CVE-2024-3400: Follow Up: Patches Released for Actively Exploited Critical Vulnerability in GlobalProtect Feature of PAN-OS


On April 14, 2024, Palo Alto Networks (PAN) released hotfixes to address the maximum severity (CVSS: 10) vulnerability, CVE-2024-3400, affecting the GlobalProtect Feature of PAN-OS. An unauthenticated remote threat actor can exploit this vulnerability to execute arbitrary code with root privileges on the firewall. 

Volexity identified CVE-2024-3400 as a zero-day vulnerability and found that the threat actor UTA0218 was implanting a custom Python backdoor on firewall devices. The backdoor let the threat actor download additional tools to compromised devices and pivot deeper into victims' networks, where sensitive credentials and files were extracted.

Arctic Wolf assesses with high confidence that threat actors will target this vulnerability in the near term due to GlobalProtect’s extensive utilization in enabling remote access to corporate networks worldwide. 

Note: This vulnerability only impacts PAN-OS 10.2, PAN-OS 11.0, and PAN-OS 11.1 firewalls configured with GlobalProtect gateway or GlobalProtect portal (or both) and device telemetry enabled. Furthermore, Cloud NGFW, Panorama appliances, and Prisma Access are not impacted. 

Recommendation for CVE-2024-3400

Upgrade PAN-OS to Fixed PAN-OS Versions 

Arctic Wolf strongly recommends upgrading the affected versions to their respective fixed versions. 

| Product     | Affected Version             | Fixed Version |
|-------------|------------------------------|---------------|
| PAN-OS 11.1 | Versions prior to 11.1.2-h3  | 11.1.2-h3     |
| PAN-OS 11.0 | Versions prior to 11.0.4-h1  | 11.0.4-h1     |
| PAN-OS 10.2 | Versions prior to 10.2.9-h1  | 10.2.9-h1     |

Hotfixes for other commonly deployed maintenance releases not listed above will be released this week on a staggered schedule.

Workaround (Optional) 

Palo Alto Networks advises customers with a Threat Prevention subscription to block attacks against this vulnerability by enabling Threat ID 95187, which was introduced in Applications and Threats content version 8833-8682. Confirm as well that vulnerability protection is applied to the GlobalProtect interface, so that exploitation attempts against the device are actually inspected and blocked.

If the workaround cannot be applied, Palo Alto Networks recommends temporarily disabling device telemetry until the device is upgraded to a fixed PAN-OS version, then re-enabling it once the upgrade is complete. If the firewalls are managed through Panorama, disable device telemetry in the appropriate templates (found in Panorama > Templates).
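The affected-version table and the configuration note above (10.2 / 11.0 / 11.1 release trains, GlobalProtect gateway or portal configured, device telemetry enabled) translate directly into a triage check over a firewall inventory. The following is an added example, not code from Arctic Wolf or Palo Alto Networks; the version-string format (`major.minor.maint-hN`) and the sample devices are assumptions for illustration.

```python
import re
from typing import Optional, Tuple

# Fixed versions from the advisory table, keyed by release train (major, minor).
# Hotfixes for other maintenance releases were announced for later; extend this
# mapping as Palo Alto Networks publishes them.
FIXED_VERSIONS = {
    (10, 2): "10.2.9-h1",
    (11, 0): "11.0.4-h1",
    (11, 1): "11.1.2-h3",
}

_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:-h(\d+))?$")


def parse_version(version: str) -> Tuple[int, int, int, int]:
    """Turn '11.1.2-h3' into (11, 1, 2, 3); a release without a hotfix gets hotfix 0,
    so plain tuple comparison orders 11.1.2 < 11.1.2-h3 < 11.1.3."""
    m = _VERSION_RE.match(version.strip())
    if not m:
        raise ValueError(f"unrecognised PAN-OS version string: {version!r}")
    major, minor, maint, hotfix = m.groups()
    return int(major), int(minor), int(maint), int(hotfix or 0)


def assess(panos_version: str, gp_gateway: bool, gp_portal: bool,
           device_telemetry: bool) -> Tuple[str, Optional[str]]:
    """Classify one firewall for CVE-2024-3400 and return (status, fixed_version).

    'unaffected_release' : not a 10.2 / 11.0 / 11.1 release train
    'patched'            : at or above the fixed version for its train
    'vulnerable'         : below the fix, GlobalProtect gateway/portal and telemetry on
    'not_exposed'        : below the fix, but the impacting configuration is absent;
                           the advisory still calls for the upgrade
    """
    parsed = parse_version(panos_version)
    fixed = FIXED_VERSIONS.get(parsed[:2])
    if fixed is None:
        return "unaffected_release", None
    if parsed >= parse_version(fixed):
        return "patched", fixed
    if (gp_gateway or gp_portal) and device_telemetry:
        return "vulnerable", fixed
    return "not_exposed", fixed


if __name__ == "__main__":
    # Constructed sample inventory (version, gateway, portal, telemetry), not real devices.
    for dev in [("11.1.2", True, False, True), ("10.2.9-h1", True, True, True),
                ("11.0.3-h2", False, True, False), ("9.1.16", True, True, True)]:
        print(dev[0], "->", assess(*dev))
```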


Andres Ramos

Andres Ramos is a Threat Intelligence Researcher at Arctic Wolf with a strong background in tracking emerging threats and producing actionable intelligence for both technical and non-technical stakeholders. He has a diverse background encompassing various domains of cyber security, holds a degree in Cybersecurity Engineering, and is a CISSP.