CVE-2024-3400: What is the Palo Alto GlobalProtect vulnerability?

TL;DR

• The serious vulnerability (CVE-2024-3400) affects a number of Palo Alto GlobalProtect devices which utilize device analytics. Active exploitation of this vulnerability has been witnessed by a number of organizations.
• You should review all GlobalProtect devices which have either the gateway or portal enabled, and apply all patches as Palo Alto makes them available.

What is the Palo Alto GlobalProtect vulnerability (CVE-2024-3400)?

On the 12th of April Volexity, in coordination with Palo Alto released information about a serious vulnerability (CVE-2024-3400) which has been exploited in the wild.

The Palo Alto GlobalProtect vulnerability allows an unauthenticated remote attacker to gain control over the device.

Early exploitation attempts of this vulnerability were identified towards the end of March 2024, leading to the first identified successful exploitation on the 10th of April 2024.

The attack takes advantage of a flaw within the device analytics of GlobalProtect's portal and gateway, whereby the attacker can write a file to the device logging folders that contains malicious code within the name. When this file is processed by the GlobalProtect application, the code within the filename is then executed, allowing the attacker to run arbitrary commands on the system.

Details regarding the exploitation of this vulnerability have been released by Watchtowr which includes a proof of concept to reliably detect vulnerable instances of GlobalProtect. The proof of concept showcased relies upon writing a file that will be ingested by the logging processes which ultimately leads to code execution for the attacker. The file write portion of the attack is a separate vulnerability from the code execution (CVE-2024-3400), which was attributed to the Golang package "gorilla/sessions". However, this has been rebutted by the user FiloSottile; instead it seems that Palo Alto deployed their own similar code which is vulnerable to the file write issue.

Why are these devices targeted so heavily?

These types of devices that sit on the perimeter of a network are a common target for attackers as they sit within a privileged position, bridging the private local network with the untrusted internet.

As such, several vulnerabilities have affected this class of device recently, for example the much talked about series of vulnerabilities in Ivanti products, and a number of vulnerabilities affecting FortiOS devices.

What systems are at risk?

The vulnerability affects versions 10.2, 11.0 and 11.1 firewalls which have been configured with either GlobalProtect gateway or portal (or both) and have device telemetry enabled. The specific versions which are affected are as follows:

• PAN-OS 11.1 - < 11.1.2-h3
• PAN-OS 11.0 - < 11.0.4-h1
• PAN-OS 10.2 - < 10.2.7-h8, < 10.2.8-h3, < 10.2.9-h1

What do I need to do about CVE-2024-3400 and how can Intruder help?

Identify all GlobalProtect edge devices - Intruder's Attack Surface view can help with this.

Apply the latest patches that are available for the device that you have, and monitor the Palo Alto advisory page to see when the further planned patches have been released.

Further to the guidance, Volexity have also released a number of indicators of compromise and YARA rules to help with the monitoring of this vulnerability. Florian Roth has also released a number of alternative YARA rules.

Current public proof of concepts rely upon modifying the HTTP cookie to write a file to disk. We recommend implementing enhanced monitoring of HTTP requests for abnormal cookies which contain a path, common forms of directory traversal payloads (e.g. ../), backticks (`), or the shell internal field separator ({IFS}).

Additional reading and research

• Volexity's CVE-2024-3400 disclosure
• Palo Alto CVE-2024-3400 research
• Palo Alto Advisory
• Technical research by Watchtowr
• Technical research by Rapid7

Changelog

19th April 2024 - Added link to YARA rules by Florian Roth

18th April 2024 - Updates to the document, adding information regarding the second file write vulnerability

16th April 2024 - Blog post published

‍Get started with a free trial of Intruder to see how it can help you stay protected against critical vulnerabilities.