Critical Palo Alto GlobalProtect Vulnerability Exploited (CVE-2024-3400)

    Published: 2024-04-13
    Last Updated: 2024-04-15 12:28:02 UTC
    by Johannes Ullrich (Version: 1)
    0 comment(s)

    On Friday, Palo Alto Networks released an advisory warning users of Palo Alto's Global Protect product of a vulnerability that has been exploited since March [1].

    Volexity discovered the vulnerability after one of its customers was compromised [2]. The vulnerability allows for arbitrary code execution. A GitHub repository claimed to include an exploit (it has been removed by now).  But the exploit may have been a fake and not the actual exploit. It appeared a bit too simplistic (hopefully). I had no chance to test it.

    Assume Compromise

    According to Volexity, exploit attempts for this vulnerability were observed as early as March 26th.

    Workarounds

    GlobalProtect is only vulnerable if telemetry is enabled. Telemetry is enabled by default, but as a "quick fix", you may want to disable telemetry. Palo Alto Threat Prevention subscribers can enable Threat ID 95187 to block the exploit.

    Patch

    A patch was made available late on April 14th. Consider expediting the patch, but some testing should be performed to mitigate the risk of a "rushed out" patch.

    [1] https://security.paloaltonetworks.com/CVE-2024-3400
    [2] https://www.volexity.com/blog/2024/04/12/zero-day-exploitation-of-unauthenticated-remote-code-execution-vulnerability-in-globalprotect-cve-2024-3400

    ---
    Johannes B. Ullrich, Ph.D. , Dean of Research, SANS.edu
    Twitter|

    0 comment(s)
    ISC Stormcast For Sunday, April 14th, 2024 https://isc.sans.edu/podcastdetail/8938

      Comments


      Diary Archives