CVE-2024-3400: PAN-OS: OS Command Injection Vulnerability in GlobalProtect
First published: Fri Apr 12 2024(Updated: )
A command injection as a result of arbitrary file creation vulnerability in the GlobalProtect feature of Palo Alto Networks PAN-OS software for specific PAN-OS versions and distinct feature configurations may enable an unauthenticated attacker to execute arbitrary code with root privileges on the firewall. Cloud NGFW, Panorama appliances, and Prisma Access are not impacted by this vulnerability.
Credit: psirt@paloaltonetworks.com Kr0ff
| Affected Software | Affected Version | How to fix |
|---|---|---|
| Palo Alto Networks PAN-OS | ||
| Paloaltonetworks Pan-os | =10.2.0 | |
| Paloaltonetworks Pan-os | =10.2.0-h1 | |
| Paloaltonetworks Pan-os | =10.2.0-h2 | |
| Paloaltonetworks Pan-os | =10.2.1 | |
| Paloaltonetworks Pan-os | =10.2.1-h1 | |
| Paloaltonetworks Pan-os | =10.2.2 | |
| Paloaltonetworks Pan-os | =10.2.2-h1 | |
| Paloaltonetworks Pan-os | =10.2.2-h2 | |
| Paloaltonetworks Pan-os | =10.2.2-h4 | |
| Paloaltonetworks Pan-os | =10.2.3 | |
| Paloaltonetworks Pan-os | =10.2.3-h11 | |
| Paloaltonetworks Pan-os | =10.2.3-h12 | |
| Paloaltonetworks Pan-os | =10.2.3-h2 | |
| Paloaltonetworks Pan-os | =10.2.3-h4 | |
| Paloaltonetworks Pan-os | =10.2.3-h9 | |
| Paloaltonetworks Pan-os | =10.2.4 | |
| Paloaltonetworks Pan-os | =10.2.4-h10 | |
| Paloaltonetworks Pan-os | =10.2.4-h2 | |
| Paloaltonetworks Pan-os | =10.2.4-h3 | |
| Paloaltonetworks Pan-os | =10.2.4-h4 | |
| Paloaltonetworks Pan-os | =10.2.5 | |
| Paloaltonetworks Pan-os | =10.2.5-h1 | |
| Paloaltonetworks Pan-os | =10.2.5-h4 | |
| Paloaltonetworks Pan-os | =10.2.6 | |
| Paloaltonetworks Pan-os | =10.2.6-h1 | |
| Paloaltonetworks Pan-os | =10.2.7 | |
| Paloaltonetworks Pan-os | =10.2.7-h1 | |
| Paloaltonetworks Pan-os | =10.2.7-h3 | |
| Paloaltonetworks Pan-os | =10.2.7-h6 | |
| Paloaltonetworks Pan-os | =10.2.9 | |
| Paloaltonetworks Pan-os | =11.0.0 | |
| Paloaltonetworks Pan-os | =11.0.0-h1 | |
| Paloaltonetworks Pan-os | =11.0.0-h2 | |
| Paloaltonetworks Pan-os | =11.0.1 | |
| Paloaltonetworks Pan-os | =11.0.1-h2 | |
| Paloaltonetworks Pan-os | =11.0.1-h3 | |
| Paloaltonetworks Pan-os | =11.0.2 | |
| Paloaltonetworks Pan-os | =11.0.2-h1 | |
| Paloaltonetworks Pan-os | =11.0.2-h2 | |
| Paloaltonetworks Pan-os | =11.0.2-h3 | |
| Paloaltonetworks Pan-os | =11.0.3 | |
| Paloaltonetworks Pan-os | =11.0.3-h1 | |
| Paloaltonetworks Pan-os | =11.0.3-h3 | |
| Paloaltonetworks Pan-os | =11.0.3-h5 | |
| Paloaltonetworks Pan-os | =11.0.4 | |
| Paloaltonetworks Pan-os | =11.1.0 | |
| Paloaltonetworks Pan-os | =11.1.0-h1 | |
| Paloaltonetworks Pan-os | =11.1.0-h2 | |
| Paloaltonetworks Pan-os | =11.1.1 | |
| Paloaltonetworks Pan-os | =11.1.2 | |
| Paloaltonetworks Pan-os | =11.1.2-h1 |
Remedy
Apply mitigations per vendor instructions as they become available. Otherwise, users with vulnerable versions of affected devices should enable Threat Prevention IDs available from the vendor. See the vendor bulletin for more details and a patch release schedule.
Remedy
We strongly advise customers to immediately upgrade to a fixed version of PAN-OS to protect their devices even when workarounds and mitigations have been applied. This issue is fixed in PAN-OS 10.2.9-h1, PAN-OS 11.0.4-h1, PAN-OS 11.1.2-h3, and in all later PAN-OS versions. Customers who upgrade to these versions will be fully protected.
