CVE-2024-3400: PAN-OS: Arbitrary File Creation Leads to OS Command Injection Vulnerability in GlobalProtect
First published: Fri Apr 12 2024(Updated: )
A command injection as a result of arbitrary file creation vulnerability in the GlobalProtect feature of Palo Alto Networks PAN-OS software for specific PAN-OS versions and distinct feature configurations may enable an unauthenticated attacker to execute arbitrary code with root privileges on the firewall. Cloud NGFW, Panorama appliances, and Prisma Access are not impacted by this vulnerability.
Credit: Kr0ff psirt@paloaltonetworks.com psirt@paloaltonetworks.com
| Affected Software | Affected Version | How to fix |
|---|---|---|
| Palo Alto Networks PAN-OS | =10.2.0 | |
| Palo Alto Networks PAN-OS | =10.2.0-h1 | |
| Palo Alto Networks PAN-OS | =10.2.0-h2 | |
| Palo Alto Networks PAN-OS | =10.2.1 | |
| Palo Alto Networks PAN-OS | =10.2.1-h1 | |
| Palo Alto Networks PAN-OS | =10.2.2 | |
| Palo Alto Networks PAN-OS | =10.2.2-h1 | |
| Palo Alto Networks PAN-OS | =10.2.2-h2 | |
| Palo Alto Networks PAN-OS | =10.2.2-h4 | |
| Palo Alto Networks PAN-OS | =10.2.3 | |
| Palo Alto Networks PAN-OS | =10.2.3-h11 | |
| Palo Alto Networks PAN-OS | =10.2.3-h12 | |
| Palo Alto Networks PAN-OS | =10.2.3-h2 | |
| Palo Alto Networks PAN-OS | =10.2.3-h4 | |
| Palo Alto Networks PAN-OS | =10.2.3-h9 | |
| Palo Alto Networks PAN-OS | =10.2.4 | |
| Palo Alto Networks PAN-OS | =10.2.4-h10 | |
| Palo Alto Networks PAN-OS | =10.2.4-h2 | |
| Palo Alto Networks PAN-OS | =10.2.4-h3 | |
| Palo Alto Networks PAN-OS | =10.2.4-h4 | |
| Palo Alto Networks PAN-OS | =10.2.5 | |
| Palo Alto Networks PAN-OS | =10.2.5-h1 | |
| Palo Alto Networks PAN-OS | =10.2.5-h4 | |
| Palo Alto Networks PAN-OS | =10.2.6 | |
| Palo Alto Networks PAN-OS | =10.2.6-h1 | |
| Palo Alto Networks PAN-OS | =10.2.7 | |
| Palo Alto Networks PAN-OS | =10.2.7-h1 | |
| Palo Alto Networks PAN-OS | =10.2.7-h3 | |
| Palo Alto Networks PAN-OS | =10.2.7-h6 | |
| Palo Alto Networks PAN-OS | =10.2.8 | |
| Palo Alto Networks PAN-OS | =10.2.9 | |
| Palo Alto Networks PAN-OS | =11.0.0 | |
| Palo Alto Networks PAN-OS | =11.0.0-h1 | |
| Palo Alto Networks PAN-OS | =11.0.0-h2 | |
| Palo Alto Networks PAN-OS | =11.0.1 | |
| Palo Alto Networks PAN-OS | =11.0.1-h2 | |
| Palo Alto Networks PAN-OS | =11.0.1-h3 | |
| Palo Alto Networks PAN-OS | =11.0.2 | |
| Palo Alto Networks PAN-OS | =11.0.2-h1 | |
| Palo Alto Networks PAN-OS | =11.0.2-h2 | |
| Palo Alto Networks PAN-OS | =11.0.2-h3 | |
| Palo Alto Networks PAN-OS | =11.0.3 | |
| Palo Alto Networks PAN-OS | =11.0.3-h1 | |
| Palo Alto Networks PAN-OS | =11.0.3-h3 | |
| Palo Alto Networks PAN-OS | =11.0.3-h5 | |
| Palo Alto Networks PAN-OS | =11.0.4 | |
| Palo Alto Networks PAN-OS | =11.1.0 | |
| Palo Alto Networks PAN-OS | =11.1.0-h1 | |
| Palo Alto Networks PAN-OS | =11.1.0-h2 | |
| Palo Alto Networks PAN-OS | =11.1.1 | |
| Palo Alto Networks PAN-OS | =11.1.2 | |
| Palo Alto Networks PAN-OS | =11.1.2-h1 | |
| Palo Alto PAN-OS |
Remedy
Apply mitigations per vendor instructions as they become available. Otherwise, users with vulnerable versions of affected devices should enable Threat Prevention IDs available from the vendor. See the vendor bulletin for more details and a patch release schedule.
