Palo Alto Networks Warns About Critical Zero-Day in PAN-OS

Written by

A critical zero-day vulnerability in Palo Alto Networks’ PAN-OS software, used in its GlobalProtect gateways, is being exploited in the wild, and no patches are available yet.

Palo Alto Networks issued an alert about the flaw on April 12, 2024, thanking cybersecurity firm Volexity for discovering it.

The vulnerability is a command injection vulnerability in the GlobalProtect feature of Palo Alto Networks’ PAN-OS software for specific PAN-OS versions.

The zero-day has been registered as CVE-2024-3400 and attributed the highest severity score (CVSS of 10.0).

“Distinct feature configurations may enable an unauthenticated attacker to execute arbitrary code with root privileges on the firewall," Palo Alto said in the advisory.

Limited Active Exploitation

The versions concerned are the following:

  • PAN-OS < 11.1.2-h3
  • PAN-OS < 11.0.4-h1
  • PAN-OS < 10.2.9-h1

The company also said that the vulnerability can only be exploited with firewalls that have the configurations for both GlobalProtect gateway (Network > GlobalProtect > Gateways) and device telemetry (Device > Setup > Telemetry) enabled.

The firm is aware of a limited number of attacks that leverage the exploitation of this vulnerability.

Upcoming Fixes for CVE-2024-3400

Although there are no fixes available, Palo Alto issued some mitigation recommendations:

  • Apply a vulnerability protection security profile to the GlobalProtect interface to prevent exploitation
  • Customers with a Threat Prevention subscription can block attacks for this vulnerability by enabling Threat ID 95187

The firm announced the flaw will be fixed on April 14 during a series of hotfixes for PAN-OS versions 11.1.2-h3, 11.0.4-h1, and 10.2.9-h1.

CVE 2024-3385, Another (Fixed) Flaw in PAN-OS

This advisory comes two days after another vulnerability was discovered in PAN-OS.

Registered as CVE 2024-3385, the high-severity flaw was spotted in a Palo Alto Networks PAN-OS software packet processing mechanism included in PA-5400 and PA-7000 Series firewalls. It enables a remote attacker to reboot hardware-based firewalls and can lead to a denial of service (DoS) attack.

This issue was fixed in PAN-OS 9.0.17-h4, PAN-OS 9.1.17, PAN-OS 10.1.12, PAN-OS 10.2.8, PAN-OS 11.0.3, and all later PAN-OS versions.

What’s hot on Infosecurity Magazine?