| Field | Value |
| --- | --- |
| Risk | high |
| Damage | high |
| Platform(s) | PAN-OS |
| Advisory ID | ngCERT-2024-0013 |
| Version | N/A |
| CVE | CVE-2024-3400 |
| Published | April 25, 2024 |
Security researchers identified zero-day exploitation of a vulnerability found within the GlobalProtect feature of Palo Alto Networks PAN-OS. The vulnerability allows the threat actor to remotely exploit the firewall device, create a reverse shell, and download further tools onto the device. The attacker focused on exporting configuration data from the devices, and then leveraging it as an entry point to move laterally within the victim organizations. Accordingly, users of Palo Alto products in Nigeria are advised to upgrade their products to the latest versions as recommended.
The vulnerability stems from a combination of two bugs in PAN-OS. In the first, the GlobalProtect service did not sufficiently validate the session ID format before storing it. This enabled the attacker to store an empty file with a filename of the attacker's choosing. The second bug was that later processing trusted these files as system-generated and used their filenames as part of a command. While neither bug on its own causes significant damage, the combination allows unauthenticated remote shell command execution.
A highly sophisticated threat actor discovered that by combining the two bugs they could perform a two-stage attack to achieve command execution on the vulnerable device. In the first stage, the attacker sends a carefully crafted shell command instead of a valid session ID to GlobalProtect. This creates an empty file on the system whose filename, chosen by the attacker, embeds the command. A successful first stage does not necessarily mean that the attacker's command was executed; it simply means that the attacker created an empty file with an unusual name, which by itself does not damage the firewall. In the second stage, a scheduled system job that runs regularly uses the attacker-provided filename in a command, which executes the attacker-supplied command with elevated privileges. This issue applies only to PAN-OS 10.2, PAN-OS 11.0, and PAN-OS 11.1 firewalls configured with a GlobalProtect gateway or GlobalProtect portal (or both).
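The two-bug chain above points at three defensive checks; the following is an added illustration of them, not code from the advisory or from Palo Alto Networks: a strict allowlist on the session ID before it can become a file name, a sweep of the session directory for names that no system process could have produced, and a scheduled job that passes the file name as an argv element instead of interpolating it into a shell string. The 32-hex-character session ID format, the `session_` prefix and the directory listing are assumptions constructed for the example, not PAN-OS's real format or data.

```python
import re
from typing import List

# ASSUMPTION: session IDs are 32 lowercase hex characters stored as
# "session_<id>". PAN-OS's real format is not given in the advisory.
SESSION_ID_RE = re.compile(r"\A[0-9a-f]{32}\Z")
FILE_PREFIX = "session_"

# Constructed directory listing for the demonstration; not real PAN-OS data.
SAMPLE_SESSION_FILES = [
    "session_0123456789abcdef0123456789abcdef",  # well-formed
    "session_" + "f" * 32,                       # well-formed
    "session_$(id)",                             # shell substitution in the name
    "session_../escape",                         # path traversal in the name
    "unexpected.txt",                            # not a session file at all
]


def is_valid_session_id(session_id: str) -> bool:
    """Allowlist check: only the exact expected format passes. The pattern
    is anchored at both ends, so trailing newlines and shell metacharacters
    are rejected rather than partially matched."""
    return bool(SESSION_ID_RE.match(session_id))


def session_file_name(session_id: str) -> str:
    """The check missing from the first bug: validate the session ID
    before it can become a file name on disk."""
    if not is_valid_session_id(session_id):
        raise ValueError("malformed session id rejected")
    return FILE_PREFIX + session_id


def find_suspicious_session_files(names: List[str]) -> List[str]:
    """Defender's sweep: stored names that a system-generated process
    could not have produced (the artefact the first stage leaves behind)."""
    suspicious = []
    for name in names:
        if not (name.startswith(FILE_PREFIX)
                and is_valid_session_id(name[len(FILE_PREFIX):])):
            suspicious.append(name)
    return suspicious


def build_cleanup_command(file_name: str) -> List[str]:
    """The scheduled job's side of the fix: re-validate (defence in depth)
    and build argv as a list so the name is never parsed by a shell.
    Execute it with subprocess.run(argv), never with shell=True."""
    if find_suspicious_session_files([file_name]):
        raise ValueError("refusing to act on unexpected file name")
    return ["rm", "--", file_name]  # "--" keeps a leading '-' from becoming an option
```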
Successful exploitation of the vulnerability could result in:
Palo Alto have made the following recommendations to their customers: