OS 11.0
• PAN-OS 11.1

Mitigation

• PAN-OS 10.2: Update to 10.2.9-h1
• PAN-OS 11.0: Update to 11.0.4-h1
• PAN-OS 11.1: Update to 11.1.2-h3

TechCERT strongly encourages the application of these updates immediately.

More Information

• Palo Alto Networks Security Advisory: CVE-2024-3400 PAN-OS: OS Command Injection Vulnerability in GlobalProtect – https://security.paloaltonetworks.com/CVE-2024-3400
• Threat Brief on Operation MidnightEclipse: Detailing post-exploitation activity related to CVE-2024-3400, available at Unit 42 – Palo Alto Networks – https://unit42.paloaltonetworks.com/cve-2024-3400/