Rapid 7 - CVE-2024-3400: Critical Command Injection Vulnerability in Palo Alto Networks Firewalls

CVE-2024-3400: Critical Command Injection Vulnerability in Palo Alto Networks Firewalls

On Friday, April 12, Palo Alto Networks published an advisory on CVE-2024-3400, a CVSS 10 vulnerability in several versions of PAN-OS, the operating system that runs on the company’s firewalls. According to the vendor advisory, if conditions for exploitability are met, the vulnerability may enable an unauthenticated attacker to execute arbitrary code with root privileges on the firewall. The vulnerability is currently unpatched. Patches are expected to be available by Sunday, April 14, 2024.

Note: Palo Alto Networks customers are only vulnerable if they are using PAN-OS 10.2, PAN-OS 11.0, and/or PAN-OS 11.1 firewalls with the configurations for both GlobalProtect gateway and device telemetry enabled.

Palo Alto Networks’ advisory indicates that CVE-2024-3400 has been exploited in the wild in “a limited number of attacks.” The company has given the vulnerability their highest urgency rating.

Mitigation guidance

CVE-2024-3400 is unpatched as of Friday, April 12 and affects the following versions of PAN-OS when GlobalProtect gateway and device telemetry are enabled:

  • PAN-OS 11.1 (before 11.1.2-h3)
  • PAN-OS 11.0 (before 11.0.4-h1)
  • PAN-OS 10.2 (before 10.2.9-h1)

Palo Alto Networks’ Cloud NGFW and Prisma Access solutions are not affected; nor are earlier versions of PAN-OS (10.1, 10.0, 9.1, and 9.0). For additional information and the latest remediation guidance, please see Palo Alto Networks’ advisory.

The company has indicated that hotfix releases of PAN-OS 10.2.9-h1, PAN-OS 11.0.4-h1, and PAN-OS 11.1.2-h3 will be released by April 14, along with hotfixes for “all later PAN-OS versions.”

Rapid7 recommends applying one of the below vendor-provided mitigations immediately:

  • Customers with a Threat Prevention subscription can block attacks for this vulnerability by enabling Threat ID 95187 (introduced in Applications and Threats content version 8833-8682). In addition to enabling Threat ID 95187, customers should ensure vulnerability protection has been applied to their GlobalProtect interface to prevent exploitation of this issue on their device. More information here.
  • Those unable to apply the Threat Prevention mitigation can mitigate by temporarily disabling device telemetry until the device is upgraded to a fixed PAN-OS version. Once upgraded, device telemetry should be re-enabled on the device.

Rapid7 customers

Authenticated vulnerability checks are expected to be available to InsightVM and Nexpose customers in today’s (Friday, April 12) content release.

Per the vendor advisory, organizations that are running vulnerable firewalls and are concerned about potential exploitation in their environments can open a support case with Palo Alto Networks to determine if their device logs match known indicators of compromise (IoCs) for this vulnerability.



from Rapid7 Cybersecurity Blog https://blog.rapid7.com/2024/04/12/etr-cve-2024-3400-critical-command-injection-vulnerability-in-palo-alto-networks-firewalls-2/

Comments

Post a Comment

Popular posts from this blog

KnowBe4 - Scam Of The Week: "When Users Add Their Names to a Wall of Shame"

Image
Eric Howes , KnowBe4 Principal Lab Researcher, found out about another insidious bad guy trick: " If you work in IT there has undoubtedly come a dark moment when you wondered to yourself just who among your employee users would be gullible enough to click through a phishing email and potentially bring down your organization. from KnowBe4 Security Awareness Training Blog https://blog.knowbe4.com/when-users-add-their-names-to-a-wall-of-shame
Read more

Krebs - NY Charges First American Financial for Massive Data Leak

Image
In May 2019, KrebsOnSecurity broke the news that the website of mortgage title insurance giant First American Financial Corp. had exposed approximately 885 million records related to mortgage deals going back to 2003. On Wednesday, regulators in New York announced that First American was the target of their first ever cybersecurity enforcement action in connection with the incident, charges that could bring steep financial penalties. First American Financial Corp. Santa Ana, Calif.-based  First American [ NYSE:FAF ] is a leading provider of title insurance and settlement services to the real estate and mortgage industries. It employs some 18,000 people and brought in $6.2 billion in 2019 . As first reported here last year , First American’s website exposed 16 years worth of digitized mortgage title insurance records — including bank account numbers and statements, mortgage and tax records, Social Security numbers, wire transaction receipts, and drivers license images. The docum
Read more

SBS CyberSecurity - In The Wild 166

Image
  In The Wild - CyberSecurity Newsletter Welcome to the 166 th issue of In The Wild, SBS’ weekly CyberSecurity newsletter. The objective of this newsletter is to share threat intelligence, news articles that are relevant, new and updated guidance, and other information to help you make better cybersecurity decisions. Follow SBS CyberSecurity on Social Media for more articles, stories, news, and resources!           Below, you will find some of the latest-and-greatest news stories, articles, videos, and links from the past week in cybersecurity. Some of the following stories have been shared by consultants, others by the SBS Institute, and others yet simply been found in the far corners of the Internet. We hope you find the following stories relevant, interesting, and – most of all – useful. Enjoy. CyberRiskNOW Virtual Conference SBS Educational Resources This virtual conference is designed to provide interactive training on evo
Read more