Skip to content
New Report: Get your copy of The 2024 State of the Internet Report! | Download Today
Advisory

April 12, 2024: Palo Alto Networks GlobalProtect PAN-OS command injection vulnerability CVE-2024-3400

Update April 15, 2024:

Palo Alto Networks has started rolling out hotfixes to address this vulnerability. The hotfixes available so far are PAN-OS versions 10.2.9-h1, 11.0.4-h1, and 11.1.2-h3,  with additional releases planned for newer PAN-OS versions.

Moreover, researchers have discovered successful exploitation of this vulnerability going back to March 26th, 2024 to deploy this backdoor.

Global Impact (as of April 15, 2024)

*Note* – the following asset count is based on identifying Palo Alto Networks GlobalProtect products generally and does not account for specific version numbers affected specified in the vulnerability. Please see below as to identification methodology.
• 143,000+ GlobalProtect publicly-facing devices worldwide

Top affected countries:
1. US
2. Germany
3. India
4. UK
5. Australia


Summary

Censys is aware that on April 12, 2024, Palo Alto Networks (PAN) published CVE-2024-3400 regarding a command injection vulnerability in the GlobalProtect feature of their PAN-OS software. PAN stated that they are “aware of a limited number of attacks that leverage the exploitation of this vulnerability” and CISA has added it to its Known Exploited Vulnerability (KEV) database.
Asset Description
GlobalProtect is a remote access tool that has been described as a VPN and firewall by the vendor.
PAN-OS is Palo Alto Network’s operating system designation that is deployed within its products.

Impact

Potential Consequences of Successful Exploitation
According to PAN, the vulnerability “may enable an unauthenticated attacker to execute arbitrary code with root privileges on the firewall.” This level of compromise would essentially allow an attacker full takeover of a victim’s asset. This could prove especially devastating for an organization, since GlobalProtect is relied upon as a secure remote access tool which means that a successful attacker may be able to shut out/down access to validated users and/or grant access or backdoors to associated nefarious hosts.
Additionally, PAN products are typically enterprise-level tools; while largely depending on an owner’s implementation and network segmentation, an effective compromise could provide an attacker lateral movement capabilities.
Given that this critical-level of vulnerability is also currently being exploited in the wild, Censys recommends customers with PAN-OS-dependent products like GlobalProtect, give remediation for these assets top priority.

Affected Assets

According to PAN, this issue affects only assets using PAN-OS 10.2 (before 0.2.9-h1), PAN-OS 11.0 (before 11.0.4-h1), and PAN-OS 11.1 (before 11.1.2-h3).
Censys’ Rapid Response Team was able to identify Palo Alto Networks GlobalProtect devices. Due to the nature of the product, specific version information was unavailable and those who may be affected will need to verify version information after locating GlobalProtect assets using provided Censys queries.

Censys ASM Query for Exposed Assets.
This query will identify PAN GlobalProtect assets exposed to the public internet. Determining specific versions that may correspond with versions affected by the vulnerability listed above will require owners to investigate their assets, once identified.

Censys Search Query
services.software: (vendor: “Palo Alto Networks” and product: “GlobalProtect”)
This query will identify PAN GlobalProtect assets exposed to the public internet. Determining specific versions that may correspond with versions affected by the vulnerability listed above will require owners to investigate their assets, once identified.

Recommendations for remediation

from Palo Alto Networks state that fixes for affected versions “are in development and are expected to be released by April 14, 2024.” Update April 15, 2024: hotfixes 10.2.9-h1, 11.0.4-h1, and 11.1.2-h3 are now available. Fixes for newer versions are in progress. Specific, proprietary remediation options are available here under “Workarounds and Mitigations.” While not explicitly said by PAN, Censys recommends applying said fixes as soon as they are published.

If you need assistance in positively identifying these assets, please let us know.

Attack Surface Management Solutions
Learn more