A command injection as a result of arbitrary file creation vulnerability in the GlobalProtect feature of Palo Alto Networks PAN-OS software for specific PAN-OS versions and distinct feature configurations may enable an unauthenticated attacker to execute arbitrary code with root privileges on the firewall.
Cloud NGFW, Panorama appliances, and Prisma Access are not impacted by this vulnerability.
Customers should continue to monitor this security advisory for the latest updates and product guidance.
CVE | 2024-3400 |
CVSS v3 (Base Score) | 10 |
Published Date | 2024-04-12 |
Impacted Product | PAN-OS 11.1 : < 11.1.0-h3, < 11.1.1-h1, < 11.1.2-h3 PAN-OS 11.0 : < 11.0.0-h3, < 11.0.1-h4, < 11.0.2-h4, < 11.0.3-h10, < 11.0.4-h1 PAN-OS 10.2 : < 10.2.0-h3, < 10.2.1-h2, < 10.2.2-h5, < 10.2.3-h13, < 10.2.4-h16, < 10.2.5-h6, < 10.2.6-h3, < 10.2.7-h8, < 10.2.8-h3, < 10.2.9-h1 |
Exploit availability | Yes https://github.com/ihebski/CVE-2024-3400 https://github.com/0x0d3ad/CVE-2024-3400 |
Solution:
We strongly advise customers to immediately upgrade to a fixed version of PAN-OS to protect their devices even when workarounds and mitigations have been applied.
This issue is fixed in PAN-OS 10.2.9-h1, PAN-OS 11.0.4-h1, PAN-OS 11.1.2-h3, and in all later PAN-OS versions. These fixes and those listed below completely prevent the initial remote command execution, stopping subsequent post-exploitation or persistence.
In addition, to provide the most seamless upgrade path for customers, additional hotfixes have been made available as a courtesy for other commonly deployed maintenance releases. PAN-OS 10.2:
- 10.2.9-h1 (Released 4/14/24)
- 10.2.8-h3 (Released 4/15/24)
- 10.2.7-h8 (Released 4/15/24)
- 10.2.6-h3 (Released 4/16/24)
- 10.2.5-h6 (Released 4/16/24)
- 10.2.4-h16 (Released 4/18/24)
- 10.2.3-h13 (Released 4/18/24)
- 10.2.2-h5 (Released 4/18/24)
- 10.2.1-h2 (Released 4/18/24)
- 10.2.0-h3 (Released 4/18/24)
PAN-OS 11.0:
- 11.0.4-h1 (Released 4/14/24)
- 11.0.4-h2 (Released 4/17/24)
- 11.0.3-h10 (Released 4/16/24)
- 11.0.2-h4 (Released 4/16/24)
- 11.0.1-h4 (Released 4/18/24)
- 11.0.0-h3 (Released 4/18/24)
PAN-OS 11.1:
- 11.1.2-h3 (Released 4/14/24)
- 11.1.1-h1 (Released 4/16/24)
- 11.1.0-h3 (Released 4/16/24)
Leave a Reply