PAN-OS Command Injection Vulnerability (CVE-2024-3400)

A critical OS Command Injection Vulnerability (CVE-2024-3400) was identified in GlobalProtect Gateway of Palo Alto Networks PAN-OS versions 10.2, 11.0, and 11.1, distinct feature configurations may enable an unauthenticated attacker to execute arbitrary code with root privileges on the firewall.

Vulnerability

Command Injection Vulnerability (CVE-2024-3400)

Severity Level

Critical (Score: 10, maximum)

Affected Products

PAN-OS 10.2, PAN-OS 11.0, and PAN-OS 11.1 firewalls with the configurations for both GlobalProtect gateway or GlobalProtect portal (or both) and device telemetry enabled.
- PAN-OS 11.1: < 11.1.2-h3
- PAN-OS 11.0: < 11.0.4-h1
- PAN-OS 10.2: < 10.2.9-h1

(Cloud NGFW, Panorama appliances, Prisma Access and all other versions of PAN-OS are not impacted by this vulnerability.)

You can:

- Verify whether the device has a GlobalProtect gateway configured by checking for entries in the firewall web interface (Network > GlobalProtect > Gateways).
- Verify whether device telemetry is enabled by checking the firewall web interface (Device > Setup > Telemetry).

Remediation

Fixes are released in PAN-OS 10.2.9-h1, PAN-OS 11.0.4-h1, PAN-OS 11.1.2-h3 and all later PAN-OS versions. Affected systems should be patched ASAP to eliminate the potential threat of exploitation.
Review and disable Device Telemetry if it is active but unnecessary.
Please see Disable Device Telemetry (paloaltonetworks.com) for details on how to disable device telemetry.
Ensure vulnerability protection has been applied to the GlobalProtect interface to prevent exploitation of this issue on the device.
Please see Applying Vulnerability Protection to GlobalProtect Interfaces (Palo Alto Networks) for more information.
Devices with a Threat Prevention subscription can block attacks for this vulnerability by enabling Threat ID 95187 (available in Applications and Threats content version 8833-8682 and later).

Reference

Enquiry

For enquiries, please contact infosec@cuhk.edu.hk. Thanks a lot.

Published on: 13 Apr 2024

Last update on: 15 Apr 2024

Cookie	Duration	Description
cookielawinfo-checkbox-analytics	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Analytics".
cookielawinfo-checkbox-functional	11 months	The cookie is set by GDPR cookie consent to record the user consent for the cookies in the category "Functional".
cookielawinfo-checkbox-necessary	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookies is used to store the user consent for the cookies in the category "Necessary".
cookielawinfo-checkbox-others	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Other.
cookielawinfo-checkbox-performance	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Performance".
viewed_cookie_policy	11 months	The cookie is set by the GDPR Cookie Consent plugin and is used to store whether or not user has consented to the use of cookies. It does not store any personal data.