Palo Alto Networks Releases Updated Remediation Guidance for CVE-2024-3400

Recently, Palo Alto Networks disclosed a critical severity command injection vulnerability, CVE-2024-3400, affecting its PAN-OS operating system. This vulnerability, which has a maximum severity score of 10.0 on the CVSS scale, stems from the GlobalProtect feature of Palo Alto Networks firewalls.

In response to this critical vulnerability, Palo Alto Networks has released updated remediation guidance to help customers secure their affected devices. The updated guidance provides a more comprehensive approach to addressing the vulnerability based on the level of exploitation attempts detected on the affected firewalls.

Updated Remediation Guidance for CVE-2024-3400

Palo Alto Networks has categorized the remediation guidance into four levels based on the severity of the exploitation attempts:

Level 0 Probe: Unsuccessful Exploitation Attempt

If an unsuccessful exploitation attempt is detected, Palo Alto Networks recommends updating the affected firewall to the latest PAN-OS hotfix. As a best practice to secure running configurations, customers should create a master key and elect AES-256-GCM encryption.

Level 1 Test: Vulnerability Being Tested on the Device

In cases where the vulnerability is being tested on the device, and a 0-byte file has been created and is resident on the firewall without any indication of unauthorized command execution, the recommended remediation is to update to the latest PAN-OS hotfix. Customers should also create a master key and elect AES-256-GCM encryption to secure running configurations.

Level 2 Potential Exfiltration: File Copied to a Location Accessible via Web Request

If a file on the device has been copied to a location accessible via a web request, typically the running_config.xml file, Palo Alto Networks suggests updating to the latest PAN-OS hotfix and performing a Private Data Reset. This remediation eliminates the possibility of capturing forensic artifacts and mitigates the risk of potential misuse of device data.

Level 3 Interactive Access: Interactive Command Execution

In the case of interactive command execution, which may include shell-based backdoors, introduction of code, pulling files, or running commands, the recommended remediation is to update to the latest PAN-OS hotfix and perform a Factory Reset. This action is necessary due to evidence of more invasive threat actor activity.

To learn more about updated remediation guidance for CVE-2024-340, please visit the Palo Alto Networks Security Advisory.

Please share this post and help secure the digital world.Visit our website thesecmaster.com, and our social media page on Facebook, LinkedIn, Twitter, Telegram, Tumblr, Medium, and Instagram and subscribe to receive updates like this.

You may also like these articles: