Critical Palo Alto GlobalProtect Vulnerability Exploited (CVE-2024-3400)

    Published: 2024-04-13
    Last Updated: 2024-04-13 19:14:00 UTC
    by Johannes Ullrich (Version: 1)

    On Friday, Palo Alto Networks released an advisory warning users of its GlobalProtect product about a vulnerability that has been exploited since March [1].

    Volexity discovered the vulnerability after one of its customers was compromised [2]. The vulnerability allows for arbitrary code execution. A GitHub repository claimed to include an exploit (it has since been removed), but it may have been a fake rather than the actual exploit. It appeared a bit too simplistic (hopefully). I had no chance to test it.

    Assume Compromise

    According to Volexity, exploit attempts for this vulnerability were observed as early as March 26th.

    Workarounds

    GlobalProtect is only vulnerable if telemetry is enabled. Telemetry is enabled by default, but as a "quick fix" you may want to disable it. Palo Alto Threat Prevention subscribers can enable Threat ID 95187 to block the exploit.
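    Because the workaround hinges on whether telemetry is on, a defender with many firewalls will want to check exported configurations rather than click through each GUI. The following script is an added example, not code from the diary or from Palo Alto Networks. It assumes that a PAN-OS running-config export carries telemetry settings under deviceconfig/system/device-telemetry as yes/no child elements, and that an absent block means the default (enabled) applies; both the XPath and the default-on reading are assumptions to verify against your own export before relying on the result. The sample configs are constructed.

```python
"""Report whether device telemetry is enabled in exported PAN-OS configs.

Added example (not from the ISC diary or Palo Alto Networks).
ASSUMPTION: telemetry lives at deviceconfig/system/device-telemetry with
one yes/no child per category. ASSUMPTION: if the block is absent, the
default applies, and the diary states the default is enabled.
"""
import xml.etree.ElementTree as ET
from typing import Dict

TELEMETRY_XPATH = "./devices/entry/deviceconfig/system/device-telemetry"  # assumed
HOSTNAME_XPATH = "./devices/entry/deviceconfig/system/hostname"  # assumed

# Constructed sample exports (not real device output).
CONFIG_TELEMETRY_ON = """<config version="10.2.0">
  <devices><entry name="localhost.localdomain"><deviceconfig><system>
    <hostname>fw-edge-01</hostname>
    <device-telemetry>
      <device-health-performance>yes</device-health-performance>
      <product-usage>yes</product-usage>
      <threat-prevention>yes</threat-prevention>
    </device-telemetry>
  </system></deviceconfig></entry></devices>
</config>"""

CONFIG_TELEMETRY_OFF = """<config version="10.2.0">
  <devices><entry name="localhost.localdomain"><deviceconfig><system>
    <hostname>fw-edge-02</hostname>
    <device-telemetry>
      <device-health-performance>no</device-health-performance>
      <product-usage>no</product-usage>
      <threat-prevention>no</threat-prevention>
    </device-telemetry>
  </system></deviceconfig></entry></devices>
</config>"""

# No telemetry block at all: the device never had the setting touched.
CONFIG_TELEMETRY_UNSET = """<config version="10.2.0">
  <devices><entry name="localhost.localdomain"><deviceconfig><system>
    <hostname>fw-edge-03</hostname>
  </system></deviceconfig></entry></devices>
</config>"""


def telemetry_status(config_xml: str) -> Dict[str, bool]:
    """Map each telemetry category found in the export to True (yes) / False.

    Returns an empty dict when the export has no device-telemetry block.
    """
    root = ET.fromstring(config_xml)
    block = root.find(TELEMETRY_XPATH)
    if block is None:
        return {}
    return {
        child.tag: (child.text or "").strip().lower() == "yes"
        for child in block
    }


def telemetry_enabled(config_xml: str) -> bool:
    """True if any telemetry category is on, or if the block is absent.

    The absent case is treated as enabled because telemetry is on by
    default (assumption based on the diary's statement).
    """
    status = telemetry_status(config_xml)
    if not status:
        return True
    return any(status.values())


def hostname(config_xml: str) -> str:
    """Return the configured hostname, or 'unknown' if not present."""
    node = ET.fromstring(config_xml).find(HOSTNAME_XPATH)
    return (node.text or "").strip() if node is not None else "unknown"


def report(config_xml: str) -> str:
    """One-line triage summary for a config export."""
    state = "ENABLED (workaround not applied)" if telemetry_enabled(config_xml) \
        else "disabled"
    return f"{hostname(config_xml)}: telemetry {state}"


if __name__ == "__main__":
    for cfg in (CONFIG_TELEMETRY_ON, CONFIG_TELEMETRY_OFF, CONFIG_TELEMETRY_UNSET):
        print(report(cfg))
```

    Feed it the output of a running-config export for each device; a host reported as enabled still needs the workaround (or the patch once it ships), and a host with no telemetry block should be confirmed by hand rather than trusted as safe.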

    Patch

    A patch should be available soon (it is not available as I am writing this). Check with Palo Alto for updates.

    [1] https://security.paloaltonetworks.com/CVE-2024-3400
    [2] https://www.volexity.com/blog/2024/04/12/zero-day-exploitation-of-unauthenticated-remote-code-execution-vulnerability-in-globalprotect-cve-2024-3400

    ---
    Johannes B. Ullrich, Ph.D. , Dean of Research, SANS.edu