Emerging Threat

PaloAlto GlobalProtect: Emerging Threat published on Risk Ledger

Learn about the latest emerging threat - Palo Alto GlobalProtect vulnerability that was detailed on April 10, 2024.


UPDATE: 16-17 April - Rapid7 tech analysis


Source: Rapid7 - CVE-2024-3400

❗❗ Note: The vendor advisory originally stated that device telemetry had to be enabled, in addition to a GlobalProtect portal or gateway, for a firewall to be exposed. As of April 16 the advisory states that “Device telemetry does not need to be enabled for PAN-OS firewalls to be exposed to attacks related to this vulnerability.” Disabling device telemetry is therefore no longer considered an effective mitigation.

Rapid7’s analysis identified that this vulnerability is an exploit chain, consisting of two distinct vulnerabilities:

  • an arbitrary file creation vulnerability in the GlobalProtect web server, for which no discrete CVE has been assigned, and
  • a command injection vulnerability in the device telemetry feature, designated as CVE-2024-3400.
    • Disabling device telemetry blocks only the second stage: the file creation vulnerability can still be leveraged on its own.

Analysis also found that, when device telemetry is enabled, a device certificate must be installed for the feature to successfully transmit telemetry data back to Palo Alto Networks, and it is in this transmission path that the command injection lies. In testing to date, the command injection could not be triggered without a valid device certificate installed. Per the vendor documentation, telemetry is transmitted only once an hour, so an injected command is not executed immediately.

The root cause is insecure handling of the SESSID cookie value by the GlobalProtect web server: the attacker-controlled string enables the file creation, and, once picked up by device telemetry, command injection in the context of a Linux shell.
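Because the attacker-controlled value arrives in the SESSID cookie, one practical hunting step is to pull the Cookie header out of GlobalProtect request logs and flag any SESSID value that looks like a path or a shell fragment rather than an opaque session token. The script below is an added example, not code from Rapid7, Risk Ledger or Palo Alto. It runs over a few constructed log lines embedded inline; the log line layout, the request path and the assumption that a legitimate SESSID is a 32-character hex token are all assumptions to adapt to your own log source before use. Path-like content maps to the file creation stage of the chain, shell metacharacters to the command injection stage.

```python
import re
from dataclasses import dataclass, field

# Constructed sample log lines, not real PAN-OS output. The format
# (timestamp, client IP, method, path, raw Cookie header) and the
# request path are assumptions; point the parser at your own log source.
SAMPLE_LOG = """\
2024-04-10T09:12:01Z 203.0.113.10 POST /vpn/example.esp cookie="SESSID=3f9a1c0e7b2d4a6f8c1e5b7d9a3c2e4f"
2024-04-10T09:12:05Z 198.51.100.7 POST /vpn/example.esp cookie="SESSID=../../../../tmp/probe"
2024-04-10T09:12:09Z 198.51.100.7 POST /vpn/example.esp cookie="SESSID=./../../tmp/`id`"
2024-04-10T09:13:00Z 192.0.2.44 GET /vpn/example.esp cookie="OTHER=1; SESSID=9b8c7d6e5f4a3b2c1d0e9f8a7b6c5d4e"
2024-04-10T09:14:22Z 198.51.100.7 POST /vpn/example.esp cookie="SESSID=${IFS}x"
"""

LINE_RE = re.compile(
    r'^(?P<ts>\S+) (?P<src>\S+) (?P<method>\S+) (?P<path>\S+) cookie="(?P<cookie>[^"]*)"'
)

# Assumption: a legitimate SESSID is an opaque 32-character hex token.
# Adjust to what your own devices actually issue before deploying.
VALID_SESSID_RE = re.compile(r"^[0-9a-f]{32}$")

# Characters with meaning to a filesystem path or a POSIX shell; a session
# token has no business containing any of them.
PATH_TOKENS = ("/", "..")
SHELL_METACHARS = set("`$;|&(){}<>\n\t ")


@dataclass
class Finding:
    timestamp: str
    src: str
    sessid: str
    reasons: list[str] = field(default_factory=list)


def parse_cookies(header: str) -> dict[str, str]:
    """Split a raw Cookie header into a name -> value dict."""
    out = {}
    for part in header.split(";"):
        name, sep, value = part.strip().partition("=")
        if sep:
            out[name] = value
    return out


def classify_sessid(value: str) -> list[str]:
    """Return the reasons a SESSID value looks hostile (empty if it looks normal)."""
    reasons = []
    if any(tok in value for tok in PATH_TOKENS):
        reasons.append("path separator or traversal (possible file creation)")
    if any(ch in SHELL_METACHARS for ch in value):
        reasons.append("shell metacharacter (possible command injection)")
    if not reasons and not VALID_SESSID_RE.match(value):
        reasons.append("does not match expected session token format")
    return reasons


def scan_log(text: str) -> list[Finding]:
    """Parse each line and collect requests whose SESSID cookie is suspicious."""
    findings = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # unparseable line; count these separately in production
        sessid = parse_cookies(m.group("cookie")).get("SESSID")
        if sessid is None:
            continue
        reasons = classify_sessid(sessid)
        if reasons:
            findings.append(Finding(m.group("ts"), m.group("src"), sessid, reasons))
    return findings


def sources_by_hits(findings: list[Finding]) -> dict[str, int]:
    """Count suspicious requests per client IP, most active first."""
    counts: dict[str, int] = {}
    for f in findings:
        counts[f.src] = counts.get(f.src, 0) + 1
    return dict(sorted(counts.items(), key=lambda kv: -kv[1]))


if __name__ == "__main__":
    hits = scan_log(SAMPLE_LOG)
    for f in hits:
        print(f.timestamp, f.src, repr(f.sessid), "; ".join(f.reasons))
    print(sources_by_hits(hits))
```

On the constructed input the three requests from 198.51.100.7 are flagged and the two well-formed tokens pass. A hit is a lead, not proof of compromise: follow the vendor's guidance and upload a technical support file so the device logs can be matched against the known indicators.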

What can be inferred from Rapid7’s analysis is that, although the arbitrary file creation vulnerability was reasonably easy to identify, turning it into a usable command injection will have required significant research and development, most likely by an actor with access to a PaloAlto GlobalProtect device.

This Rapid7 analysis is publicly available and replicates the patch-diffing methods threat actors use to work out how unpatched systems can be exploited. Expect a surge in exploitation attempts, and possibly adjacent vulnerabilities and exploits inspired by this analysis.

Patches are available from the vendor and should be applied urgently. If you are unable to apply patches, apply one of the vendor-supplied mitigations on an emergency basis. Please see the vendor advisory for further information.

Original blog post (15 April 2024)


A command injection vulnerability, CVE-2024-3400, in the GlobalProtect feature of PaloAlto Networks PAN-OS software, affecting specific PAN-OS versions and feature configurations, may enable an unauthenticated attacker to execute arbitrary code with root privileges on the firewall.

PaloAlto have listed vulnerable versions of the product and advised patches and mitigations.

The vulnerability has a CVSS v4.0 base score of 10.0 (Critical).

Exploitation has been observed since late March 2024 (Volexity dates the earliest attempts to 26 March), so some instances may already have been compromised. Customers are advised to open a case in the Palo Alto Customer Support Portal (CSP) and upload a technical support file (TSF) to determine whether their device logs match known indicators of compromise (IoCs) for this vulnerability.

Threat Description

On April 10, 2024, Volexity identified zero-day exploitation of a vulnerability found within the GlobalProtect feature of PaloAlto Networks PAN-OS.

The threat actor, which Volexity tracks under the alias UTA0218, was able to remotely exploit the firewall device, create a reverse shell, and download further tools onto the device.

As Volexity broadened its investigation, it discovered successful exploitation at multiple other customers and organisations dating back to March 26, 2024. Those attempts appear to be the threat actor testing the vulnerability by placing zero-byte files on firewall devices to validate exploitability. On April 10, 2024, UTA0218 was observed exploiting firewall devices to successfully deploy malicious payloads. The attacker focused on exporting configuration data from the devices, and then leveraging it as an entry point to move laterally within the victim organisations.

A timeline of the discovery and subsequent activity can be found in Volexity’s full threat research write-up.

Applicability

The threat is applicable to any organisation that makes use of the GlobalProtect VPN feature of PAN-OS, which includes US federal agencies as well as both blue chip enterprises and smaller businesses globally. Estimates of potentially vulnerable internet-facing devices range from roughly 40,000 (Shodan) to 133,000 (Censys).

PaloAlto’s advisory clarifies the status of products in scope: this issue is applicable only to PAN-OS 10.2, PAN-OS 11.0 and PAN-OS 11.1 firewalls configured with a GlobalProtect gateway or GlobalProtect portal (or both). At the time of the original post the advisory also required device telemetry to be enabled; that condition has since been removed (see the update above), so treat any such firewall as exposed regardless of its telemetry setting.

Relevance to the Supply Chain

It is important to understand the extent to which your supply chain is affected by this threat, particularly the potential impact from third parties that may use the PaloAlto GlobalProtect gateways or portals. Threat actors may have already exploited these gateways and gained access to underlying supplier systems for data exfiltration or destruction.

What should you do about it

There are immediate actions you should take to protect yourself from this threat.

If you are a PaloAlto customer with GlobalProtect gateways or portals in your environment:

  1. Identify which versions of the product your organisation uses.
  2. Determine whether your product is vulnerable using the Product Status list in PaloAlto’s advisory.
  3. Open a case in the Palo Alto Customer Support Portal (CSP):
    • Upload a technical support file (TSF) to determine if your device logs match known indicators of compromise (IoC) for this vulnerability.
    • If any IoCs are found, follow your Incident Response policies to determine the potential impact on your organisation and your customers.
  4. Apply PaloAlto’s patches, or the recommended workarounds and mitigations where you cannot patch immediately, to any vulnerable instances.
  5. Suppliers can self-report their status by logging into Risk Ledger.
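Steps 1 and 2 are easy to get wrong at scale because PAN-OS version strings carry a hotfix suffix and do not sort as plain strings ("10.2.10" sorts before "10.2.9"). The script below is an added example, not Palo Alto or Risk Ledger code: it parses PAN-OS version strings into numeric fields and triages a device inventory against the three affected branches the advisory names. The inventory, device names and the GlobalProtect flag are constructed for the demonstration. The fixed-release table holds the three hotfixes the advisory listed first; the advisory has since added hotfixes for other maintenance releases in each branch, so refresh that table from the current advisory rather than trusting it as written.

```python
import re
from typing import NamedTuple


class PanOsVersion(NamedTuple):
    """Numeric fields of a PAN-OS version, so tuples compare correctly."""
    major: int
    minor: int
    maint: int
    hotfix: int  # 0 when the string carries no "-hN" suffix


VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:-h(\d+))?$")


def parse_version(text: str) -> PanOsVersion:
    """Parse strings such as '11.1.2-h3' or '10.2.9' into comparable fields."""
    m = VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised PAN-OS version string: {text!r}")
    major, minor, maint, hotfix = m.groups()
    return PanOsVersion(int(major), int(minor), int(maint), int(hotfix or 0))


# Feature branches the advisory lists as affected (10.2, 11.0, 11.1).
AFFECTED_BRANCHES = {(10, 2), (11, 0), (11, 1)}

# Fixed releases per branch. These three are the hotfixes the advisory
# listed first; it has since added hotfixes for other maintenance releases,
# so refresh this table from the current advisory before relying on it.
FIXED_RELEASES = {
    (10, 2): [parse_version("10.2.9-h1")],
    (11, 0): [parse_version("11.0.4-h1")],
    (11, 1): [parse_version("11.1.2-h3")],
}

NOT_AFFECTED = "not affected (branch not listed)"
NOT_EXPOSED = "not exposed (no GlobalProtect portal or gateway)"
FIXED = "fixed"
VULNERABLE = "vulnerable: patch or apply vendor mitigation"


def status(version_text: str, globalprotect: bool = True) -> str:
    """Classify one device by PAN-OS version and GlobalProtect configuration."""
    v = parse_version(version_text)
    branch = (v.major, v.minor)
    if branch not in AFFECTED_BRANCHES:
        return NOT_AFFECTED
    if not globalprotect:
        return NOT_EXPOSED
    fixes = FIXED_RELEASES[branch]
    # A maintenance release newer than every listed fix ships with the fix.
    if v.maint > max(f.maint for f in fixes):
        return FIXED
    # Otherwise the same maintenance release needs at least the fixing hotfix.
    if any(v.maint == f.maint and v.hotfix >= f.hotfix for f in fixes):
        return FIXED
    return VULNERABLE


# Constructed inventory for the demonstration, not real devices:
# (device name, PAN-OS version, GlobalProtect portal or gateway configured?)
INVENTORY = [
    ("fw-edge-01", "11.1.2-h3", True),
    ("fw-edge-02", "11.1.2-h1", True),
    ("fw-dc-01", "10.2.9", True),
    ("fw-dc-02", "10.2.10", True),
    ("fw-lab-01", "10.1.11", True),
    ("fw-mgmt-01", "11.0.3", False),
    ("fw-branch-07", "11.0.4-h1", True),
]


def triage(inventory) -> dict[str, str]:
    """Map every device name to its status."""
    return {name: status(ver, gp) for name, ver, gp in inventory}


def vulnerable_devices(inventory) -> list[str]:
    """Names of devices that need a patch or mitigation now, in inventory order."""
    return [name for name, st in triage(inventory).items() if st == VULNERABLE]


if __name__ == "__main__":
    for name, st in triage(INVENTORY).items():
        print(f"{name:14} {st}")
```

On the constructed inventory only fw-edge-02 (11.1.2-h1, below the fixing hotfix) and fw-dc-01 (10.2.9 with no hotfix) come out vulnerable; fw-dc-02 on 10.2.10 is a later maintenance release and is treated as fixed. A device that is "not exposed" because it has no portal or gateway should still be patched on the normal cycle, since the classification depends on configuration that can change.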

If you are a Risk Ledger customer:

  • You can use the Emerging Threat report to monitor whether your suppliers' response to this threat includes any mitigation actions in progress.

Where to find more information

This is an evolving situation. You can keep up to date with the latest information on this threat by following PaloAlto’s advisory.
