We advise users with Palo Alto Networks firewalls installed, particularly those with PAN-OS 10.2, PAN-OS 11.0, and PAN-OS 11.1 software configured with GlobalProtect gateway or GlobalProtect portal (or both) and device telemetry enabled, to immediately install the hotfixes that have been deployed for their specific software versions.
Details about the hotfixes and their availability per PAN-OS version can be found here: https://security.paloaltonetworks.com/CVE-2024-3400.
Palo Alto Networks has disclosed that a critical flaw has been discovered, impacting PAN-OS software used in its GlobalProtect gateways. Threat intelligence and incident response company Volexity has been credited with discovering and reporting the bug.
Tracked as CVE-2024-3400, the critical flaw has been noted to be actively exploited in the wild and has a CVSS score of 10.0, indicating maximum severity.
In an advisory released last April 12, Palo Alto Networks stated:
"A command injection vulnerability in the GlobalProtect feature of Palo Alto Networks PAN-OS software for specific PAN-OS versions and distinct feature configurations may enable an unauthenticated attacker to execute arbitrary code with root privileges on the firewall."
“The issue is applicable only to firewalls that have the configurations for both GlobalProtect gateway (Network > GlobalProtect > Gateways) and device telemetry (Device > Setup > Telemetry) enabled.”
Meanwhile, users with Palo Alto Networks’ Cloud NGFW, Panorama appliances, and Prisma Access services are not impacted by this vulnerability, according to the company.
In addition to the hotfixes being deployed, Palo Alto Networks has recommended that users with a Palo Alto Networks Threat Prevention subscription enable Threat ID 95187 (available in Applications and Threats content version 8833-8682 and later) which can block attacks utilizing this vulnerability.
If unable to apply the aforementioned Threat prevention-based mitigation, users can temporarily disable device telemetry until the device is upgraded to a fixed PAN-OS version. Once upgraded, device telemetry should be re-enabled on the device.
Furthermore, if the firewalls are managed by Panorama, ensure that device telemetry is disabled in relevant templates (Panorama > Templates).