How to Fix CVE-2024-3400 - A Critical Security Command Injection Vulnerability in PAN-OS?

Palo Alto Networks, a leading network security company, recently released an advisory about a critical severity command injection vulnerability in its operating system, PAN-OS. The flaw, assigned the CVE ID CVE-2024-3400, has a maximum severity score of 10.0 on the CVSS scale.

The vulnerability stems from the GlobalProtect feature of Palo Alto Networks firewalls. It affects specific PAN-OS versions that have GlobalProtect gateway, GlobalProtect portal, or both configured. According to a report shared by Shadowserver, there were more than 22,000 vulnerable instances of Palo Alto firewalls with GlobalProtect exposed on the internet. This shows the amount of work required to fix the vulnerability. Successful exploitation of this vulnerability would allow an attacker to execute arbitrary commands with root privileges on the affected firewall. Considering its severity, it is highly recommended to fix the command injection vulnerability in PAN-OS at the earliest. In this blog post, we will explore how to fix CVE-2024-3400.

A Short Introduction about PAN-OS

PAN-OS is the proprietary operating system developed by Palo Alto Networks, specifically designed to power its range of security appliances. As a core component of the company's next-generation firewalls, PAN-OS is integral in providing advanced security features such as threat prevention, URL filtering, and application visibility and control. It uses a single-pass architecture and application-specific integrated circuits to deliver high performance.

What is CVE-2024-3400?

CVE-2024-3400 is a critical command injection vulnerability in the GlobalProtect feature of PAN-OS. The vulnerability details are as follows:

The vulnerability stems from a combination of two bugs in PAN-OS. The first bug allows an attacker to store an empty file with an attacker-chosen filename by not properly validating the session ID format. The second bug uses the attacker-provided filename as part of a command, leading to command injection. While neither bug is critical on its own, the combination of the two allows for unauthenticated remote shell command execution.

Technical Details of CVE-2024-3400

The exploitation of CVE-2024-3400 involves a sophisticated two-stage attack that combines two vulnerabilities to achieve command execution on the targeted device, as detailed in the Palo Alto Networks blog post.

In the first stage, the attacker sends a malicious request containing a specially crafted shell command to the GlobalProtect service instead of a valid session ID. Due to insufficient validation of the session ID format, the GlobalProtect service stores this request as an empty file on the system, using the attacker-supplied command as the filename.

The second stage exploits a vulnerability in a regularly scheduled system job, which uses the attacker-provided filename from stage one as part of a command. As a result, the attacker's command is executed with elevated privileges, potentially granting control over the device.

Successful execution of stage one does not guarantee the attacker's command has been executed; it merely creates a malicious filename on the system. For a complete compromise, the attacker's command must be designed to cause significant damage, such as exfiltrating sensitive data or downloading malware.

Products Affected by CVE-2024-20321

There are certain versions of Palo Alto firewalls configured with GlobalProtect gateway, GlobalProtect portal, or both is affected by he CVE-2024-3400 command injection vulnerability:

It is crucial to apply the necessary patches and updates to affected PAN-OS versions and follow the recommended best practices for securing Palo Alto Networks firewalls.

It's also worth nothing that the these products and versions are not impacted by CVE-2024-3400:

To check if your Palo Alto Networks firewall is affected by this vulnerability, verify the PAN-OS version and confirm if GlobalProtect gateway or portal (or both) are configured. You can check for the presence of GlobalProtect configurations by navigating to Network > GlobalProtect > Gateways or Network > GlobalProtect > Portals in the firewall's web interface.

How to Check if an Exploitation Attempt was Made on Your Palo Alto Firewall?

If your Firewall in connected to the internet, we suggest to check if your firewall has be attempted to exploit. You can do that by running the following command from the PAN-OS CLI:

grep pattern "failed to unmarshal session(.\+.\/" mp-log gpsvc.log*

For example, the following output suggests an attempted exploit:

failed to unmarshal session(../../some/path)

In contrast, the following output indicates normal behavior:

failed to unmarshal session(01234567-89ab-cdef-1234-567890abcdef)

How to Fix CVE-2024-3400?

To fix CVE-2024-3400 and protect your Palo Alto firewall from the command injection vulnerability, the most effective solution is to upgrade to a patched version of PAN-OS, such as 10.2.9-h1, 11.0.4-h1, 11.1.2-h3, or any later version, as mentioned in the Palo Alto Networks security advisory.

If an immediate upgrade is not feasible, consider applying the following mitigations.

Ensure to test the effectiveness of the applied fixes and mitigations to verify that your firewall is no longer vulnerable to CVE-2024-3400. Please visit the advisory for constant updates on this flaw.

We hope this post helps you know how to fix CVE-2024-3400 - a critical security command injection vulnerability in PAN-OS. Thanks for reading this post. Please share this post and help secure the digital world.Visit our website thesecmaster.com, and our social media page on Facebook, LinkedIn, Twitter, Telegram, Tumblr, Medium, and Instagram and subscribe to receive updates like this.