UPDATE: Palo Alto Networks confirmed on Tuesday (4/16) that disabling device telemetry is no longer considered an effective mitigation. On Wednesday (4/17), the company released new threat signatures and shared a CLI command customers can use to identify indicators of exploit activity on the device. Please visit their page here to stay updated: https://security.paloaltonetworks.com/CVE-2024-3400
Palo Alto Networks also reiterated that firewalls with those specific PAN-OS versions are vulnerable if configured with GlobalProtect gateway or GlobalProtect portal (or both).
A command injection vulnerability has been discovered in the GlobalProtect feature of Palo Alto Networks PAN-OS software. On specific versions with distinct feature configurations, it may enable a remote, unauthenticated attacker to execute arbitrary code with root privileges on the firewall.
These specific versions are affected when a GlobalProtect gateway is configured and device telemetry is enabled. This vulnerability has also been added to the Known Exploited Vulnerabilities Catalog, maintained by CISA, as there has been limited exploitation of CVE-2024-3400 in the wild.
A command injection vulnerability has been discovered in:
This vulnerability does not affect PAN-OS versions 10.1, 10.0, 9.1, and 9.0, Cloud NGFW, Panorama appliances, or Prisma Access.
In the impacted versions listed above, firewalls are affected only if both a GlobalProtect gateway is configured and device telemetry is enabled. To verify whether you have a GlobalProtect gateway configured, check for entries in your firewall web interface (Network > GlobalProtect > Gateways). To verify whether you have device telemetry enabled, check your firewall web interface (Device > Setup > Telemetry).
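The same configuration check run against an exported PAN-OS configuration instead of the web interface, as an added example that is not Palo Alto Networks or Trustwave code. It assumes the config XML places GlobalProtect objects under each vsys as `global-protect/global-protect-gateway` and `global-protect/global-protect-portal`, and it applies the 4/16 update: a configured gateway or portal means exposure, regardless of telemetry.

```python
"""Triage helper: does an exported PAN-OS config expose the GlobalProtect
attack surface named in the CVE-2024-3400 advisory? Added example; the
XML layout below is an assumption, verify it against your own export."""
import xml.etree.ElementTree as ET

VSYS_PATH = "./devices/entry/vsys/entry"  # assumed layout of a config export


def globalprotect_inventory(config_xml: str) -> dict:
    """Return {vsys_name: {"gateways": [...], "portals": [...]}}."""
    root = ET.fromstring(config_xml)
    inventory = {}
    for vsys in root.findall(VSYS_PATH):
        gp = vsys.find("global-protect")
        gateways = [] if gp is None else [
            e.get("name") for e in gp.findall("global-protect-gateway/entry")]
        portals = [] if gp is None else [
            e.get("name") for e in gp.findall("global-protect-portal/entry")]
        inventory[vsys.get("name", "?")] = {"gateways": gateways, "portals": portals}
    return inventory


def exposed(config_xml: str) -> bool:
    """Per the advisory and its 4/16 update: on an affected PAN-OS release,
    any configured GlobalProtect gateway OR portal means the firewall is
    exposed; device telemetry state no longer changes the verdict.
    Release matching is out of scope here (see the vendor advisory)."""
    inv = globalprotect_inventory(config_xml)
    return any(v["gateways"] or v["portals"] for v in inv.values())


# Constructed sample config fragments (not taken from a real device).
SAMPLE_WITH_GP = """<config version="11.0.0">
  <devices><entry name="localhost.localdomain">
    <vsys><entry name="vsys1">
      <global-protect>
        <global-protect-portal><entry name="gp-portal"/></global-protect-portal>
        <global-protect-gateway><entry name="gp-gw-ext"/></global-protect-gateway>
      </global-protect>
    </entry></vsys>
  </entry></devices>
</config>"""

SAMPLE_WITHOUT_GP = """<config version="11.0.0">
  <devices><entry name="localhost.localdomain">
    <vsys><entry name="vsys1"><global-protect/></entry></vsys>
  </entry></devices>
</config>"""

if __name__ == "__main__":
    print(globalprotect_inventory(SAMPLE_WITH_GP))
    print("exposed:", exposed(SAMPLE_WITH_GP), exposed(SAMPLE_WITHOUT_GP))
```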
Palo Alto also noted this vulnerability has been seen in limited attacks in the wild but has not released the details of these attacks. At this time, there are no further technical details related to this vulnerability. A proof of concept (PoC) has not been observed publicly or in the underground at this time.
Per Palo Alto’s advisory on CVE-2024-3400, if a client is concerned that this vulnerability has compromised their devices, the client can open a support case with Palo Alto to determine if the devices’ logs match known IoCs for this vulnerability.
Trustwave is currently monitoring this situation and will update this post as needed.