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
- https://www.bleepingcomputer.com/news/security/palo-alto-networks-warns-of-pan-os-firewall-zero-day-used-in-attacks/
- https://www.theregister.com/2024/04/12/palo_alto_pan_flaw/
- https://www.bleepingcomputer.com/news/security/palo-alto-networks-zero-day-exploited-since-march-to-backdoor-firewalls/
- https://www.bleepingcomputer.com/news/security/palo-alto-networks-fixes-zero-day-exploited-to-backdoor-firewalls/
- https://www.bleepingcomputer.com/news/security/exploit-released-for-palo-alto-pan-os-bug-used-in-attacks-patch-now/
- https://www.theregister.com/2024/04/17/researchers_exploit_code_for/
- https://security.paloaltonetworks.com/CVE-2024-3400
- https://www.bleepingcomputer.com/news/security/22-500-palo-alto-firewalls-possibly-vulnerable-to-ongoing-attacks/
- https://unit42.paloaltonetworks.com/cve-2024-3400/
- https://www.paloaltonetworks.com/blog/2024/04/more-on-the-pan-os-cve/
- https://www.volexity.com/blog/2024/04/12/zero-day-exploitation-of-unauthenticated-remote-code-execution-vulnerability-in-globalprotect-cve-2024-3400/
- https://www.exploit-db.com/exploits/51996
- agent/type
- collector/bleeping-computer
- source/BleepingComputer
- alias/CVE-2024-3400
- alias/CVE-2024-34000
- agent/first-publish-date
- collector/the-register
- source/The Register
- agent/severity
- agent/softwarecombine
- exploited/true
- collector/cisa-known-exploited
- source/CISA
- agent/software-canonical-lookup
- agent/title
- agent/last-modified-date
- collector/mitre-cve
- source/MITRE
- agent/remedy
- agent/weakness
- agent/description
- collector/exploitdb-recent
- source/ExploitDB
- agent/references
- agent/author
- agent/tags
- agent/event
- collector/epss-latest
- source/FIRST
- agent/epss
- collector/nvd-api
- source/NVD
- vendor/palo alto networks
- canonical/palo alto networks pan-os
- vendor/paloaltonetworks
- canonical/paloaltonetworks pan-os
- version/paloaltonetworks pan-os/10.2.0
- version/paloaltonetworks pan-os/10.2.0-h1
- version/paloaltonetworks pan-os/10.2.0-h2
- version/paloaltonetworks pan-os/10.2.1
- version/paloaltonetworks pan-os/10.2.1-h1
- version/paloaltonetworks pan-os/10.2.2
- version/paloaltonetworks pan-os/10.2.2-h1
- version/paloaltonetworks pan-os/10.2.2-h2
- version/paloaltonetworks pan-os/10.2.2-h4
- version/paloaltonetworks pan-os/10.2.3
- version/paloaltonetworks pan-os/10.2.3-h11
- version/paloaltonetworks pan-os/10.2.3-h12
- version/paloaltonetworks pan-os/10.2.3-h2
- version/paloaltonetworks pan-os/10.2.3-h4
- version/paloaltonetworks pan-os/10.2.3-h9
- version/paloaltonetworks pan-os/10.2.4
- version/paloaltonetworks pan-os/10.2.4-h10
- version/paloaltonetworks pan-os/10.2.4-h2
- version/paloaltonetworks pan-os/10.2.4-h3
- version/paloaltonetworks pan-os/10.2.4-h4
- version/paloaltonetworks pan-os/10.2.5
- version/paloaltonetworks pan-os/10.2.5-h1
- version/paloaltonetworks pan-os/10.2.5-h4
- version/paloaltonetworks pan-os/10.2.6
- version/paloaltonetworks pan-os/10.2.6-h1
- version/paloaltonetworks pan-os/10.2.7
- version/paloaltonetworks pan-os/10.2.7-h1
- version/paloaltonetworks pan-os/10.2.7-h3
- version/paloaltonetworks pan-os/10.2.7-h6
- version/paloaltonetworks pan-os/10.2.9
- version/paloaltonetworks pan-os/11.0.0
- version/paloaltonetworks pan-os/11.0.0-h1
- version/paloaltonetworks pan-os/11.0.0-h2
- version/paloaltonetworks pan-os/11.0.1
- version/paloaltonetworks pan-os/11.0.1-h2
- version/paloaltonetworks pan-os/11.0.1-h3
- version/paloaltonetworks pan-os/11.0.2
- version/paloaltonetworks pan-os/11.0.2-h1
- version/paloaltonetworks pan-os/11.0.2-h2
- version/paloaltonetworks pan-os/11.0.2-h3
- version/paloaltonetworks pan-os/11.0.3
- version/paloaltonetworks pan-os/11.0.3-h1
- version/paloaltonetworks pan-os/11.0.3-h3
- version/paloaltonetworks pan-os/11.0.3-h5
- version/paloaltonetworks pan-os/11.0.4
- version/paloaltonetworks pan-os/11.1.0
- version/paloaltonetworks pan-os/11.1.0-h1
- version/paloaltonetworks pan-os/11.1.0-h2
- version/paloaltonetworks pan-os/11.1.1
- version/paloaltonetworks pan-os/11.1.2
- version/paloaltonetworks pan-os/11.1.2-h1