A critical zero-day vulnerability in Palo Alto Networks’ PAN-OS software. It is being used by attackers, but there are no patches to fix it yet. Palo Alto Networks issued an alert on April 12, 2024, thanking cybersecurity firm Volexity for discovering the flaw.
There is a command injection vulnerability in the GlobalProtect feature of Palo Alto Networks’ PAN-OS software for certain versions. The zero-day vulnerability is identified as CVE-2024-3400 and has been given the highest severity score of 10.0 (CVSS).
“Distinct feature configurations may enable an unauthenticated attacker to execute arbitrary code with root privileges on the firewall,” Palo Alto said in the advisory.
Limited Active Exploitation:
The versions concerned are the following:
PAN-OS < 11.1.2-h3
PAN-OS < 11.0.4-h1
PAN-OS < 10.2.9-h1
The company also said that the vulnerability can only be exploited with firewalls that have the configurations for both GlobalProtect gateway (Network > GlobalProtect > Gateways) and device telemetry (Device > Setup > Telemetry) enabled.
The firm has confirmed a limited number of attacks using this vulnerability.
Upcoming Fixes for CVE-2024-3400:
Although there are no fixes available, Palo Alto issued some mitigation recommendations:
Apply a vulnerability protection security profile to the GlobalProtect interface to prevent exploitation
Customers with a Threat Prevention subscription can block attacks for this vulnerability by enabling Threat ID 95187
The firm announced the flaw will be fixed on April 14 during a series of hotfixes for PAN-OS versions 11.1.2-h3, 11.0.4-h1, and 10.2.9-h1.
CVE 2024-3385, Another (Fixed) Flaw in PAN-OS:
This advisory comes two days after another vulnerability was discovered in PAN-OS. This flaw allows a remote attacker to reboot firewalls and can cause a denial of service (DoS) attack. This issue was fixed in PAN-OS 9.0.17-h4, PAN-OS 9.1.17, PAN-OS 10.1.12, PAN-OS 10.2.8, PAN-OS 11.0.3, and all later PAN-OS versions.