Palo Alto Networks has issued a warning that threat actors are exploiting a critical OS command injection vulnerability to execute arbitrary code on its firewalls. The vulnerability, tracked as CVE-2024-3400 and rated with the maximum CVSS score of 10.0, allows an unauthenticated attacker to run arbitrary code with root privileges on the firewall. It affects the GlobalProtect feature of PAN-OS, the operating system that runs on Palo Alto Networks firewall appliances.
According to Palo Alto Networks, the vulnerability exists in specific PAN-OS versions (10.2, 11.0, and 11.1) and, as reported at the time of the advisory, is only exploitable on firewalls that have both a GlobalProtect gateway configured and device telemetry enabled. The company states that Panorama appliances, Cloud NGFW, and Prisma Access are not affected.
The cybersecurity company is actively working on patches for this critical flaw, which are slated for release in PAN-OS versions 10.2.9-h1, 11.0.4-h1, and 11.1.2-h3 by the end of this week.
In the interim, Palo Alto Networks advises customers to verify whether a GlobalProtect gateway is configured by accessing Network > GlobalProtect > Gateways in the firewall's web interface. Customers should also check if device telemetry is enabled by navigating to Device > Setup > Telemetry.
Palo Alto Networks has acknowledged a limited number of attacks exploiting this vulnerability. Until the hotfixes are available, customers with a Threat Prevention subscription can block exploitation attempts by enabling Threat ID 95187 and making sure vulnerability protection is applied to the GlobalProtect interface; customers who cannot apply that protection should temporarily disable device telemetry until the patches are installed.
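The following Python triage script is an added example, not code from Palo Alto Networks or from the advisory. It encodes the three checks described above (PAN-OS version against the announced hotfix releases, GlobalProtect gateway configured, device telemetry enabled) so they can be run over a fleet inventory instead of clicking through each firewall's web interface. It assumes that any build at or above the listed hotfix within the same major.minor family carries the fix, that version families not listed in the advisory (such as 10.1) are unaffected, and that the gateway-plus-telemetry condition is as reported here; the inventory rows are constructed sample data, and the `FIXED_IN` table would need extending if hotfixes for other maintenance releases are published later.

```python
import re

# Hotfix releases announced as carrying the fix, keyed by major.minor family.
# Assumption for this example: any (maintenance, hotfix) pair at or above the
# listed one in the same family is fixed. Hotfixes for other maintenance
# releases are not in this table and would have to be added.
FIXED_IN = {
    (10, 2): (9, 1),   # 10.2.9-h1
    (11, 0): (4, 1),   # 11.0.4-h1
    (11, 1): (2, 3),   # 11.1.2-h3
}

# PAN-OS version strings look like "11.1.2" or "11.1.2-h3"; "-hN" is a hotfix.
_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:-h(\d+))?$")


def parse_panos_version(text):
    """Return (major, minor, maintenance, hotfix); hotfix is 0 when absent."""
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised PAN-OS version string: {text!r}")
    major, minor, maint, hotfix = m.groups()
    return int(major), int(minor), int(maint), int(hotfix or 0)


def version_status(text):
    """Classify a PAN-OS version as 'unaffected', 'fixed' or 'vulnerable'."""
    major, minor, maint, hotfix = parse_panos_version(text)
    fixed = FIXED_IN.get((major, minor))
    if fixed is None:
        return "unaffected"   # family not listed as affected (e.g. 10.1, 9.1)
    # Tuple comparison: 10.2.9 (hotfix 0) sorts below 10.2.9-h1, so it is vulnerable;
    # 10.2.10 sorts above and is treated as fixed under the assumption above.
    return "fixed" if (maint, hotfix) >= fixed else "vulnerable"


def assess_firewall(name, version, gp_gateway_configured, telemetry_enabled):
    """Combine the version check with the two configuration checks from the advisory.

    Returns (name, status, action). The two boolean flags mirror what an operator
    sees under Network > GlobalProtect > Gateways and Device > Setup > Telemetry.
    """
    status = version_status(version)
    if status != "vulnerable":
        return name, status, "none"
    if not gp_gateway_configured:
        return name, "vulnerable-version", "no GlobalProtect gateway; apply hotfix at next window"
    if telemetry_enabled:
        return (name, "exposed",
                "disable device telemetry now; enable Threat ID 95187 on the GlobalProtect "
                "interface if Threat Prevention is licensed; apply hotfix as soon as released")
    return name, "vulnerable-version", "telemetry already off; apply hotfix when released"


# Constructed sample inventory (hypothetical device names, not real systems), in the
# shape a script would read from an asset register: name, version, gateway, telemetry.
SAMPLE_INVENTORY = [
    ("fw-edge-01",   "11.1.2-h2",  True,  True),   # affected version, fully exposed
    ("fw-edge-02",   "11.1.2-h3",  True,  True),   # already on the announced hotfix
    ("fw-dc-01",     "10.2.9",     False, True),   # affected build but no GP gateway
    ("fw-branch-07", "10.1.11-h1", True,  True),   # 10.1 family is not listed as affected
]


def triage(inventory):
    """Run assess_firewall over every inventory row and return the results."""
    return [assess_firewall(*row) for row in inventory]


if __name__ == "__main__":
    for name, status, action in triage(SAMPLE_INVENTORY):
        print(f"{name:14} {status:19} {action}")
```

Because an exploited firewall may already be backdoored, a result of "exposed" should trigger an incident-response check of the device, not only the mitigation; the script is a prioritisation aid, not proof that an appliance is clean.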
The discovery and reporting of CVE-2024-3400 is credited to Volexity, a threat intelligence and incident response firm. Palo Alto Networks and Volexity have released additional details attributing the attacks to an undisclosed state-sponsored threat actor that exploited the vulnerability to install backdoors on compromised firewalls.