Warning of Vulnerability in Palo Alto Networks Firewall

Update on 19 April 2024: Added affected versions and recommendations

The National Cyber Security Center (NCSC) warns of a critical security vulnerability with a CVSS score of 10.0 in Palo Alto devices.

Palo Alto has warned its customers that a critical flaw impacting PAN-OS software with GlobalProtect enabled is being actively exploited.

The vulnerability has been tracked as CVE-2024-3400 and has a CVSS score of 10.0, indicating maximum severity. The vulnerability allows an unauthenticated attacker to execute arbitrary code with root (administrator) privileges on vulnerable firewalls.

The vulnerability affects PAN-OS versions 11.1, 11.0, and 10.2 with both the GlobalProtect feature and device telemetry enabled. The web administration interface actively encourages users to enable these features, so the NCSC anticipates a high rate of vulnerable devices. The vulnerability affects the following PAN-OS versions:

  • PAN-OS 11.1 < 11.1.0-h3, < 11.1.1-h1, < 11.1.2-h3
  • PAN-OS 11.0 < 11.0.0-h3, < 11.0.1-h4, < 11.0.2-h4, < 11.0.3-h10, < 11.0.4-h1
  • PAN-OS 10.2 < 10.2.0-h3, < 10.2.1-h2, < 10.2.2-h5, < 10.2.3-h13, < 10.2.4-h16, < 10.2.5-h6, < 10.2.6-h3, < 10.2.7-h8, < 10.2.8-h3, < 10.2.9-h1
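
The version list above can be turned into a check over a device inventory. This is an added example, not code from the NCSC or Palo Alto Networks; the function names and the sample inventory are assumptions, and releases the list does not name are reported as `not-listed` rather than guessed.

```python
import re

# First fixed hotfix per maintenance release, transcribed from the list above.
FIXED_HOTFIX = {
    "11.1": {0: 3, 1: 1, 2: 3},
    "11.0": {0: 3, 1: 4, 2: 4, 3: 10, 4: 1},
    "10.2": {0: 3, 1: 2, 2: 5, 3: 13, 4: 16, 5: 6, 6: 3, 7: 8, 8: 3, 9: 1},
}

# Matches e.g. "10.2.5-h4" or "11.1.2" (no hotfix suffix means hotfix 0).
VERSION_RE = re.compile(r"^(\d+\.\d+)\.(\d+)(?:-h(\d+))?$")


def classify(version):
    """Return 'vulnerable', 'fixed' or 'not-listed' for a PAN-OS version string."""
    m = VERSION_RE.match(version.strip())
    if not m:
        raise ValueError(f"unrecognised PAN-OS version: {version!r}")
    train, maint, hotfix = m.group(1), int(m.group(2)), int(m.group(3) or 0)
    fixed = FIXED_HOTFIX.get(train, {}).get(maint)
    if fixed is None:
        # The list gives no threshold for this release; consult the vendor advisory.
        return "not-listed"
    # Compare hotfix numbers as integers: as strings, "h9" would sort after "h10".
    return "vulnerable" if hotfix < fixed else "fixed"


def triage(inventory):
    """Map each hostname in an iterable of (hostname, version) pairs to its status."""
    return {host: classify(version) for host, version in inventory}


# Constructed sample inventory (hostnames and versions are made up).
SAMPLE = [
    ("fw-edge-01", "10.2.5-h4"),
    ("fw-edge-02", "10.2.9-h1"),
    ("fw-dc-01", "11.0.3-h9"),
    ("fw-lab-01", "11.1.3"),
]

if __name__ == "__main__":
    for host, status in triage(SAMPLE).items():
        print(f"{host:12} {status}")
```
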

The hotfixes are scheduled to be released on 14 April 2024 (Sunday).

Recommendations

  • Immediately update your vulnerable devices to the latest version (the hotfixes were released on 14 April 2024).
  • You can verify whether you have a GlobalProtect gateway configured by checking for entries in the firewall web interface (Network > GlobalProtect > Gateways), and whether you have device telemetry enabled by checking Device > Settings > Telemetry. Disable these features.
  • Customers with a Threat Prevention subscription can block attacks for this vulnerability by enabling Threat ID 95187 (introduced in Applications and Threats content version 8833-8682). They should also apply a vulnerability protection security profile to the GlobalProtect interface to prevent exploitation of this issue on their device.
  • Customers who cannot take any of those steps can mitigate the impact of this vulnerability by temporarily disabling device telemetry.
  • Once these measures have been applied, the NCSC recommends changing passwords. In the event of a cybersecurity incident, report it to the NCSC at [email protected].

Sources

https://unit42.paloaltonetworks.com/cve-2024-3400/#post-133365-_ydqdbjg0dngh

https://security.paloaltonetworks.com/CVE-2024-3400

https://www.helpnetsecurity.com/2024/04/12/cve-2024-3400/

https://thehackernews.com/2024/04/zero-day-alert-critical-palo-alto.html

 

