OS Command Injection Vulnerability in GlobalProtect

Advisory ID:
April 25, 2024


Security researchers identified zero-day exploitation of a vulnerability in the GlobalProtect feature of Palo Alto Networks PAN-OS. The vulnerability allows a threat actor to remotely exploit the firewall device, create a reverse shell, and download further tools onto the device. The attacker focused on exporting configuration data from the devices and then leveraging it as an entry point to move laterally within the victim organizations. Accordingly, users of Palo Alto Networks products in Nigeria are advised to upgrade their products to the latest versions as recommended.

Description & Consequence

The vulnerability stems from a combination of two bugs in PAN-OS. In the first, the GlobalProtect service did not sufficiently validate the session ID format before storing it. This enabled the attacker to store an empty file with a filename of the attacker's choosing. The second bug (trusting that the files were system-generated) used the filenames as part of a command. While neither bug on its own causes significant system damage, the combination allows unauthenticated remote shell command execution.

A highly sophisticated threat actor discovered that by combining the two bugs, they could perform a two-stage attack to achieve command execution on the vulnerable device. In the first stage, the attacker sends a carefully crafted shell command instead of a valid session ID to GlobalProtect. This results in the creation of an empty file on the system whose filename, chosen by the attacker, embeds the command. A successful first stage does not necessarily mean that the attacker's command was executed. Rather, it simply means that the attacker created an empty file with an unusual name that does not damage the firewall by itself. In the second stage, a scheduled system job that runs regularly uses the attacker-provided filename in a command. This results in the execution of the attacker-supplied command with elevated privileges. This issue is applicable only to PAN-OS 10.2, PAN-OS 11.0, and PAN-OS 11.1 firewalls configured with a GlobalProtect gateway or GlobalProtect portal (or both).
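The two controls that break this chain are strict allowlist validation of the session ID before it ever becomes a filename, and a scheduled job that treats filenames as data rather than building a shell command from them. The following Python illustration is added here and is not PAN-OS code; the session ID format (32 lowercase hex characters), the directory layout and the function names are assumptions for the example.

```python
import re
import subprocess
from pathlib import Path

# Assumed session ID format for this illustration (not PAN-OS's real format):
# 32 lowercase hexadecimal characters. An allowlist is the key control: any
# value that does not match is rejected before it can become a filename.
SESSION_ID_RE = re.compile(r"[0-9a-f]{32}")


def validate_session_id(session_id: str) -> bool:
    """Return True only if the whole value matches the strict allowlist format."""
    return SESSION_ID_RE.fullmatch(session_id) is not None


def store_session(session_dir: Path, session_id: str) -> Path:
    """Hardened form of the first bug: refuse to create the session file unless
    the ID passed validation, so a caller cannot choose an arbitrary filename."""
    if not validate_session_id(session_id):
        raise ValueError("invalid session ID format")
    target = session_dir / session_id
    target.touch()
    return target


def find_suspicious_session_files(filenames):
    """Defender's check: names in the session directory that do not match the
    expected format, which is what an attacker-written file would look like."""
    return [name for name in filenames if not validate_session_id(name)]


def scheduled_cleanup(session_dir: Path) -> list:
    """Hardened form of the second bug: the scheduled job re-validates each
    name and passes the path as a discrete argv element (no shell string, no
    shell=True), so an odd filename can never be interpreted as a command."""
    handled = []
    for entry in session_dir.iterdir():
        if not validate_session_id(entry.name):
            continue  # unexpected name: skip it and leave it for investigation
        subprocess.run(["rm", "-f", "--", str(entry)], check=True)
        handled.append(entry.name)
    return handled


if __name__ == "__main__":
    # Constructed sample directory listing, as a scan of a session directory would see it.
    sample = ["0123456789abcdef0123456789abcdef", "abc;def", "../escape"]
    print("suspicious:", find_suspicious_session_files(sample))
```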

Successful exploitation of the vulnerability could result in:

  1. Unauthorised access to sensitive data.
  2. Security restriction bypass.
  3. Data manipulation and exfiltration.
  4. System compromise.
  5. Privilege escalation.
  6. Fraudulent activities.
  7. Reputational damage.


Palo Alto Networks has made the following recommendations to its customers:

  1. Immediately upgrade to a fixed version of PAN-OS to protect your devices even when workarounds and mitigations have been applied. This issue is fixed in PAN-OS 10.2.9-h1, PAN-OS 11.0.4-h1, PAN-OS 11.1.2-h3, and in all later PAN-OS versions. Customers who upgrade to these versions will be fully protected.
  2. Customers with a Threat Prevention subscription can block attacks for this vulnerability using Threat IDs 95187, 95189, and 95191 (available in Applications and Threats content version 8836-8695 and later).
  3. To apply the Threat IDs, customers must ensure that vulnerability protection has been applied to their GlobalProtect interface to prevent exploitation of this issue on their device. Please see https://live.paloaltonetworks.com/t5/globalprotect-articles/applying-vulnerability-protection-to-globalprotect-interfaces/ta-p/340184 for more information.
  4. In earlier versions of this advisory, disabling device telemetry was listed as a secondary mitigation action. Disabling device telemetry is no longer an effective mitigation. Device telemetry does not need to be enabled for PAN-OS firewalls to be exposed to attacks related to this vulnerability.
  5. To identify compromise on an impacted firewall device, monitor network traffic and activity emanating from Palo Alto Networks firewall devices. Look for signs of lateral movement originating internally from your Palo Alto Networks GlobalProtect firewall device that are not consistent with expected behaviour.
  6. As always, it should be noted that these mitigations and fixes will not remediate an existing compromise. Affected organizations should rapidly investigate their systems and networks for potential breaches and/or contact ngCERT for technical assistance.
