
Cybersecurity Threat Advisory

Palo Alto Networks has disclosed a critical vulnerability, CVE-2024-3400, impacting its PAN-OS software’s GlobalProtect feature. This flaw enables unauthenticated attackers to execute arbitrary code with root privileges on affected firewalls. Review this Cybersecurity Threat Advisory to keep your organization secure and mitigate potential risks now.

What is the threat?

The threat is a command injection vulnerability in the GlobalProtect feature of Palo Alto Networks' PAN-OS software. It affects PAN-OS 10.2, 11.0 and 11.1 firewalls running builds earlier than 10.2.9-h1, 11.0.4-h1 and 11.1.2-h3 respectively, when a GlobalProtect gateway or GlobalProtect portal is configured; earlier PAN-OS releases, Cloud NGFW, Panorama appliances and Prisma Access are not affected. To exploit it, an attacker sends a specially crafted request to the GlobalProtect interface of an affected firewall; no authentication is required. Successful exploitation lets the attacker execute arbitrary code with root privileges on the firewall, which amounts to a complete compromise of the device.

Why is it noteworthy?

Palo Alto Networks' PAN-OS firewalls are deployed by organizations worldwide, often as the Internet-facing perimeter device that also terminates remote-access VPN sessions. Root access to such a device gives an attacker a foothold that sits in the path of all traffic, holds VPN and administrative credentials, and is rarely covered by endpoint security tooling, so a compromised firewall is a direct route into the internal network. The vulnerability is being actively exploited, which makes applying the forthcoming patches promptly a matter of urgency rather than routine maintenance. It also continues the recent trend of threat actors targeting networking and security appliances, adding to concerns about the security of critical infrastructure and the need for robust cybersecurity practices.

What is the exposure or risk?

This vulnerability exposes PAN-OS firewalls running the affected versions and configurations to a high risk of exploitation. If leveraged, attackers can execute arbitrary code with root privileges and compromise the firewall completely. From there they can access sensitive information passing through or stored on the device, disrupt network operations, and pivot to compromise the rest of the network. Organizations running PAN-OS versions prior to 11.1.2-h3, 11.0.4-h1 and 10.2.9-h1 with a GlobalProtect gateway or portal configured are at risk. Palo Alto Networks initially reported that device telemetry also had to be enabled for a firewall to be exposed, but later confirmed that telemetry is not required for exploitation, so every firewall with GlobalProtect configured on an affected build should be treated as exposed. Immediate patching and mitigation are critical to prevent exploitation and safeguard network integrity.

What are the recommendations?

Barracuda MSP recommends the following actions to limit the impact of an attack:

  • Install the fixes for PAN-OS 10.2, 11.0 and 11.1 (10.2.9-h1, 11.0.4-h1 and 11.1.2-h3) as soon as they are released, and verify the running build afterwards with "show system info" on the firewall CLI rather than assuming the upgrade completed.
  • Threat Prevention subscribers: enable Threat ID 95187 and confirm that the Vulnerability Protection profile containing it is applied to the security policy covering the GlobalProtect portal and gateway interfaces; a signature that is not applied to that traffic blocks nothing. Palo Alto Networks later added Threat IDs 95189 and 95191 for additional exploitation attempts, so keep content updates current.
  • Palo Alto Networks initially advised disabling device telemetry as a stopgap until the firewall could be upgraded, but later withdrew that guidance because telemetry does not need to be enabled for the firewall to be exploitable. Do not rely on it as a mitigation; if you cannot patch immediately, treat the Threat Prevention signatures as the interim control and prioritize the upgrade.
  • Limit the appliance's exposure: restrict management-interface access to trusted internal networks and never expose it to the Internet, and where business requirements allow, limit the source networks that can reach the GlobalProtect portal and gateway.
  • Monitor firewall and GlobalProtect logs, along with Active Directory audit logs behind the firewall, for signs of exploitation: unexpected requests to the GlobalProtect interface, unexplained changes on the firewall, and post-compromise credential theft such as DPAPI backup key reads or NTDS.dit exports.
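As an added example (not Palo Alto Networks' or Barracuda's code), the following Python script compares PAN-OS version strings from a device inventory against the three fixed builds named in this advisory, handling the "-hN" hotfix suffix correctly so that 10.2.9 sorts below 10.2.9-h1 and 10.2.9-h1 sorts below 10.2.10. The hostnames and version strings are constructed. The fixed-version table holds only the hotfixes named here; the vendor later published hotfixes for other maintenance releases in the same trains, so refresh the table from the current vendor advisory before trusting a VULNERABLE or FIXED verdict.

```python
"""Check PAN-OS version strings against the CVE-2024-3400 hotfix versions.

Added example, not vendor or Barracuda code. FIXED_BUILDS holds only the
three hotfixes named in this advisory; Palo Alto Networks later shipped
hotfixes for other maintenance releases too, so populate the table from the
current vendor advisory before relying on the result.
"""
import re
from typing import Dict, Optional, Tuple

# (major, minor, maintenance, hotfix) -- hotfix 0 means "no -hN suffix".
Version = Tuple[int, int, int, int]

# First fixed build per affected feature release, as listed in this advisory.
FIXED_BUILDS: Dict[Tuple[int, int], Version] = {
    (10, 2): (10, 2, 9, 1),   # 10.2.9-h1
    (11, 0): (11, 0, 4, 1),   # 11.0.4-h1
    (11, 1): (11, 1, 2, 3),   # 11.1.2-h3
}

_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:-h(\d+))?$")


def parse_panos_version(text: str) -> Version:
    """Parse '10.2.9-h1' -> (10, 2, 9, 1) and '10.2.9' -> (10, 2, 9, 0).

    Raises ValueError for anything that is not a PAN-OS version string, so a
    malformed inventory entry fails loudly instead of being treated as safe.
    """
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"not a PAN-OS version string: {text!r}")
    major, minor, maint, hotfix = m.groups()
    return int(major), int(minor), int(maint), int(hotfix or 0)


def is_vulnerable(version_text: str) -> Optional[bool]:
    """True if the build predates the fix for its release train.

    Returns None for trains the advisory does not list (for example 10.1,
    which is not affected), so callers can tell 'not in scope' apart from
    'checked and fixed'.
    """
    v = parse_panos_version(version_text)
    fixed = FIXED_BUILDS.get((v[0], v[1]))
    if fixed is None:
        return None
    # Tuple comparison orders builds correctly: a hotfix sorts above its base
    # build ((10,2,9,0) < (10,2,9,1)) and below the next maintenance release
    # ((10,2,9,1) < (10,2,10,0)).
    return v < fixed


def triage(inventory: Dict[str, str]) -> Dict[str, str]:
    """Map hostname -> 'VULNERABLE' | 'FIXED' | 'NOT_AFFECTED_TRAIN'.

    `inventory` maps hostname to the sw-version string reported by
    'show system info' on the firewall CLI.
    """
    labels = {True: "VULNERABLE", False: "FIXED", None: "NOT_AFFECTED_TRAIN"}
    return {host: labels[is_vulnerable(ver)] for host, ver in inventory.items()}


if __name__ == "__main__":
    # Constructed sample inventory, not real devices.
    sample = {
        "fw-edge-01": "10.2.9",
        "fw-edge-02": "10.2.9-h1",
        "fw-dc-01": "11.0.3",
        "fw-dc-02": "11.1.2-h3",
        "fw-lab-01": "10.1.11-h5",
    }
    for host, status in triage(sample).items():
        print(f"{host:12} {sample[host]:12} {status}")
```

Feed the script the sw-version field from each firewall's "show system info" output (or the equivalent Panorama inventory export); anything it reports as VULNERABLE should be upgraded first, and anything it rejects with ValueError should be inspected by hand rather than skipped.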

How can Barracuda XDR assist?

Barracuda XDR has conducted extensive threat hunting around this vulnerability and has built detection logic to identify command injection behaviors. Investigation of intrusions following exploitation showed that the threat actors' first objectives after compromise were retrieving the domain DPAPI backup key and obtaining the NTDS.dit file in order to harvest Active Directory credentials; a rule to detect this activity is also in place. Known indicators of compromise (IOCs) for this threat have been added to our threat intelligence database so that customers are alerted if any appear in their environment.
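The post-compromise activity described above leaves fairly distinctive traces in Windows audit data. As an added example, and not Barracuda XDR's own detection logic, the Python below runs two simple detections over a stream of JSON-lines events: a Security event 4662 recording a read of an LSA secret named G$BCKUPKEY_* (the domain DPAPI backup key), and process-creation events whose command lines match the usual ways NTDS.dit is exported or copied (ntdsutil "ifm", vssadmin shadow copies, copying from a HarddiskVolumeShadowCopy path, esentutl). The event shape, field names and sample lines are constructed for this demo; in a real environment 4662 only fires if object access auditing is enabled on the domain controllers, and process command lines come from Sysmon event 1 or Security 4688 with command-line auditing turned on.

```python
"""Toy detections for DPAPI backup key reads and NTDS.dit dumping.

Added example, not Barracuda XDR's rules. Input is JSON-lines Windows events
in a constructed, Sysmon/Security-log-like shape.
"""
import json
import re
from typing import Dict, Iterable, List, Tuple

Event = Dict[str, str]
Hit = Tuple[str, str, str]  # (rule name, host, evidence)


def _norm(cmd: str) -> str:
    """Lower-case, drop quotes and collapse whitespace so spacing or quoting
    tricks in the command line do not evade the patterns."""
    return re.sub(r"\s+", " ", cmd.replace('"', "").strip().lower())


def detect_dpapi_backup_key_read(ev: Event) -> bool:
    """Security 4662 on an LSA secret whose name carries the DPAPI backup key.

    The domain backup keys are stored as LSA secrets named G$BCKUPKEY_*;
    legitimate software reads them very rarely, so a ReadProperty (0x2)
    access on them deserves an alert.
    """
    return (
        ev.get("EventID") == "4662"
        and ev.get("ObjectType", "").lower() == "secretobject"
        and "bckupkey" in ev.get("ObjectName", "").lower()
        and ev.get("AccessMask", "").lower() == "0x2"
    )


# Command-line patterns seen when NTDS.dit is exported or copied.
_NTDS_PATTERNS = [
    ("ntdsutil_ifm", re.compile(
        r"ntdsutil.*(?:ifm|ac i ntds|activate instance ntds).*create full")),
    ("vssadmin_shadow", re.compile(r"vssadmin.* create shadow")),
    ("ntds_copy_from_vss", re.compile(r"harddiskvolumeshadowcopy\d+.*ntds\.dit")),
    ("esentutl_ntds", re.compile(r"esentutl.*/y.*ntds\.dit")),
]


def detect_ntds_dump(ev: Event) -> List[str]:
    """Return the names of every NTDS-theft pattern matching a process event."""
    if ev.get("EventID") not in ("1", "4688"):  # Sysmon 1 / Security 4688
        return []
    cmd = _norm(ev.get("CommandLine", ""))
    return [name for name, pat in _NTDS_PATTERNS if pat.search(cmd)]


def run_detections(lines: Iterable[str]) -> List[Hit]:
    """Apply both detections to each JSON-lines event and collect the hits."""
    hits: List[Hit] = []
    for line in lines:
        line = line.strip()
        if not line:
            continue
        ev = json.loads(line)
        host = ev.get("Computer", "?")
        if detect_dpapi_backup_key_read(ev):
            hits.append(("dpapi_backup_key_read", host, ev.get("SubjectUserName", "?")))
        for name in detect_ntds_dump(ev):
            hits.append((name, host, ev.get("CommandLine", "")))
    return hits


# Constructed sample events (not real telemetry). Raw string: "\\" is one
# backslash after JSON decoding, "\"" an embedded quote.
SAMPLE_LOG = r"""
{"EventID":"4662","Computer":"DC01","SubjectUserName":"svc_backup","ObjectType":"SecretObject","ObjectName":"Policy\\Secrets\\G$BCKUPKEY_PREFERRED","AccessMask":"0x2"}
{"EventID":"1","Computer":"DC01","CommandLine":"ntdsutil.exe  \"ac i ntds\" \"ifm\" \"create full C:\\Windows\\Temp\\x\" q q"}
{"EventID":"4688","Computer":"DC01","CommandLine":"vssadmin.exe create shadow /for=C:"}
{"EventID":"4688","Computer":"DC01","CommandLine":"cmd.exe /c copy \\\\?\\GLOBALROOT\\Device\\HarddiskVolumeShadowCopy3\\Windows\\NTDS\\ntds.dit C:\\Temp\\n.dit"}
{"EventID":"1","Computer":"WS07","CommandLine":"notepad.exe C:\\Users\\a\\notes.txt"}
"""

if __name__ == "__main__":
    for rule, host, evidence in run_detections(SAMPLE_LOG.splitlines()):
        print(f"{rule:22} {host:6} {evidence}")
```

The two detections are deliberately independent: a backup key read without any NTDS.dit activity still matters, because the key alone lets an attacker decrypt DPAPI-protected secrets of every domain user offline. Tune the process patterns against your own backup tooling before alerting on them, since legitimate AD backups also call ntdsutil and vssadmin.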

References

For more in-depth information about the recommendations, please visit the following links:

If you have any questions regarding this Cybersecurity Threat Advisory, please contact Barracuda XDR’s Security Operations Center.



Posted by Anika Jishan

Anika is a Cybersecurity Analyst at Barracuda MSP. She's a security expert, working on our Blue Team within our Security Operations Center. Anika supports our XDR service delivery and is highly skilled at analyzing security events to detect cyber threats, helping keep our partners and their customers protected.
