Executive Summary
CISA has issued a warning about a command injection vulnerability, CVE-2024-3400 [CVSS score of 10], in Palo Alto’s firewalls. Attackers are actively exploiting the vulnerability. Palo Alto Networks has advised customers to apply temporary mitigations. Customers can also contact the company to determine whether their devices have been compromised.
The company also noted that exploitation of this vulnerability could be automated.
This firewall vulnerability adds to the growing list of zero-day vulnerabilities in externally exposed assets, especially VPNs and firewalls.
In essence, these vulnerabilities illustrate the ongoing challenge that legacy, public-facing technology presents.
What Happened
CVE-2024-3400 is a command injection vulnerability in the GlobalProtect feature of Palo Alto Networks’ PAN-OS software. It potentially allows an unauthenticated attacker to execute arbitrary code with root privileges on affected firewalls.
This vulnerability impacts PAN-OS versions 11.1, 11.0, and 10.2 that are configured with both a GlobalProtect gateway and device telemetry. Hotfixes intended to address this issue (11.1.2-h3, 11.0.4-h1, and 10.2.9-h1) are scheduled for release in the coming days. Some fixes are already online.
Palo Alto Networks’ Recommendations
Palo Alto Networks has provided guidance on how to check whether your firewall has a GlobalProtect gateway configured. Customers can review the entries under Network > GlobalProtect > Gateways in the firewall web interface. Similarly, you can check whether device telemetry is enabled under Device > Setup > Telemetry.
For those with a Threat Prevention subscription, attacks exploiting this vulnerability can be blocked by enabling Threat ID 95187, which is available in Applications and Threats content version 8833-8682. Additionally, Palo Alto Networks recommends applying a vulnerability protection security profile to the GlobalProtect interface.
Where these measures are not an option, device telemetry can be temporarily disabled. That action can mitigate the impact of the Palo Alto firewall vulnerability.
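The advisory gives three preconditions for exposure: an affected release train (11.1, 11.0 or 10.2) below the listed hotfix, a GlobalProtect gateway configured, and device telemetry enabled. The following Python triage script, added here as an example and not code from the original advisory or from Palo Alto Networks, applies those preconditions to an inventory of firewalls. It assumes you already export three facts per device (PAN-OS version string, whether a gateway is configured, whether telemetry is enabled); the inventory records and firewall names are constructed, and a version with no `-hN` suffix is treated as hotfix 0 so that, for example, 11.1.2 compares below 11.1.2-h3.

```python
"""Triage PAN-OS firewalls against the CVE-2024-3400 preconditions (added example)."""
import re
from dataclasses import dataclass

# First fixed hotfix per affected release train, as listed in the advisory above.
FIXED_IN = {
    (11, 1): "11.1.2-h3",
    (11, 0): "11.0.4-h1",
    (10, 2): "10.2.9-h1",
}

# PAN-OS versions look like "10.2.9" or "10.2.9-h1" (hotfix suffix optional).
_VER_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:-h(\d+))?$")


def parse_panos_version(text):
    """Return (major, minor, patch, hotfix); hotfix is 0 when no -hN suffix is present."""
    m = _VER_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised PAN-OS version: {text!r}")
    major, minor, patch, hotfix = m.groups()
    return (int(major), int(minor), int(patch), int(hotfix or 0))


@dataclass
class Firewall:
    """One inventory record (constructed format, an assumption of this example)."""
    name: str
    version: str
    globalprotect_gateway: bool   # Network > GlobalProtect > Gateways has an entry
    device_telemetry: bool        # Device > Setup > Telemetry is enabled


def assess(fw):
    """Classify one firewall by the advisory's preconditions.

    Returns one of:
      'not_affected'       release train is not 11.1, 11.0 or 10.2
      'patched'            version is at or above the listed hotfix for its train
      'no_gateway'         no GlobalProtect gateway configured, so not exposed
      'telemetry_disabled' gateway present but telemetry off (the interim mitigation)
      'vulnerable'         all three preconditions hold; patch or mitigate now
    """
    ver = parse_panos_version(fw.version)
    train = ver[:2]
    if train not in FIXED_IN:
        return "not_affected"
    if ver >= parse_panos_version(FIXED_IN[train]):
        return "patched"
    if not fw.globalprotect_gateway:
        return "no_gateway"
    if not fw.device_telemetry:
        return "telemetry_disabled"
    return "vulnerable"


def triage(inventory):
    """Map each firewall name to its classification."""
    return {fw.name: assess(fw) for fw in inventory}


# Constructed sample inventory; names and values are illustrative only.
INVENTORY = [
    Firewall("fw-edge-01", "10.2.8", True, True),
    Firewall("fw-edge-02", "10.2.9-h1", True, True),
    Firewall("fw-edge-03", "11.1.2", True, True),
    Firewall("fw-edge-04", "11.0.4", True, False),
    Firewall("fw-dc-05", "10.1.11", True, True),
    Firewall("fw-lab-06", "11.1.1-h2", False, True),
]

if __name__ == "__main__":
    for name, status in triage(INVENTORY).items():
        print(f"{name:12s} {status}")
```

Devices reported as `vulnerable` need the hotfix, the Threat ID signature, or telemetry disabled as described above; `telemetry_disabled` devices are only mitigated, not fixed, and should still be scheduled for the hotfix.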
Customers can also assess whether their devices are on the compromised list by opening a case in the Customer Support Portal (CSP) and uploading a technical support file (TSF) to check for known indicators of compromise (IoC) associated with this vulnerability.
Implications
This trend underscores a broader issue with legacy technology: the outdated architecture that these solutions rely on makes them appealing targets for cybercriminals. VPNs, which first appeared in 1996, and traditional firewalls, which date back even earlier, cannot withstand the complex cyberattacks we see today. One of the most recent examples is certainly Ivanti, with its numerous exploited vulnerabilities.
The inherent risks associated with these technologies include:
- External Exposure: The old adage “if it’s reachable, it’s breachable” holds true, as these systems are accessible from the outside.
- Flawed Architecture: Once compromised, these technologies can serve as gateways for attackers to move laterally within a network, potentially leading to data theft and widespread compromise.
Closing Comments
The core issue with VPNs and firewalls lies in their role as public-facing interfaces to the external world. This setup offers sophisticated threat actors a gateway to potentially infiltrate your organization, often exploiting zero-day vulnerabilities. Considering the high value of a successful exploit, there is a fair expectation that VPNs and firewalls will remain attractive targets for cybercriminals.