Update April 15, 2024:
Global Impact (as of April 15, 2024)
*Note* – the following asset count is based on identifying Palo Alto Networks GlobalProtect products generally and does not account for the specific affected version numbers listed in the vulnerability advisory. Please see below for the identification methodology.
• 143,000+ GlobalProtect publicly-facing devices worldwide
Top affected countries:
1. US
2. Germany
3. India
4. UK
5. Australia
Summary
Censys is aware that on April 12, 2024, Palo Alto Networks (PAN) published CVE-2024-3400 regarding a command injection vulnerability in the GlobalProtect feature of their PAN-OS software. PAN stated that they are “aware of a limited number of attacks that leverage the exploitation of this vulnerability” and CISA has added it to its Known Exploited Vulnerability (KEV) database.
Asset Description
GlobalProtect is a remote access tool that has been described as a VPN and firewall by the vendor.
PAN-OS is the designation for Palo Alto Networks’ operating system, which is deployed within its products.
Impact
Potential Consequences of Successful Exploitation
According to PAN, the vulnerability “may enable an unauthenticated attacker to execute arbitrary code with root privileges on the firewall.” This level of compromise would essentially allow an attacker full takeover of a victim’s asset. This could prove especially devastating for an organization, since GlobalProtect is relied upon as a secure remote access tool: a successful attacker may be able to lock out or shut down access for legitimate users and/or grant access or backdoors to attacker-controlled hosts.
Additionally, PAN products are typically enterprise-level tools; while largely depending on an owner’s implementation and network segmentation, an effective compromise could provide an attacker lateral movement capabilities.
Given that this critical vulnerability is also currently being exploited in the wild, Censys recommends that customers with PAN-OS-dependent products like GlobalProtect give remediation for these assets top priority.
Affected Assets
According to PAN, this issue affects only assets using PAN-OS 10.2 (before 10.2.9-h1), PAN-OS 11.0 (before 11.0.4-h1), and PAN-OS 11.1 (before 11.1.2-h3).
Censys’ Rapid Response Team was able to identify Palo Alto Networks GlobalProtect devices. Due to the nature of the product, specific version information was unavailable, so those who may be affected will need to verify version information themselves after locating GlobalProtect assets using the Censys queries provided.
Censys ASM Query for Exposed Assets
This query will identify PAN GlobalProtect assets exposed to the public internet. Determining specific versions that may correspond with versions affected by the vulnerability listed above will require owners to investigate their assets, once identified.
Censys Search Query
services.software: (vendor: "Palo Alto Networks" and product: "GlobalProtect")
Recommendations for remediation
Recommendations from Palo Alto Networks state that fixes for affected versions “are in development and are expected to be released by April 14, 2024.” Update April 15, 2024: hotfixes 10.2.9-h1, 11.0.4-h1, and 11.1.2-h3 are now available. Fixes for newer versions are in progress. Specific, proprietary remediation options are available here under “Workarounds and Mitigations.” While not explicitly stated by PAN, Censys recommends applying these fixes as soon as they are published.
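The version check that owners must perform after locating their GlobalProtect assets, as an added Python example (not Censys’ or Palo Alto Networks’ code): it encodes only the three affected trains and hotfix thresholds named above, so versions on other trains are reported as undetermined rather than guessed at. The host inventory is constructed and the function names are hypothetical.

```python
import re
from typing import Iterable, List, Optional, Tuple

# Fixed (hotfix) releases named in the advisory; any release on the same
# major.minor train below its hotfix is treated as affected.
FIXED_RELEASES = {
    (10, 2): "10.2.9-h1",
    (11, 0): "11.0.4-h1",
    (11, 1): "11.1.2-h3",
}

# PAN-OS versions look like "11.0.4" or "11.0.4-h1" (the -hN suffix is a hotfix).
_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:-h(\d+))?$")


def parse_panos_version(version: str) -> Tuple[int, int, int, int]:
    """Turn '11.0.4-h1' into (11, 0, 4, 1); a release with no hotfix gets 0,
    so a plain 10.2.9 sorts below 10.2.9-h1 and is still counted as affected."""
    m = _VERSION_RE.match(version.strip())
    if not m:
        raise ValueError(f"unrecognised PAN-OS version string: {version!r}")
    major, minor, patch, hotfix = m.groups()
    return int(major), int(minor), int(patch), int(hotfix or 0)


def is_affected(version: str) -> Optional[bool]:
    """True if the version is below the named hotfix for its train, False if it
    is at or above it, None if the train is not named in the advisory and so
    cannot be judged from this page alone."""
    parsed = parse_panos_version(version)
    fixed = FIXED_RELEASES.get(parsed[:2])
    if fixed is None:
        return None
    return parsed < parse_panos_version(fixed)  # tuple comparison, left to right


def triage(hosts: Iterable[Tuple[str, str]]) -> List[Tuple[str, str]]:
    """Constructed inventory triage: hosts is an iterable of (ip, version) pairs
    from the owner's own records. Returns the entries that still need a hotfix."""
    return [(ip, v) for ip, v in hosts if is_affected(v) is True]


if __name__ == "__main__":
    # Constructed sample inventory using documentation (TEST-NET) addresses.
    inventory = [("192.0.2.10", "10.2.8"), ("192.0.2.11", "11.1.2-h3"),
                 ("192.0.2.12", "10.1.9"), ("192.0.2.13", "11.0.3-h2")]
    for ip, version in triage(inventory):
        print(f"{ip}: PAN-OS {version} needs the hotfix")
```

Hosts for which `is_affected` returns `None` should be reviewed against the vendor advisory rather than assumed safe, since the page notes that fixes for newer versions are still in progress.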
If you need assistance in positively identifying these assets, please let us know.