Remedy
We strongly advise customers to immediately upgrade to a fixed version of PAN-OS to protect their devices even when workarounds and mitigations have been applied. This issue is fixed in PAN-OS 10.2.9-h1, PAN-OS 11.0.4-h1, PAN-OS 11.1.2-h3, and in all later PAN-OS versions. Customers who upgrade to these versions will be fully protected.
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
- https://www.bleepingcomputer.com/news/security/palo-alto-networks-warns-of-pan-os-firewall-zero-day-used-in-attacks/
- https://www.theregister.com/2024/04/12/palo_alto_pan_flaw/
- https://www.bleepingcomputer.com/news/security/palo-alto-networks-zero-day-exploited-since-march-to-backdoor-firewalls/
- https://www.bleepingcomputer.com/news/security/palo-alto-networks-fixes-zero-day-exploited-to-backdoor-firewalls/
- https://www.bleepingcomputer.com/news/security/exploit-released-for-palo-alto-pan-os-bug-used-in-attacks-patch-now/
- https://www.theregister.com/2024/04/17/researchers_exploit_code_for/
- https://www.bleepingcomputer.com/news/security/22-500-palo-alto-firewalls-possibly-vulnerable-to-ongoing-attacks/
- https://www.exploit-db.com/exploits/51996
- https://www.bleepingcomputer.com/news/security/cisa-urges-devs-to-weed-out-os-command-injection-vulnerabilities/
- https://security.paloaltonetworks.com/CVE-2024-3400
- https://unit42.paloaltonetworks.com/cve-2024-3400/
- https://www.volexity.com/blog/2024/04/12/zero-day-exploitation-of-unauthenticated-remote-code-execution-vulnerability-in-globalprotect-cve-2024-3400/
- https://www.paloaltonetworks.com/blog/2024/04/more-on-the-pan-os-cve/
- https://www.bleepingcomputer.com/news/security/iranian-hackers-work-with-ransomware-gangs-to-extort-breached-orgs/
- https://www.theregister.com/2024/08/28/iran_pioneer_kitten/
- https://nvd.nist.gov/vuln/detail/CVE-2024-3400
- https://www.bleepingcomputer.com/news/security/cisco-bug-lets-hackers-run-commands-as-root-on-uwrb-access-points/
- https://www.bleepingcomputer.com/news/security/over-2-000-palo-alto-firewalls-hacked-using-recently-patched-bugs/
- https://www.theregister.com/2024/12/03/ncsc_annual_review/
Frequently Asked Questions
What is the severity of CVE-2024-3400?
CVE-2024-3400 is classified as a critical vulnerability due to its potential to allow unauthenticated attackers to execute arbitrary code with root privileges.
How do I fix CVE-2024-3400?
To remediate CVE-2024-3400, upgrade your Palo Alto Networks PAN-OS software to the latest version that addresses this vulnerability.
Who is affected by CVE-2024-3400?
CVE-2024-3400 affects specific versions of Palo Alto Networks PAN-OS, including versions 10.2.x and 11.0.x.
What types of attacks can exploit CVE-2024-3400?
CVE-2024-3400 can be exploited for command injection attacks, potentially allowing remote code execution on affected systems.
Is there a workaround for CVE-2024-3400 until a fix is applied?
No specific workarounds have been published for CVE-2024-3400, so applying the recommended software updates is essential for security.
