CVE-2024-3400 PAN-OS: OS Command Injection Vulnerability in GlobalProtect Gateway

NOTE, important update 17/4-24:

Temporarily disabling device telemetry has unfortunately proven insufficient.
 
Updated information (17/4 2024): This vulnerability in GlobalProtect, initially believed to be mitigated by disabling Device Telemetry in PAN-OS, was found to be insufficiently mitigated by that step; attackers can still exploit it with telemetry disabled.

The only way to mitigate the vulnerability currently is to upgrade to a non-vulnerable PAN-OS version (see the section "Solution for the Vulnerability" below).
 

Description of the vulnerability

A command injection vulnerability in the GlobalProtect feature of Palo Alto Networks PAN-OS software for specific PAN-OS versions and distinct feature configurations may enable an unauthenticated attacker to execute arbitrary code with root privileges on the firewall.

Fixes for PAN-OS 10.2, PAN-OS 11.0, and PAN-OS 11.1 are in development and are expected to be released by April 14, 2024. Cloud NGFW, Panorama appliances, and Prisma Access are not impacted by this vulnerability. All other versions of PAN-OS are also not impacted.

This is very serious, and we recommend upgrading PAN-OS to a patched version as soon as possible. See below.

Product status (2024-04-12)

 

Versions        Affected       Unaffected
Cloud NGFW      None           All
PAN-OS 11.1     < 11.1.2-h3    >= 11.1.2-h3 (ETA: By 4/14)
PAN-OS 11.0     < 11.0.4-h1    >= 11.0.4-h1 (ETA: By 4/14)
PAN-OS 10.2     < 10.2.9-h1    >= 10.2.9-h1 (ETA: By 4/14)
PAN-OS 10.1     None           All
PAN-OS 10.0     None           All
PAN-OS 9.1      None           All
PAN-OS 9.0      None           All
Prisma Access   None           All

 

Required Configuration for Exposed GlobalProtect Gateway

Temporarily disabling device telemetry has unfortunately proven insufficient.
 
New information (4/17): This issue only applies to PAN-OS 10.2, PAN-OS 11.0, and PAN-OS 11.1 firewalls configured with GlobalProtect Gateway or GlobalProtect Portal (or both enabled). Device telemetry does not need to be enabled for the PAN-OS firewalls to be vulnerable to attacks related to this vulnerability.
 

You can verify whether you have a GlobalProtect gateway configured by checking for entries in your firewall web interface (Network > GlobalProtect > Gateways). You can verify whether device telemetry is enabled in the firewall web interface under Device > Setup > Telemetry.

Severity: CRITICAL

CVSSv4.0 Base Score: 10 (CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/AU:Y/R:U/V:C/RE:M/U:Red)

Exploitation Status:

Palo Alto Networks is aware of a limited number of attacks that leverage the exploitation of this vulnerability.

Weakness Type:

CWE-77 Improper Neutralization of Special Elements used in a Command (‘Command Injection’)

Solution for the Vulnerability

This issue is addressed in hotfix versions of PAN-OS 10.2.9-h1, PAN-OS 11.0.4-h1, and PAN-OS 11.1.2-h3, and in all subsequent PAN-OS versions. The planned date for these hotfix releases is April 14, 2024. Hotfixes for other regular maintenance releases will also be made available to address this issue. See the details below for the estimated arrival time of the upcoming hotfixes.

PAN-OS 10.2:

  • 10.2.9-h1 (Released: 4/14/24) Available for patching
  • 10.2.8-h3 (Released: 4/16/24) Available for patching
  • 10.2.7-h8 (Released: 4/16/24) Available for patching
  • 10.2.6-h3 (Released: 4/17/24) Available for patching
  • 10.2.5-h6 (Released: 4/17/24) Available for patching
  • 10.2.3-h13 (ETA: 4/17/24)
  • 10.2.1-h2 (ETA: 4/17/24)
  • 10.2.2-h5 (ETA: 4/18/24)
  • 10.2.0-h3 (ETA: 4/18/24)
  • 10.2.4-h16 (ETA: 4/19/24)

PAN-OS 11.0:

  • 11.0.4-h1 (Released: 4/14/24) Available for patching
  • 11.0.3-h10 (Released: 4/17/24) Available for patching
  • 11.0.2-h4 (Released: 4/17/24) Available for patching
  • 11.0.1-h4 (ETA: 4/17/24)
  • 11.0.0-h3 (ETA: 4/18/24)

PAN-OS 11.1:

  • 11.1.2-h3 (Released: 4/14/24) Available for patching
  • 11.1.1-h1 (Released: 4/17/24) Available for patching
  • 11.1.0-h3 (Released: 4/17/24) Available for patching
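The hotfix lists above are per maintenance release, so a plain "less than 10.2.9-h1" comparison from the product-status table is not enough: 10.2.8-h3 is fixed even though it sorts below 10.2.9-h1. The following is an added example (not Palo Alto's or this site's own tooling) that encodes the fixed hotfix for each maintenance release exactly as listed on this page and decides whether a given PAN-OS version string still needs patching. Version strings are assumed to have the form major.minor.maintenance[-hN], with a missing -h suffix treated as hotfix 0; a maintenance release newer than any listed one is treated as fixed, per "all subsequent PAN-OS versions".

```python
import re

# Fixed hotfix per maintenance release, copied from the PAN-OS 10.2 / 11.0 / 11.1
# lists on this page: (major, minor, maintenance) -> first fixed hotfix number.
FIXED_HOTFIX = {
    (10, 2, 9): 1, (10, 2, 8): 3, (10, 2, 7): 8, (10, 2, 6): 3, (10, 2, 5): 6,
    (10, 2, 4): 16, (10, 2, 3): 13, (10, 2, 2): 5, (10, 2, 1): 2, (10, 2, 0): 3,
    (11, 0, 4): 1, (11, 0, 3): 10, (11, 0, 2): 4, (11, 0, 1): 4, (11, 0, 0): 3,
    (11, 1, 2): 3, (11, 1, 1): 1, (11, 1, 0): 3,
}

# Only these release trains are affected; 9.x, 10.0 and 10.1 are not.
AFFECTED_TRAINS = {(10, 2), (11, 0), (11, 1)}

# Assumed version syntax: "10.2.8-h3" or "10.2.8" (no hotfix suffix means hotfix 0).
VERSION_RE = re.compile(r"\A(\d+)\.(\d+)\.(\d+)(?:-h(\d+))?\Z")


def parse_version(version: str):
    """Return (major, minor, maintenance, hotfix) for a PAN-OS version string."""
    m = VERSION_RE.match(version.strip())
    if not m:
        raise ValueError(f"unrecognised PAN-OS version string: {version!r}")
    major, minor, maint, hotfix = m.groups()
    return int(major), int(minor), int(maint), int(hotfix or 0)


def is_vulnerable(version: str) -> bool:
    """True if this version is below the fixed hotfix for its maintenance release."""
    major, minor, maint, hotfix = parse_version(version)
    if (major, minor) not in AFFECTED_TRAINS:
        return False
    listed = [m for (a, b, m) in FIXED_HOTFIX if (a, b) == (major, minor)]
    if maint > max(listed):
        # Newer maintenance release than any on the list: fixed in "all subsequent versions".
        return False
    fixed = FIXED_HOTFIX.get((major, minor, maint))
    if fixed is None:
        # Not on the list and not newer: treat as vulnerable until confirmed.
        return True
    return hotfix < fixed


if __name__ == "__main__":
    for v in ["10.2.8-h2", "10.2.8-h3", "10.2.8", "10.1.9", "11.1.2-h3", "10.2.10"]:
        print(f"{v:12} vulnerable={is_vulnerable(v)}")
```

The conservative branch (unlisted but not newer maintenance release) matters in practice: a version that does not appear in the vendor's hotfix list should be escalated rather than silently assumed safe.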

Workarounds and Mitigations:

Recommended solution:

New information (17/4): Customers with GlobalProtect enabled on their Palo Alto firewalls should upgrade to a non-vulnerable version as soon as possible. This is because the previous mitigation measure of disabling Telemetry data has proven not to mitigate the vulnerability in GlobalProtect.

Customers with a subscription to Threat Prevention can block attacks for this vulnerability by enabling Threat ID 95187 (introduced in Applications and Threats content version 8833-8682).

This means that if you have automatic installation of dynamic updates, check that version 8833-8682 or later is installed, and that the Vulnerability Protection profile is enabled on the security rule for incoming GlobalProtect traffic.

If you only want to enable Threat ID 95187, you must ensure that the Vulnerability Protection profile with Threat ID 95187 has been applied to your GlobalProtect interface to prevent exploitation of this vulnerability.

Updates about this vulnerability can be found here

Have you been attacked?

Question:

Are there any checks I can run on my device to look for indicators of exploitation activity?

Answer:

The following command can be used from the PAN-OS CLI to identify indicators of exploit activity on the device:

grep pattern "failed to unmarshal session(.\+.\/)" mp-log gpsvc.log*

Benign “failed to unmarshal session” error logs usually look like the following entry:

"message":"failed to unmarshal session(01234567-89ab-cdef-1234-567890abcdef)"

If the value between “session(” and “)” does not look like a GUID (the format shown above), but instead contains a file system path, this indicates the need for further investigation and the log entry may be related to a successful or unsuccessful exploitation of CVE-2024-3400.
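The grep above only surfaces entries whose session value contains a slash. The following added example (not part of the advisory and not Palo Alto's tooling) applies the same triage rule to exported gpsvc.log content offline and goes one step further: every "failed to unmarshal session(...)" entry is classified, GUID-shaped values are reported as benign, values containing a file system path are flagged as suspicious, and anything else is marked for review. The JSON-style log lines are constructed for the example; real entries may carry additional fields, but only the message text is matched.

```python
import re

# Constructed sample of gpsvc.log-style entries (not real device logs).
SAMPLE_LOG = """\
{"level":"error","message":"failed to unmarshal session(01234567-89ab-cdef-1234-567890abcdef)"}
{"level":"info","message":"session refreshed"}
{"level":"error","message":"failed to unmarshal session(/tmp/constructed_example_path)"}
{"level":"error","message":"failed to unmarshal session(not-a-guid-and-not-a-path)"}
{"level":"error","message":"failed to unmarshal session(fedcba98-7654-3210-fedc-ba9876543210)"}
"""

# Benign form shown in the advisory: a GUID of 8-4-4-4-12 hex digits.
GUID_RE = re.compile(
    r"\A[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}\Z", re.IGNORECASE
)

# Captures everything between "session(" and the last ")" on the line, so a
# value that itself contains parentheses is still taken whole.
SESSION_RE = re.compile(r"failed to unmarshal session\((?P<value>.*)\)")


def classify(value: str) -> str:
    """Apply the advisory's rule to the value found between 'session(' and ')'."""
    if GUID_RE.match(value):
        return "benign"
    if "/" in value:
        # A file system path where a GUID is expected is the indicator to investigate.
        return "suspicious"
    return "review"


def scan_log(text: str):
    """Return (line_number, verdict, value) for every unmarshal-session entry."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        m = SESSION_RE.search(line)
        if not m:
            continue
        value = m.group("value")
        findings.append((lineno, classify(value), value))
    return findings


def suspicious_entries(text: str):
    """Only the entries that warrant further investigation."""
    return [f for f in scan_log(text) if f[1] != "benign"]


if __name__ == "__main__":
    for lineno, verdict, value in scan_log(SAMPLE_LOG):
        print(f"line {lineno}: {verdict:10} {value}")
```

Run it against a copy of the rotated gpsvc.log* files concatenated into one text; every non-benign line is a candidate for the investigation the advisory describes, and the "review" bucket catches malformed values that the slash-based grep would miss.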

Please contact us if you need help or have any questions.
