According to reports from the Shadowserver Foundation, approximately 6,000 internet-accessible Palo Alto Networks firewalls are potentially vulnerable to a recently exploited security flaw, identified as CVE-2024-3400.
Palo Alto Networks disclosed this critical vulnerability on April 12 and began deploying patches shortly afterward. The issue, which has attracted attention from state-sponsored threat actors, has experienced an increase in exploitation following the publication of proof-of-concept (PoC) code.
CVE-2024-3400, with a CVSS score of 10/10, involves a command injection vulnerability within the GlobalProtect feature of PAN-OS, the operating system powering Palo Alto Networks' appliances. The flaw allows for arbitrary code execution with root privileges under specific conditions, even without authentication.
Initially, Palo Alto Networks suggested mitigating the risk by disabling device telemetry, but subsequent advisories have revised this recommendation as the vulnerability can be exploited regardless of telemetry settings.
In a detailed blog post on April 19, Palo Alto Networks explained that CVE-2024-3400 stemmed from two separate flaws within PAN-OS, which, when combined, allowed for unauthenticated remote shell command execution. The first flaw enabled an attacker to craft a shell command within a specially formatted session ID, resulting in the creation of an empty file with a command embedded in its filename. The second flaw involved the system trusting this file and executing the embedded command with elevated privileges.
Palo Alto Networks has since issued fixes that address both flaws by tightening session ID validation and rewriting the code path in which the injected command was executed.
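The two flaws described above illustrate a general pattern: an untrusted value (here, a session ID) is used to build a filename, and a second component later trusts whatever it finds on disk. The following is an added defensive example, not Palo Alto Networks' code and not PAN-OS logic; it assumes a hypothetical session ID format (32 lowercase hex characters) and a constructed session directory, and shows the vulnerable concatenation beside an allowlist validator, a path-containment check, and re-validation of names read back from the filesystem.

```python
import os
import re

# Assumed session-ID format for this example: exactly 32 lowercase hex characters.
# PAN-OS's real format is not stated on the page; this is a hypothetical allowlist.
SESSION_ID_RE = re.compile(r"\A[0-9a-f]{32}\Z")

# Constructed directory for the example; not a PAN-OS path.
SESSION_DIR = "/tmp/example_sessions"


def validate_session_id(session_id) -> bool:
    """Allowlist check: accept only values that match the expected format exactly.
    Anything else (path separators, whitespace, shell metacharacters, wrong length,
    wrong case, trailing newline) is rejected before it can reach the filesystem."""
    return isinstance(session_id, str) and SESSION_ID_RE.fullmatch(session_id) is not None


def session_file_path_unsafe(session_id: str) -> str:
    """Vulnerable pattern (first flaw): the untrusted ID is concatenated into a filename.
    Whatever characters the ID contains become part of the path that is created."""
    return os.path.join(SESSION_DIR, session_id)


def session_file_path(session_id: str) -> str:
    """Hardened pattern: validate first, then confirm the resolved path is a direct
    child of SESSION_DIR so a malformed value can never escape the directory."""
    if not validate_session_id(session_id):
        raise ValueError("rejected session id")
    base = os.path.realpath(SESSION_DIR)
    path = os.path.realpath(os.path.join(base, session_id))
    if os.path.dirname(path) != base:
        raise ValueError("session path escaped base directory")
    return path


def trusted_session_ids_from_listing(filenames):
    """Mitigation for the second flaw: names read back from the session directory are
    still untrusted data. Re-validate each one instead of assuming the directory only
    contains well-formed IDs; a filename is never treated as anything but an opaque key."""
    return [name for name in filenames if validate_session_id(name)]


def classify_session_ids(candidates):
    """Defender view: split observed IDs (for example from request logs) into accepted
    and rejected, so the rejected set can be reviewed or alerted on."""
    accepted, rejected = [], []
    for candidate in candidates:
        (accepted if validate_session_id(candidate) else rejected).append(candidate)
    return accepted, rejected


if __name__ == "__main__":
    # Constructed sample values, not real observed traffic.
    sample = [
        "0123456789abcdef0123456789abcdef",   # well-formed
        "../0123456789abcdef0123456789abcd",  # path traversal attempt shape
        "0123456789ABCDEF0123456789ABCDEF",   # wrong case
        "0123456789abcdef0123456789abcdef\n",  # trailing newline
    ]
    ok, bad = classify_session_ids(sample)
    print("accepted:", ok)
    print("rejected:", bad)
    print("hardened path:", session_file_path(ok[0]))
```

The key design choice is that validation is an allowlist on shape, not a denylist of dangerous characters, and that the same validator is applied both when the ID arrives and when names are read back from disk; the `realpath` containment check is a second, independent guard in case the allowlist is ever loosened.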
Despite the availability of fixes and mitigation measures, the Shadowserver Foundation observed over 22,000 potentially vulnerable Palo Alto Networks GlobalProtect instances connected to the internet. As of April 21, approximately 6,000 instances remain susceptible to exploitation.
Palo Alto Networks urges affected users to apply the necessary patches and mitigation steps promptly to safeguard against potential attacks leveraging CVE-2024-3400. Additionally, deploying Threat Prevention signatures released on April 11 can help block suspicious patterns associated with this vulnerability.
This incident underscores the importance of timely software updates and proactive security measures to protect critical infrastructure from evolving cyber threats.