PAN-OS OS Command Injection Vulnerability Exploited in the Wild (CVE-2024-3400) (Operation MidnightEclipse)

Attackers are exploiting a command injection vulnerability in Palo Alto Networks PAN-OS software. Tracked as CVE-2024-3400, the vulnerability has been given a critical severity rating and a CVSS score of 10. Successful exploitation of the vulnerability may allow an attacker to execute arbitrary code with root privileges on the firewall. The vulnerability exists in the GlobalProtect feature of Palo Alto Networks PAN-OS software for specific PAN-OS versions and distinct feature configurations.

This vulnerability does not impact cloud NGFW, Panorama appliances, and Prisma Access. All other versions of PAN-OS are also not affected.

The advisory states, “Palo Alto Networks is aware of a limited number of attacks that leverage the exploitation of this vulnerability.”

Acknowledging the active exploitation of CVE-2024-3400, CISA added it to its Known Exploited Vulnerabilities Catalog and requested users patch it before April 19, 2024.

PAN-OS is the operating system for Palo Alto Networks next-generation firewalls (NGFWs) and Panorama. It includes technologies like App-ID, Content-ID, Device-ID, and User-ID, which can collect data about firewall health and configuration and metrics related to threat prevention. PAN-OS also automatically reprograms firewalls with the latest intelligence, ensuring all traffic is free of known and unknown threats.

Indicators of Compromise

The following command can be used from the PAN-OS CLI to help identify if there was an attempted exploit activity on the device:

grep pattern "failed to unmarshal session(.\+.\/" mp-log gpsvc.log*

If the value between “session(” and “)” does not look like a GUID but instead contains a file system path or embedded shell commands, this could be related to an attempted exploitation of CVE-2024-3400, which will warrant further investigation to correlate with other indicators of compromise.

Grep output indicating an attempted exploit may look like the following entry:

failed to unmarshal session(../../some/path)

Grep output indicating normal behavior will typically appear like the following entry:

failed to unmarshal session(01234567-89ab-cdef-1234-567890abcdef)

Affected Versions

The vulnerability affects PAN-OS 10.2, PAN-OS 11.0, and PAN-OS 11.1 firewalls with the configurations for both GlobalProtect gateway and device telemetry enabled.

Mitigation

Palo Alto has mentioned in the advisory that the vulnerability will be patched in hotfix releases of PAN-OS 10.2.9-h1, PAN-OS 11.0.4-h1, PAN-OS 11.1.2-h3, and in all later PAN-OS versions.

Hotfixes for other commonly deployed maintenance releases will also be made available to address this issue. Below is the list of ETAs regarding the upcoming hotfixes.

PAN-OS 10.2:

  • 10.2.9-h1 (Released 4/14/24)
  • 10.2.8-h3 (ETA: 4/15/24)
  • 10.2.7-h8 (ETA: 4/15/24)
  • 10.2.6-h3 (ETA: 4/15/24)
  • 10.2.5-h6 (ETA: 4/16/24)
  • 10.2.3-h13 (ETA: 4/17/24)
  • 10.2.1-h2 (ETA: 4/17/24)
  • 10.2.2-h5 (ETA: 4/18/24)
  • 10.2.0-h3 (ETA: 4/18/24)
  • 10.2.4-h16 (ETA: 4/19/24)

PAN-OS 11.0:

  • 11.0.4-h1 (Released 4/14/24)
  • 11.0.3-h10 (ETA: 4/15/24)
  • 11.0.2-h4 (ETA: 4/16/24)
  • 11.0.1-h4 (ETA: 4/17/24)
  • 11.0.0-h3 (ETA: 4/18/24)

PAN-OS 11.1:

  • 11.1.2-h3 (Released 4/14/24)
  • 11.1.1-h1 (ETA: 4/16/24)
  • 11.1.0-h3 (ETA: 4/17/24)

For more information, please refer to  Palo Alto Networks Security Advisory.

Workaround

Palo Alto suggests that Threat Prevention subscribers enable Threat ID 95187 (introduced in Applications and Threats content version 8833-8682) to block attacks on this vulnerability.

Customers must also ensure vulnerability protection has been applied to their GlobalProtect interface to prevent exploitation of the vulnerability on their devices.

EVALUATE Vendor-Suggested Mitigation with Policy Compliance (PC)

With Qualys Policy Compliance’s Out-of-the-Box Mitigation or Compensatory Controls, the risk of a vulnerability being exploited is reduced when the remediation (fix/patch) cannot be implemented immediately.

Qualys Policy Compliance team releases these exclusive controls based on Vendor-suggested Mitigation/Workaround.

Mitigation refers to a setting, common configuration, or general best-practice existing in a default state that could reduce the severity of the exploitation of a vulnerability.

A workaround is a method, sometimes used temporarily, for achieving a task or goal when the usual or planned method isn’t working. Information technology often uses a workaround to overcome hardware, programming, or communication problems. Once a problem is fixed, a workaround is usually abandoned.

The following Qualys Policy Compliance Control IDs (CIDs), and System Defined Controls (SDC)  have been published to support vendor-introduced workaround checks:

Policy Compliance Control IDs (CIDs):

  • 22230 Status of the ‘Telemetry’ settings configured on the device

Qualys Detection

Qualys customers can scan their devices with QIDs 731378, 731460, and 731456 to detect vulnerable assets.

Please continue to follow Qualys Threat Protection for more coverage of the latest vulnerabilities.

References
https://unit42.paloaltonetworks.com/cve-2024-3400/
https://security.paloaltonetworks.com/CVE-2024-3400

Leave a Reply

Your email address will not be published. Required fields are marked *