CVE-2024-3400: Palo Alto Networks PAN-OS < v11.1.2 – Unauthorised Execution of Arbitrary Code (RCE) via Command Injection Vulnerability in GlobalProtect Feature

A command injection vulnerability exists in the GlobalProtect feature of Palo Alto Networks PAN-OS software with the configurations for both GlobalProtect gateway and device telemetry enabled. The product constructs all or part of an OS command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended OS command when it is sent to a downstream component.

Background and context

Palo Alto Networks, Inc. is an American multinational cybersecurity company with headquarters in Santa Clara, California. The core product is a platform that includes advanced firewalls and cloud-based offerings that extend those firewalls to cover other aspects of security. PAN‑OS is the software that runs all Palo Alto Networks next-generation firewalls. By leveraging the key technologies that are built into PAN‑OS natively – App‑ID, Content‑ID, Device-ID, and User‑ID – you can have complete visibility and control of the applications in use across all users and devices in all locations all the time.

 

Vulnerability summary

A command injection vulnerability exists in the GlobalProtect feature of Palo Alto Networks PAN-OS software with the configurations for both GlobalProtect gateway and device telemetry enabled. The product constructs all or part of an OS command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended OS command when it is sent to a downstream component. This could allow attackers to execute unexpected, dangerous commands directly on the operating system. This weakness can lead to a vulnerability in environments in which the attacker does not have direct access to the operating system, such as in web applications. Alternately, if the weakness occurs in a privileged program, it could allow the attacker to specify commands that normally would not be accessible, or to call alternate commands with privileges that the attacker does not have. The problem is exacerbated if the compromised process does not follow the principle of least privilege, because the attacker-controlled commands may run with special system privileges that increases the amount of damage.

 

Affected versions

  • PAN-OS 10.2 prior to release 10.2.9-h1
  • PAN-OS 11.0 prior to release 11.0.4-h1
  • PAN-OS 11.1 prior to release 11.1.2-h3

 

(Cloud NGFW, Panorama appliances, and Prisma Access are not impacted by this vulnerability. All other versions of PAN-OS are also not impacted.)

 

Impact if exploited

Successful exploit may enable an unauthenticated attacker to execute arbitrary code with root (superuser) privileges on the firewall.

NOTE: This vulnerability has been reported by the CISA (America’s Cyber Defense Agency) to be known to be currently actively exploited in the wild as of 2014-04-13. More information about the vulnerability’s exploitation in the wild can be found in the Unit 42 threat brief listed in the References section. Prioritisation should be given to remediation in any impacted environment

 

Official Fix & Remediation Guidance

  • Users of affected devices should enable Threat Prevention Threat ID 95187 if that is available, otherwise, disable device telemetry until patches are available from the vendor, per vendor instructions.
  • Fixes for PAN-OS 10.2, PAN-OS 11.0, and PAN-OS 11.1 are in development and are expected to be released by April 14, 2024. Once patches become available, customers are advised to upgrade to the latest version of the impacted product.

 

NOTE: Remediation of this vulnerability by patching to a specific version indicated may not be sufficient to secure the product against further vulnerabilities discovered in later versions, subsequent to the publication of this guidance. Unless contra-indicated, customers are therefore advised to always upgrade to the latest version of the product available.

 

Temporary Mitigation & Workarounds

Customers with a Threat Prevention subscription can block attacks for this vulnerability by enabling Threat ID 95187 (introduced in Applications and Threats content version 8833-8682).

You can verify whether you have a GlobalProtect gateway configured by checking for entries in your firewall web interface (Network > GlobalProtect > Gateways) and verify whether you have device telemetry enabled by checking your firewall web interface (Device > Setup > Telemetry). If the feature is enabled but you do not use, temporary mitigation can be performed by disabling the vulnerable functionality until a patch is released and can be applied. Once upgraded, device telemetry should be re-enabled on the device.

NOTE: Caution should always be taken in applying any temporary mitigations listed. Mitigations are only recommended in cases where patches to remediate the vulnerability are not available, or cannot safely be applied to a given environment immediately. A given mitigation may not in all cases be recommended officially by the application vendor. The viability of any given temporary mitigation measure may vary, depending on server platform and existing configuration. Mitigations listed may incompletely remediate any given vulnerability. Configuration changes to implement listed mitigations may impact/disrupt required functionality within a given customer application. Care should therefore be taken to carefully analyse any listed mitigations for appropriateness to a given environment. Customers are advised to test any configuration changes prior to their being introduced into a production environment.

 

Additional Information

As always, if you require any more information on this topic or want to see what unexpected vulnerabilities AppCheck can pick up in your website and applications then please contact us: info@localhost

For more information on this vulnerability or to search more vulnerabilities head to our Known Vulnerability Database: detections.appcheck-ng.com/cve-2024-3400

 

References

 

About AppCheck

AppCheck is a software security vendor based in the UK, offering a leading security scanning platform that automates the discovery of security flaws within organisations websites, applications, network, and cloud infrastructure. AppCheck are authorized by the Common Vulnerabilities and Exposures (CVE) Program as a CVE Numbering Authority (CNA).

Get started with Appcheck

No software to download or install.

Contact us or call us 0113 887 8380

About Appcheck

AppCheck is a software security vendor based in the UK, offering a leading security scanning platform that automates the discovery of security flaws within organisations websites, applications, network and cloud infrastructure. AppCheck are authorized by te Common Vulnerabilities and Exposures (CVE) Program aas a CVE Numbering Authority (CNA)

No software to download or install.
Contact us or call us 0113 887 8380

Start your free trial

Your details
IP Addresses
URLs

Get in touch