ggenard (Staff)

CVE-2024-3400: Palo Alto Networks PAN-OS Command Injection Vulnerability in GlobalProtect

Introduction

A recent zero-day command-injection vulnerability, tracked as CVE-2024-3400, was discovered in Palo Alto Networks PAN-OS. It has been assigned the highest possible severity score of 10.0 and can be exploited by an unauthenticated attacker to execute arbitrary commands on the target system with root privileges.

The vulnerability was initially discovered and reported by Volexity. The Cybersecurity and Infrastructure Security Agency (CISA) subsequently added CVE-2024-3400 to its Known Exploited Vulnerabilities (KEV) catalog.

In this blog, we discuss the exploitation activity related to this vulnerability as observed by Fortinet FortiGuard Labs Threat Intelligence. We also look at a newly discovered Python-based backdoor and the unusual way it interacts with its operator.

What is CVE-2024-3400?

On April 12, 2024, Palo Alto Networks issued a warning about a critical flaw in its PAN-OS software, used in GlobalProtect gateways, that was being actively exploited in the wild. Tracked as CVE-2024-3400, the issue carries a CVSS base score of 10.0, the maximum "Critical" severity. It applies only to PAN-OS 10.2, PAN-OS 11.0 and PAN-OS 11.1 firewalls configured with a GlobalProtect gateway, and it allows pre-authentication remote code execution on the GlobalProtect VPN interface through a chained attack (directory traversal followed by command injection) against Palo Alto Networks firewalls. The flaw is a command-injection vulnerability in the GlobalProtect feature of PAN-OS, affecting specific versions and feature configurations, and an unauthenticated attacker can use it to execute arbitrary code with root privileges on the firewall. Although Palo Alto Networks issued threat protection signatures, it took at least 2 weeks before a fix for the vulnerability itself was available.
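The chained pattern described above (a directory-traversal sequence and command-injection metacharacters arriving in the same request) can be turned into a simple triage check for gateway access logs. This is an added example, not Fortinet's or Palo Alto Networks' code; the record layout, header names and sample requests are constructed for illustration.

```python
import re

# Constructed request records in a hypothetical access-log export
# (src, path, headers); these are NOT real PAN-OS log lines.
SAMPLE_REQUESTS = [
    {"src": "203.0.113.5", "path": "/login",
     "headers": {"Cookie": "session=9f3a1c; lang=en"}},
    {"src": "203.0.113.7", "path": "/login",
     "headers": {"Cookie": "session=../../tmp/x; lang=en",
                 "X-Request-Id": "r1;echo hit"}},
    {"src": "198.51.100.9", "path": "/api/report",
     "headers": {"User-Agent": "../../etc/passwd"}},
    {"src": "198.51.100.3", "path": "/status",
     "headers": {"X-Id": "abc && true"}},
]

# Directory-traversal sequences, plain and URL-encoded.
TRAVERSAL = re.compile(r"(?:\.\./|\.\.\\|%2e%2e(?:%2f|/)|\.\.%2f)", re.I)
# Shell metacharacters typical of OS command injection.
INJECTION = re.compile(r"(?:`|\$\(|\$\{|;|\|\||&&|\|)")

def inspect_values(req):
    """Yield the path and each header value. Cookie pairs are split on ';'
    first so the cookie separator is not mistaken for a command separator."""
    yield req["path"]
    for name, value in req["headers"].items():
        if name.lower() == "cookie":
            for pair in value.split(";"):
                yield pair.split("=", 1)[-1]
        else:
            yield value

def classify(req):
    """Return the traits ('traversal', 'injection') seen in one request."""
    traits = set()
    for v in inspect_values(req):
        if TRAVERSAL.search(v):
            traits.add("traversal")
        if INJECTION.search(v):
            traits.add("injection")
    return traits

def triage(reqs):
    """Split sources into those showing the full chain (traversal AND
    injection in the same request) and those showing only one trait."""
    chained, single = [], []
    for r in reqs:
        t = classify(r)
        if {"traversal", "injection"} <= t:
            chained.append(r["src"])
        elif t:
            single.append(r["src"])
    return chained, single
```

Single-trait hits are common in ordinary scanner noise; the sources in the chained list are the ones worth escalating first.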

 

FortiWeb Protection

FortiGuard Labs Threat Intelligence extends its protection to products from other security vendors, including Palo Alto Networks, to strengthen network security overall. It promptly addresses critical vulnerabilities such as CVE-2024-3400 to improve organizations' cybersecurity posture against evolving threats. Fortinet FortiGuard's threat intelligence network detected CVE-2024-3400 activity immediately after the exploitation script was released. At the same time, FortiGuard IPS responded by publishing an official signature for this vulnerability on the same day that Palo Alto Networks announced the vulnerability warning. Although Fortinet is a competitor of Palo Alto Networks, FortiWeb provided proactive coverage by addressing the issue promptly.


References:

Zero-Day Alert: Critical Palo Alto Networks PAN-OS Flaw Under Active Attack (thehackernews.com)

https://fortiguard.fortinet.com/encyclopedia/ips/55555

https://www.fortiguard.com/outbreak-alert/pan-os-globalprotect-attack

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-3400