
The Dutch National Cyber Security Centre (NCSC) has recently observed active exploitation of a critical vulnerability in Palo Alto PAN-OS, known as CVE-2024-3400. This vulnerability allows attackers to execute arbitrary code with root privileges on affected systems. The NCSC advises users to urgently install the updates provided by Palo Alto to mitigate the risk[1].
TL;DR:
- CVE-2024-3400: A critical vulnerability in Palo Alto PAN-OS allows attackers to execute arbitrary code with root privileges.
- Active Exploitation: The Dutch National Cyber Security Centre (NCSC) has observed active exploitation of this vulnerability in the Netherlands.
- Mitigation: Palo Alto has released updates to address the vulnerability. The NCSC advises users to install these updates as soon as possible.
- Relevance: This vulnerability is particularly dangerous for systems using GlobalProtect Gateway and Device Telemetry functionalities.
Technical Details of CVE-2024-3400
The vulnerability CVE-2024-3400 is a command injection vulnerability present in Palo Alto Networks’ PAN-OS software. This vulnerability exists only in PAN-OS versions 10.2, 11.0, and 11.1, and only when both GlobalProtect Gateway and Device Telemetry functionalities are enabled[2].
Researchers have published a PoC demonstrating how attackers can exploit this vulnerability to execute code on affected systems[4].
Mitigation Measures and Updates
Palo Alto has released updates to address the vulnerability. Users are advised to take the following steps:
- Install the Updates: Ensure the latest updates for PAN-OS are installed. Updates are available for the following versions:
- PAN-OS 11.1: 11.1.2-h3, 11.1.1-h1, 11.1.0-h3
- PAN-OS 11.0: 11.0.4-h1, 11.0.3-h10, 11.0.2-h4
- PAN-OS 10.2: 10.2.9-h1, 10.2.8-h3, 10.2.7-h8, 10.2.6-h3, 10.2.5-h6[5].
- Enable Threat Prevention: Users with a Threat Prevention subscription can activate Threat ID 95187 to block attacks[6].
- Detect Exploitation: Palo Alto has described several methods to detect exploitation of the vulnerability. For example, users can run the following command in the PAN-OS CLI:
grep pattern "failed to unmarshal session(.\+.\/" mp-log gpsvc.log*
If the matched session value is a path reference rather than a GUID, this indicates successful exploitation[7].
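The detection step above hinges on one check: does the session value logged after "failed to unmarshal session(" look like a GUID, or like a path? The following is an added example, not part of the advisory or of Palo Alto's tooling, that applies that check to constructed log lines; the line shapes and the session values are assumptions, since the page does not reproduce real gpsvc.log output.

```python
import re
from typing import List, Tuple

# Constructed sample lines in the shape the grep pattern on this page targets;
# they are not real gpsvc.log output. A healthy entry carries a GUID as the
# session identifier; a suspicious entry carries a path reference instead.
SAMPLE_GPSVC_LOG = """\
2024-04-15 10:21:03 ... failed to unmarshal session(5f2c9d6e-1b8a-4c3e-9f0d-2a7b6c5d4e3f)
2024-04-15 10:21:09 ... session 5f2c9d6e-1b8a-4c3e-9f0d-2a7b6c5d4e3f established
2024-04-15 10:22:41 ... failed to unmarshal session(/tmp/constructed-example)
"""

# Anchor on the same literal the advisory's grep uses, then capture the
# parenthesised session value for closer inspection.
SESSION_RE = re.compile(r"failed to unmarshal session\(([^)]*)\)")
# Canonical 8-4-4-4-12 hex GUID; anything else is unexpected in this field.
GUID_RE = re.compile(r"^[0-9a-fA-F]{8}(-[0-9a-fA-F]{4}){3}-[0-9a-fA-F]{12}$")


def classify_session_value(value: str) -> str:
    """Return 'guid', 'path' (contains a '/'), or 'other' for a session value."""
    if GUID_RE.match(value):
        return "guid"
    if "/" in value:
        return "path"
    return "other"


def find_exploitation_indicators(log_text: str) -> List[Tuple[int, str]]:
    """Return (1-based line number, session value) for every unmarshal failure
    whose session value is a path reference rather than a GUID. Non-GUID values
    without a slash are not reported, mirroring the slash in the grep pattern."""
    hits = []
    for lineno, line in enumerate(log_text.splitlines(), start=1):
        m = SESSION_RE.search(line)
        if m and classify_session_value(m.group(1)) == "path":
            hits.append((lineno, m.group(1)))
    return hits


if __name__ == "__main__":
    for lineno, value in find_exploitation_indicators(SAMPLE_GPSVC_LOG):
        print(f"line {lineno}: non-GUID session value with path reference: {value}")
```

Point the function at the contents of the real gpsvc.log* files exported from the appliance; a non-empty result warrants treating the device as potentially compromised and following the vendor's guidance.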
Relevance for Security Professionals
This vulnerability is particularly relevant for security professionals responsible for managing Palo Alto firewalls. It is crucial to install the updates as soon as possible and implement the recommended mitigation measures to minimize the risk of exploitation.
Tips for SOC Analysts
- Log Analysis: Check logs for suspicious activities, such as unusual access attempts to the GlobalProtect Gateway.
- Threat Hunting: Use the described XQL queries to check for indicators of exploitation, such as the domain *.nhdata.s3-us-west-2.amazonaws.com in raw logs[8].
Conclusion
The vulnerability CVE-2024-3400 in Palo Alto PAN-OS poses a serious threat to systems using GlobalProtect Gateway and Device Telemetry functionalities. The NCSC has observed active exploitation of this vulnerability and advises users to install the available updates as soon as possible. Security professionals must remain vigilant and implement the recommended mitigation measures to minimize the risk of exploitation.
References
- “Active exploitation observed of vulnerability in Palo Alto PAN-OS”. NCSC. 19 April 2024.
- “Critical vulnerability discovered in Palo Alto PAN-OS”. Digital Trust Center. 22 April 2024.
- “Palo Alto Networks discovers critical flaw in its firewalls”. Computable.nl. 12 April 2024.
- “UPDATE 2: Pinewood Security Bulletin – Palo Alto PAN-OS: OS Command Injection”. Pinewood. 17 April 2024.
- “Palo Alto Networks patches actively exploited vulnerabilities in PAN-OS”. Security.NL. 18 November 2024.
- “NCSC Advisories”. NCSC. 17 April 2024.
- “Hackers exploit two zero-days in Palo Alto firewalls”. Techzine.nl. 22 November 2024.
- “Palo Alto Networks fears broader exploitation of critical firewall vulnerability”. PC-HelpForum. 23 November 2024.