CVE-2024-3400: A Critical Command Injection Vulnerability in PAN-OS


CVE-2024-3400 is a critical command injection vulnerability identified in the GlobalProtect feature of Palo Alto Networks' PAN-OS software. This vulnerability allows unauthenticated attackers to execute arbitrary code with root privileges on affected firewalls, posing significant security risks to organizations relying on this technology. The vulnerability has been assigned a CVSS score of 10.0, indicating its critical severity.

Vulnerability Description

The vulnerability arises from arbitrary file creation due to improper handling of user input in the GlobalProtect feature. Specifically, it allows attackers to inject commands via malformed session identifiers (SESSID) in HTTP POST requests. This exploitation can lead to unauthorized access to, and manipulation of, the firewall's operating system.

Affected Versions:
  • PAN-OS versions 10.2, 11.0, and 11.1 are specifically noted as vulnerable.
  • Cloud NGFW, Panorama appliances, and Prisma Access are not affected by this vulnerability.

Exploit Mechanism

Attackers can exploit CVE-2024-3400 by sending specially crafted HTTP requests to the vulnerable GlobalProtect interface. The following example illustrates how an attacker might carry out an exploit:

```text
POST /ssl-vpn/hipreport.esp HTTP/1.1
Host: 127.0.0.1
Cookie: SESSID=/../../../var/appweb/sslvpndocs/global-protect/portal/images/poc.txt;
Connection: close
Content-Type: application/x-www-form-urlencoded
Content-Length: 0
```

In this request, the attacker uses path traversal in the SESSID cookie value to create a file (poc.txt) in a location where it can be executed with root privileges.
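As an added illustration of the input-handling failure described above (this is example code written for this page, not code from Palo Alto Networks or from PAN-OS), the Python below contrasts a session-file path built by naive concatenation with a hardened version that allow-lists the identifier and then confirms the result still sits inside the intended directory. SESSION_DIR, the token format in SESSID_PATTERN and the helper names are assumptions for the example; the page does not document PAN-OS's internal layout.

```python
import posixpath
import re

# Assumed directory where a session handler writes per-session files. This
# path and the token format below are assumptions for the example; the page
# does not document PAN-OS's internal layout.
SESSION_DIR = "/var/appweb/sessions"

# Allow-list for a session identifier: alphanumeric only, bounded length.
SESSID_PATTERN = re.compile(r"^[A-Za-z0-9]{16,64}$")


def parse_cookies(cookie_header):
    """Split a Cookie header into a name -> value dict (first occurrence wins)."""
    cookies = {}
    for part in cookie_header.split(";"):
        name, sep, value = part.strip().partition("=")
        if sep and name and name not in cookies:
            cookies[name] = value
    return cookies


def session_path_vulnerable(sessid):
    """The failure mode: the untrusted SESSID is joined onto a directory with no
    validation. A value starting with '/' or containing '../' lands outside
    SESSION_DIR once the path is normalised."""
    return posixpath.normpath(posixpath.join(SESSION_DIR, sessid))


def inside_session_dir(path):
    """True when `path` is strictly below SESSION_DIR."""
    return path.startswith(SESSION_DIR + "/") and path != SESSION_DIR


def session_path_hardened(sessid):
    """Reject anything that is not a well-formed token, then confirm the
    resulting path still sits inside SESSION_DIR (defence in depth)."""
    if not SESSID_PATTERN.fullmatch(sessid):
        raise ValueError("malformed session identifier")
    candidate = posixpath.normpath(posixpath.join(SESSION_DIR, sessid))
    if not inside_session_dir(candidate):
        raise ValueError("session path escapes session directory")
    return candidate


def escapes_session_dir(sessid):
    """Report whether the vulnerable construction would write outside SESSION_DIR."""
    return not inside_session_dir(session_path_vulnerable(sessid))


if __name__ == "__main__":
    # The Cookie header from the request shown above, embedded here as a string.
    cookie = "SESSID=/../../../var/appweb/sslvpndocs/global-protect/portal/images/poc.txt;"
    sessid = parse_cookies(cookie)["SESSID"]
    print("vulnerable path:", session_path_vulnerable(sessid))
    print("escapes session dir:", escapes_session_dir(sessid))
    try:
        session_path_hardened(sessid)
    except ValueError as err:
        print("hardened handler rejected it:", err)
```

The two checks in session_path_hardened are deliberately redundant: the allow-list alone already blocks the traversal value, and the containment check catches any future change to the token format that reintroduces path characters.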

Potential Impact

Once an attacker successfully exploits this vulnerability, they can:
  • Execute arbitrary commands on the firewall.
  • Collect sensitive configuration data.
  • Deploy malware payloads.
  • Move laterally within the network.

Real-World Scenarios

  1. Targeted Attacks on Enterprises: In April 2024, reports indicated that threat actors were actively exploiting CVE-2024-3400 against various organizations, leading to unauthorized access and potential data breaches. Organizations using vulnerable PAN-OS versions were particularly at risk.
  2. Security Breach Example: A financial institution discovered unauthorized access after noticing unusual activity on their firewall logs. Upon investigation, it was revealed that attackers had exploited CVE-2024-3400 to gain root access and exfiltrate sensitive customer data.

Exploit Overview

  1. Widespread Exploitation: Deepwatch reported seeing widespread exploitation attempts of CVE-2024-3400, indicating significant interest from threat actors due to its critical severity score of 10.0. The vulnerability affects specific versions of PAN-OS with GlobalProtect enabled.
  2. Zero-Day Activity: Volexity identified zero-day exploitation starting on March 26, 2024, where attackers tested the vulnerability by placing zero-byte files on firewall devices to confirm exploitability. By April 10, successful exploitation was confirmed, leading to the establishment of reverse shells and the downloading of additional tools onto compromised devices.
  3. Backdoor Deployment: Attackers have attempted to deploy a custom Python backdoor named UPSTYLE on compromised firewalls. This backdoor allows for further command execution through specially crafted network requests. The backdoor utilizes a unique mechanism for command execution by interacting with error logs and publicly accessible stylesheets.
  4. Lateral Movement: Once access is gained, attackers have been observed exfiltrating device configuration data and moving laterally within victim networks, potentially compromising additional systems and sensitive information.

Mitigation Recommendations

Given the active exploitation of CVE-2024-3400, organizations using affected PAN-OS versions should take immediate action:
  • Patch Immediately: Palo Alto Networks released hotfixes for vulnerable versions (11.1.2-h3, 11.0.4-h1, and 10.2.9-h1) on April 14, 2024. Organizations are strongly urged to apply these updates without delay.
  • Monitor Traffic: Implement monitoring for unusual network traffic patterns that may indicate exploitation attempts or unauthorized access.
  • Threat Prevention Measures: For organizations unable to update immediately, Palo Alto's Threat Prevention subscription can block attacks related to this vulnerability using specific Threat IDs (95187, 95189, and 95191).
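As an added defender-side example (not code from this post, from Palo Alto Networks, or from Deepwatch or Volexity), the Python below turns two indicators given earlier in the writeup into checks: SESSID cookie values carrying path traversal or otherwise malformed in requests to the GlobalProtect endpoint (the "Monitor Traffic" recommendation), and zero-byte files left under the web-reachable GlobalProtect path (the probe files described under "Zero-Day Activity"). The log format, the sample lines and the file listing are constructed for this example; PAN-OS's own logs do not necessarily record the Cookie header, so the parser is an assumption that would need adapting to whatever request logging is actually available.

```python
import re
from dataclasses import dataclass

# Constructed request-log sample: timestamp, source IP, method, path and the
# Cookie header. The format is an assumption for this example, not a PAN-OS log.
SAMPLE_LOG = """\
2024-04-12T09:14:03Z 203.0.113.7 POST /ssl-vpn/hipreport.esp cookie="SESSID=/../../../var/appweb/sslvpndocs/global-protect/portal/images/poc.txt;"
2024-04-12T09:14:05Z 203.0.113.7 GET /global-protect/portal/images/poc.txt cookie=""
2024-04-12T09:15:10Z 198.51.100.4 POST /ssl-vpn/hipreport.esp cookie="SESSID=b7c2d4e6f8a0c1d3e5f7a9b1c3d5e7f9"
2024-04-12T09:16:22Z 198.51.100.9 GET /global-protect/login.esp cookie="PAN_LANG=en"
"""

# Constructed directory listing as (path, size_in_bytes) pairs. The first entry
# reuses the web-reachable path named in the request earlier on the page.
SAMPLE_FILES = [
    ("/var/appweb/sslvpndocs/global-protect/portal/images/poc.txt", 0),
    ("/var/appweb/sslvpndocs/global-protect/portal/images/logo.png", 4821),
    ("/var/log/pan/empty.log", 0),
]

LOG_RE = re.compile(
    r'^(?P<ts>\S+) (?P<src>\S+) (?P<method>[A-Z]+) (?P<path>\S+) cookie="(?P<cookie>[^"]*)"$'
)
# A '..' path component anywhere in the value, or a value that starts with '/'.
TRAVERSAL_RE = re.compile(r"(^/)|(^|/)\.\.(/|$)")
# Expected shape of a legitimate session token (assumed: alphanumeric, 16-64 chars).
SESSID_OK = re.compile(r"^[A-Za-z0-9]{16,64}$")


@dataclass
class Finding:
    ts: str
    src: str
    path: str
    reason: str
    value: str


def extract_sessid(cookie_header):
    """Return the SESSID cookie value, or None when the header has none."""
    for part in cookie_header.split(";"):
        name, sep, value = part.strip().partition("=")
        if sep and name == "SESSID":
            return value
    return None


def scan_log_lines(lines):
    """Flag requests whose SESSID cookie carries traversal or is malformed."""
    findings = []
    for line in lines:
        m = LOG_RE.match(line.strip())
        if not m:
            continue  # unparseable line: skip rather than abort the scan
        sessid = extract_sessid(m["cookie"])
        if sessid is None:
            continue
        if TRAVERSAL_RE.search(sessid):
            reason = "path traversal in SESSID"
        elif not SESSID_OK.fullmatch(sessid):
            reason = "malformed SESSID"
        else:
            continue
        findings.append(Finding(m["ts"], m["src"], m["path"], reason, sessid))
    return findings


def zero_byte_files(entries, web_root_marker="/sslvpndocs/"):
    """Return paths of empty files under the web-reachable GlobalProtect tree,
    the kind of probe file the writeup says attackers planted first."""
    return [path for path, size in entries if size == 0 and web_root_marker in path]


if __name__ == "__main__":
    for f in scan_log_lines(SAMPLE_LOG.splitlines()):
        print(f"{f.ts} {f.src} {f.path}: {f.reason} -> {f.value!r}")
    for path in zero_byte_files(SAMPLE_FILES):
        print("zero-byte file under web root:", path)
```

On the sample data only the first request is flagged; the legitimate-looking token in the third line passes, and the zero-byte log file outside the web tree is ignored. A hit from scan_log_lines combined with a matching zero-byte file is a reasonable trigger for the forensic follow-up the writeup implies: checking for the UPSTYLE backdoor and for configuration exfiltration.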

Conclusion 

CVE-2024-3400 represents a significant threat to organizations utilizing Palo Alto Networks' PAN-OS software, particularly those with vulnerable configurations of the GlobalProtect feature. The ability for unauthenticated attackers to execute arbitrary code with root privileges necessitates immediate attention and action from affected users. Organizations should prioritize patching their systems and enhancing their overall security posture to mitigate risks associated with this critical vulnerability. 



Crow

physics, information technologies, author, educator
