Palo Alto Networks firewalls under attack, hotfixes incoming! (CVE-2024-3400)

UPDATE: April 17, 05:50 AM ET

New story: Palo Alto firewalls: Public exploits, rising attacks, ineffective mitigation

UPDATE (April 12, 2024, 03:10 p.m. ET):

New story: CVE-2024-3400 exploited: Unit 42, Volexity share more details about the attacks

Attackers are exploiting a command injection vulnerability (CVE-2024-3400) affecting Palo Alto Networks’ firewalls, the company has warned, and urged customers to implement temporary mitigations and get in touch to check whether their devices have been compromised.

“Palo Alto Networks is aware of a limited number of attacks that leverage the exploitation of this vulnerability,” they said, and thanked Volexity researchers for flagging the issue.

Exploitation of the vulnerability can be automated.

About CVE-2024-3400

CVE-2024-3400 is a command injection vulnerability in the GlobalProtect feature of Palo Alto Networks PAN-OS software and may allow an unauthenticated attacker to execute arbitrary code with root privileges on vulnerable firewalls.

The vulnerability affects PAN-OS versions 11.1, 11.0 and 10.2 that have configurations for both GlobalProtect gateway and device telemetry enabled. It will be fixed with hotfixes 11.1.2-h3, 11.0.4-h1, and 10.2.9-h1, which are scheduled to be released on April 14, 2023 (Sunday).
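For teams triaging a fleet against these criteria, the following added example (not code from Palo Alto Networks or from this article) compares each firewall's PAN-OS version with the hotfix named above for its release train and factors in the two configuration conditions. The inventory entries, status labels and function names are assumptions made for illustration.

```python
import re

# Fixed hotfix per release train, as named in the article. Assumption: builds
# in the same train that sort below it are unfixed; hotfixes for other
# maintenance releases are not listed on the page and are not modelled.
FIXED = {(11, 1): (2, 3), (11, 0): (4, 1), (10, 2): (9, 1)}
VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:-h(\d+))?$")


def parse_version(text):
    """Split 'major.minor.maint[-hN]' into ((major, minor), (maint, hotfix))."""
    m = VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised PAN-OS version: {text!r}")
    major, minor, maint = (int(g) for g in m.groups()[:3])
    return (major, minor), (maint, int(m.group(4) or 0))


def triage(version, gp_gateway, telemetry):
    """Classify one firewall against the article's stated criteria."""
    try:
        train, build = parse_version(version)
    except ValueError:
        return "unknown-version"      # review by hand, never assume safe
    if train not in FIXED:
        return "train-not-listed"
    if build >= FIXED[train]:
        return "fixed"
    if gp_gateway and telemetry:
        return "exposed"              # prioritise mitigation and IoC check
    return "unfixed-config-not-matching"


# Constructed sample inventory: (name, version, GlobalProtect gateway, telemetry)
INVENTORY = [
    ("fw-edge-01", "10.2.9", True, True),
    ("fw-edge-02", "10.2.9-h1", True, True),
    ("fw-dc-01", "11.0.4", True, False),
    ("fw-lab-01", "10.1.11", True, True),
    ("fw-branch-01", "11.1.2-h2", True, True),
]


def report(inventory):
    return {name: triage(v, gp, tel) for name, v, gp, tel in inventory}


if __name__ == "__main__":
    for name, status in report(INVENTORY).items():
        print(f"{name:14} {status}")
```

Devices reported as "unfixed-config-not-matching" still need the hotfix; the label only reflects the configuration conditions as stated in this article.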

“You can verify whether you have a GlobalProtect gateway configured by checking for entries in your firewall web interface (Network > GlobalProtect > Gateways) and verify whether you have device telemetry enabled by checking your firewall web interface (Device > Setup > Telemetry),” Palo Alto Networks explained.

“Customers with a Threat Prevention subscription can block attacks for this vulnerability by enabling Threat ID 95187 (introduced in Applications and Threats content version 8833-8682).”

They should also apply a vulnerability protection security profile to the GlobalProtect interface to prevent exploitation of this issue on their device.

If they can’t do any of that, they can mitigate the impact of this vulnerability by temporarily disabling device telemetry and re-enabling it once the hotfix is applied.

“Customers are able to open a case in the Customer Support Portal (CSP) and upload a technical support file (TSF) to determine if their device logs match known indicators of compromise (IoC) for this vulnerability,” the company added.

UPDATE (April 12, 2024, 09:25 a.m. ET):

“We have seen limited exploitation but impact at multiple customers,” Volexity president Steven Adair commented on Twitter.

“We first detected this just two days ago. Impressive response from the Palo Alto Networks team, as they quickly worked with us and have now pushed a Threat Protection signature with a fix to come April 14.”

UPDATE (April 15, 2024, 04:10 a.m. ET):

Some PAN-OS fixes are now available and others will be published in the coming days.
