
A critical zero-day vulnerability (CVE-2024-3400) in Palo Alto Networks’ PAN-OS firewalls has been actively exploited since at least April 10, 2024, allowing unauthenticated attackers to execute arbitrary code with root privileges. The flaw affects GlobalProtect gateways and portals in PAN-OS 10.2, 11.0, and 11.1, and carries a CVSS score of 10.0 (Critical). A threat actor tracked as UTA0218 has weaponized the vulnerability to deploy reverse shells, exfiltrate configuration data, and move laterally within victim networks[1][2].
Technical Analysis
The flaw is a command injection vulnerability (CWE-77) arising from improper neutralization of special elements in the GlobalProtect feature. An attacker supplies a crafted session ID containing directory-traversal sequences, so that the device writes a file under the `device_telemetry/hour` path with the command embedded in the file name[2][3]. When the telemetry job later processes that directory (hourly), the embedded command is executed. Notably, device telemetry does not need to be enabled for exploitation to succeed[2].
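To make the two-stage mechanism concrete, the following is a small Python model added for this article; it is not PAN-OS code and does not reproduce the real exploit. It shows the bug class described above: a session identifier that reaches the filesystem without neutralization (so `../` in it drops a file into a telemetry directory), followed by a periodic collector that pastes the file name into a shell command line. The hardened variants sit beside each vulnerable one. The directory names, the 32-hex-character session-ID format, the `echo processing` collector command and the hostile session ID are all assumptions constructed for the model.

```python
r"""Model of the CVE-2024-3400 bug class, written for this article (not PAN-OS
code): a session identifier reaches the filesystem without neutralisation, so
"../" in it drops a file into a telemetry directory, and a periodic job later
interpolates that file name into a shell command line. Directory names, the
session-ID format and the collector command are assumptions for the model."""
import os
import re
import subprocess
import tempfile

# Assumed canonical session-ID shape: 32 lowercase hex characters.
SESSION_ID_RE = re.compile(r"[0-9a-f]{32}")


class SessionStore:
    def __init__(self, root):
        self.sessions = os.path.join(root, "sessions")
        self.telemetry = os.path.join(root, "device_telemetry", "hour")
        os.makedirs(self.sessions, exist_ok=True)
        os.makedirs(self.telemetry, exist_ok=True)

    def save_vulnerable(self, session_id):
        """VULNERABLE: the caller-supplied ID is joined straight into a path,
        so "../" segments walk out of the sessions directory (CWE-22) and the
        attacker chooses where the file lands and what it is called."""
        path = os.path.join(self.sessions, session_id)
        open(path, "w").close()
        return os.path.realpath(path)

    def save_hardened(self, session_id):
        """Hardened: accept only the canonical ID shape, then confirm the
        resolved path is still inside the sessions directory."""
        if not SESSION_ID_RE.fullmatch(session_id):
            raise ValueError("malformed session id")
        path = os.path.realpath(os.path.join(self.sessions, session_id))
        base = os.path.realpath(self.sessions)
        if os.path.commonpath([path, base]) != base:
            raise ValueError("session path escapes store")
        open(path, "w").close()
        return path


def collect_vulnerable(telemetry_dir):
    """Periodic collector, second half of the bug: each file name is pasted
    into a shell string, so a name containing ';' injects a command (CWE-77)."""
    results = []
    for name in sorted(os.listdir(telemetry_dir)):
        proc = subprocess.run(f"echo processing {name}", shell=True,
                              capture_output=True, text=True)
        results.append(proc.stdout.strip())
    return results


def collect_hardened(telemetry_dir):
    """Hardened collector: argv list and no shell, so the name is inert data."""
    results = []
    for name in sorted(os.listdir(telemetry_dir)):
        proc = subprocess.run(["echo", "processing", name],
                              capture_output=True, text=True)
        results.append(proc.stdout.strip())
    return results


def demo():
    """Run both paths against one hostile session ID and report what happened."""
    root = tempfile.mkdtemp(prefix="gp-model-")
    store = SessionStore(root)
    # Traversal out of sessions/ into the telemetry directory, with a shell
    # metacharacter in the final component. Constructed for the model.
    hostile = "../device_telemetry/hour/x;echo INJECTED"
    dropped = store.save_vulnerable(hostile)
    try:
        store.save_hardened(hostile)
        rejected = False
    except ValueError:
        rejected = True
    return {
        "landed_in_telemetry": os.path.dirname(dropped) == os.path.realpath(store.telemetry),
        "vulnerable_collector": collect_vulnerable(store.telemetry),
        "hardened_collector": collect_hardened(store.telemetry),
        "hardened_store_rejects": rejected,
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value!r}")
```

Running `demo()` shows the vulnerable collector's output splitting into two commands (`processing x` followed by `INJECTED`), while the hardened collector echoes the whole name as a single argument and the hardened store refuses the ID before anything touches the disk. The point a practitioner should take away is that either fix alone closes the chain: an allow-list on the session ID removes the traversal, and an argv-based collector removes the injection.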
Volexity, which attributes the activity to UTA0218, observed reverse shell deployment, credential harvesting, and lateral movement following exploitation[1]. Entries in `gpsvc.log` of the form `failed to unmarshal session(../../path)` serve as a key indicator of compromise[2].
Affected Products and Mitigation
| PAN-OS Version | Fixed Release |
|---|---|
| 10.2 | 10.2.9-h1 |
| 11.0 | 11.0.4-h1 |
| 11.1 | 11.1.2-h3 |
Full patch details are available in Palo Alto’s advisory[2].
Detection and Response
Organizations should prioritize log analysis for malformed session IDs. From the PAN-OS CLI, the advisory's check is:
```
grep pattern "failed to unmarshal session(.\+.\/" mp-log gpsvc.log*
```
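For analysts working from exported logs rather than the device CLI, here is a Python equivalent added for this article (not a vendor tool). It applies a literal translation of the advisory's grep pattern, extracts the value between `session(` and `)`, and classifies it: the model treats a GUID-shaped value as the normal, benign content of that field and anything else as worth a look, with extra flags for traversal sequences, a `device_telemetry` path and shell metacharacters. The sample log lines are constructed for the example; the timestamp and field layout are assumptions, not captured PAN-OS output.

```python
r"""Offline detector for the gpsvc.log indicator, written for this article as a
Python equivalent of the advisory's PAN-OS CLI check
    grep pattern "failed to unmarshal session(.\+.\/" mp-log gpsvc.log*
The sample log lines below are constructed, not captured from a device; field
layout and timestamps are assumptions."""
import re

# Literal translation of the advisory pattern: "session(" then two or more
# characters then "/". A slash inside the session value means it was treated
# as a path.
ADVISORY_RE = re.compile(r"failed to unmarshal session\(.+./")

# Structured extraction of the value between the parentheses.
SESSION_RE = re.compile(r"failed to unmarshal session\((?P<sess>[^)]*)\)")
# Assumption in this model: a well-formed session value is GUID-shaped.
GUID_RE = re.compile(r"[0-9a-fA-F]{8}(-[0-9a-fA-F]{4}){3}-[0-9a-fA-F]{12}")
SHELL_META = set(";`$|&")

# Constructed sample, not real device output.
SAMPLE_GPSVC_LOG = """\
2024-04-11 01:02:03 gpsvc: failed to unmarshal session(8f3a2c1e-4b6d-4e9a-a1c2-3d4e5f607182)
2024-04-11 01:05:44 gpsvc: failed to unmarshal session(../../device_telemetry/hour/x)
2024-04-11 01:06:10 gpsvc: session established for user alice
2024-04-11 01:07:00 gpsvc: failed to unmarshal session(../../device_telemetry/hour/y;z)
2024-04-11 01:08:30 gpsvc: failed to unmarshal session(12345)
"""


def classify_session(value):
    """Label the session value: benign GUID, path traversal, or merely malformed."""
    if GUID_RE.fullmatch(value):
        return "guid"        # well-formed; treated as the normal content of the field
    if "../" in value or "/" in value:
        return "traversal"   # path characters where an identifier should be
    return "malformed"       # not a GUID but no path: still worth a look


def scan_gpsvc(text):
    """Return one record per suspicious 'failed to unmarshal session' line."""
    hits = []
    for lineno, line in enumerate(text.splitlines(), 1):
        m = SESSION_RE.search(line)
        if not m:
            continue
        value = m.group("sess")
        kind = classify_session(value)
        if kind == "guid":
            continue
        hits.append({
            "line": lineno,
            "session": value,
            "kind": kind,
            "advisory_match": bool(ADVISORY_RE.search(line)),
            "telemetry_path": "device_telemetry" in value,
            "shell_meta": any(c in SHELL_META for c in value),
        })
    return hits


if __name__ == "__main__":
    for hit in scan_gpsvc(SAMPLE_GPSVC_LOG):
        print(hit)
```

On the constructed sample, lines 2 and 4 match the advisory pattern and are flagged as traversal into the telemetry path (line 4 additionally carries a shell metacharacter), line 5 is surfaced as malformed even though the grep pattern alone would miss it, and the GUID on line 1 is left alone. Treat any traversal hit as grounds for collecting a Tech Support File rather than as proof of success on its own.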
Network detection should focus on outbound connections to attacker-controlled IPs and anomalous HTTP requests to `/global-protect/login.esp`[3].
Mitigation steps include:
- Immediate patching to fixed PAN-OS versions.
- Applying Threat Prevention signatures (Threat IDs 95187, 95189, 95191) to the vulnerability protection profile on the GlobalProtect interface; this requires a Threat Prevention subscription.
- Collecting Tech Support Files (TSF) for forensic analysis[2].
Relevance to Security Teams
Blue teams should monitor GlobalProtect login anomalies and unexpected child processes of `gpsvc`. Red teams should note that post-exploitation footholds may persist through resets, whereas the patches only prevent the initial RCE[2].
Conclusion
CVE-2024-3400 represents a severe threat due to its ease of exploitation and high privileges. Organizations must patch immediately or apply mitigations. Palo Alto’s rapid response underscores the importance of vendor collaboration in zero-day scenarios.