- agent/type
- collector/bleeping-computer
- source/BleepingComputer
- alias/CVE-2024-3400
- alias/CVE-2024-34000
- agent/first-publish-date
- collector/the-register
- source/The Register
- agent/severity
- agent/remedy
- agent/weakness
- agent/description
- collector/epss-latest
- source/FIRST
- agent/epss
- alias/CVE-2024-20399
- alias/CVE-2024-21887
- collector/mitre-cve
- source/MITRE
- alias/CVE-2024-24919
- alias/CVE-2019-19781
- alias/CVE-2023-3519
- alias/CVE-2022-1388
- agent/author
- alias/CVE-2024-20418
- alias/CVE-2024-0012
- alias/CVE-2024-9474
- alias/CVE-2024-5910
- agent/last-modified-date
- agent/title
- alias/CVE-2023-20198
- agent/references
- agent/event
- collector/exploitdb-recent
- source/ExploitDB
- anchor-exploit/CVE-2024-3400
- exploited/true
- agent/source
- agent/trending
- agent/exploited
- proof-of-concept/true
- collector/nvd-cve
- source/NVD
- agent/software-canonical-lookup
- agent/software-canonical-lookup-request
- collector/nvd-api
- agent/softwarecombine
- agent/tags
- collector/cisa-known-exploited
- source/CISA
- vendor/paloaltonetworks
- canonical/palo alto networks pan-os
- version/palo alto networks pan-os/10.2.0
- version/palo alto networks pan-os/10.2.0-h1
- version/palo alto networks pan-os/10.2.0-h2
- version/palo alto networks pan-os/10.2.1
- version/palo alto networks pan-os/10.2.1-h1
- version/palo alto networks pan-os/10.2.2
- version/palo alto networks pan-os/10.2.2-h1
- version/palo alto networks pan-os/10.2.2-h2
- version/palo alto networks pan-os/10.2.2-h4
- version/palo alto networks pan-os/10.2.3
- version/palo alto networks pan-os/10.2.3-h11
- version/palo alto networks pan-os/10.2.3-h12
- version/palo alto networks pan-os/10.2.3-h2
- version/palo alto networks pan-os/10.2.3-h4
- version/palo alto networks pan-os/10.2.3-h9
- version/palo alto networks pan-os/10.2.4
- version/palo alto networks pan-os/10.2.4-h10
- version/palo alto networks pan-os/10.2.4-h2
- version/palo alto networks pan-os/10.2.4-h3
- version/palo alto networks pan-os/10.2.4-h4
- version/palo alto networks pan-os/10.2.5
- version/palo alto networks pan-os/10.2.5-h1
- version/palo alto networks pan-os/10.2.5-h4
- version/palo alto networks pan-os/10.2.6
- version/palo alto networks pan-os/10.2.6-h1
- version/palo alto networks pan-os/10.2.7
- version/palo alto networks pan-os/10.2.7-h1
- version/palo alto networks pan-os/10.2.7-h3
- version/palo alto networks pan-os/10.2.7-h6
- version/palo alto networks pan-os/10.2.8
- version/palo alto networks pan-os/10.2.9
- version/palo alto networks pan-os/11.0.0
- version/palo alto networks pan-os/11.0.0-h1
- version/palo alto networks pan-os/11.0.0-h2
- version/palo alto networks pan-os/11.0.1
- version/palo alto networks pan-os/11.0.1-h2
- version/palo alto networks pan-os/11.0.1-h3
- version/palo alto networks pan-os/11.0.2
- version/palo alto networks pan-os/11.0.2-h1
- version/palo alto networks pan-os/11.0.2-h2
- version/palo alto networks pan-os/11.0.2-h3
- version/palo alto networks pan-os/11.0.3
- version/palo alto networks pan-os/11.0.3-h1
- version/palo alto networks pan-os/11.0.3-h3
- version/palo alto networks pan-os/11.0.3-h5
- version/palo alto networks pan-os/11.0.4
- version/palo alto networks pan-os/11.1.0
- version/palo alto networks pan-os/11.1.0-h1
- version/palo alto networks pan-os/11.1.0-h2
- version/palo alto networks pan-os/11.1.1
- version/palo alto networks pan-os/11.1.2
- version/palo alto networks pan-os/11.1.2-h1
- vendor/palo alto networks
- canonical/palo alto pan-os