Alert - Vulnerability impacting PAN-OS GlobalProtect Gateway - Update 2

Number: AL24-005
Date: April 17, 2024

Audience

This Alert is intended for IT professionals and managers.

Purpose

An Alert is used to raise awareness of a recently identified cyber threat that may impact cyber information assets, and to provide additional detection and mitigation advice to recipients. The Canadian Centre for Cyber Security ("Cyber Centre") is also available to provide additional assistance regarding the content of this Alert to recipients as requested.

Details

On April 12, 2024, Palo Alto Networks published a security advisory about a critical vulnerability (CVE-2024-3400) impacting the GlobalProtect Gateway feature in PAN-OS 11.1, 11.0 and 10.2 (Footnote 1). In response to this advisory, the Cyber Centre released advisory AV24-198 on April 12 (Footnote 2).

Exploitation of CVE-2024-3400 may allow an unauthenticated threat actor to execute arbitrary code with root privileges on the firewall (Footnote 1). Palo Alto Networks is aware of limited exploitation of CVE-2024-3400.

This vulnerability affects the following PAN-OS 10.2, PAN-OS 11.0, and PAN-OS 11.1 firewalls with the configurations for both GlobalProtect gateway and device telemetry enabled:

  • PAN-OS 11.1 – versions prior to 11.1.2-h3
  • PAN-OS 11.0 – versions prior to 11.0.4-h1
  • PAN-OS 10.2 – versions prior to 10.2.9-h1
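As an added example (not part of the Cyber Centre alert or of Palo Alto Networks tooling), the following Python script compares a PAN-OS version string against the fixed releases listed above, and pulls the running version out of a constructed sample of the XML that the PAN-OS operational command `show system info` returns (the `<sw-version>` element name and the sample response are assumptions):

```python
import re
import xml.etree.ElementTree as ET

# Fixed releases named in the advisory. Any earlier build on the same
# release train is affected when a GlobalProtect gateway/portal is configured.
FIXED = {
    (10, 2): (10, 2, 9, 1),   # PAN-OS 10.2.9-h1
    (11, 0): (11, 0, 4, 1),   # PAN-OS 11.0.4-h1
    (11, 1): (11, 1, 2, 3),   # PAN-OS 11.1.2-h3
}

VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:-h(\d+))?$")


def parse_version(text):
    """Turn '10.2.8-h3' into a sortable tuple (major, minor, patch, hotfix).
    A release without a hotfix (hotfix 0) sorts before its own first hotfix."""
    m = VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised PAN-OS version: {text!r}")
    major, minor, patch, hotfix = m.groups()
    return (int(major), int(minor), int(patch), int(hotfix or 0))


def is_affected(version):
    """True when the version is on one of the three trains in the advisory
    and is older than that train's hotfix. Trains not listed (e.g. 10.1)
    are reported as not affected, mirroring the advisory's list."""
    v = parse_version(version)
    fixed = FIXED.get(v[:2])
    return fixed is not None and v < fixed


def sw_version_from_system_info(xml_text):
    """Extract the <sw-version> element (assumed name) from a 'show system
    info' XML response, wherever it sits in the result tree."""
    node = ET.fromstring(xml_text).find(".//sw-version")
    if node is None or not node.text:
        raise ValueError("no sw-version element in response")
    return node.text.strip()


# Constructed sample response; not captured from a real device.
SAMPLE_SYSTEM_INFO = """<response status="success"><result><system>
<hostname>fw-edge-01</hostname><sw-version>10.2.8-h3</sw-version>
</system></result></response>"""

if __name__ == "__main__":
    ver = sw_version_from_system_info(SAMPLE_SYSTEM_INFO)
    print(ver, "affected" if is_affected(ver) else "not affected")
```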

Fixes for this vulnerability are in development and are expected to be released by April 14 (Footnote 1).

Cloud NGFW, Panorama appliances, and Prisma Access are not impacted by this vulnerability.

Update 1

On April 14, 2024, Palo Alto Networks released hotfixes for PAN-OS 10.2.9-h1, PAN-OS 11.0.4-h1, and PAN-OS 11.1.2-h3 (Footnote 6). Hotfixes for additional versions will be made available in the coming days.

Update 2

On April 17, 2024, Palo Alto Networks updated their security advisory (Footnote 1) to reflect that having device telemetry disabled does NOT protect PAN-OS 10.2, PAN-OS 11.0, and PAN-OS 11.1 firewalls configured with GlobalProtect gateway and/or GlobalProtect portal from exploitation.

With the GlobalProtect portal product now added as a vulnerable configuration, Palo Alto Networks no longer recommends this as a mitigation and clients with affected versions are advised to apply the hotfixes.

Palo Alto Networks has also provided additional Threat Prevention Threat IDs 95189 and 95191 (available in Applications and Threats content version 8836-8695 and later). Customers with a Threat Prevention subscription can leverage the new signatures for detection and prevention.

Clients can verify whether they have a GlobalProtect gateway or GlobalProtect portal configured by checking for entries in their firewall web interface (Network > GlobalProtect > Gateways or Network > GlobalProtect > Portals).

To reflect the updated guidance from Palo Alto Networks, the Cyber Centre has removed the recommendation to disable telemetry as a mitigation strategy.

Suggested actions

Update April 17, 2024

Clients can verify whether they have a GlobalProtect gateway or GlobalProtect portal configured by checking for entries in their firewall web interface (Network > GlobalProtect > Gateways or Network > GlobalProtect > Portals).

To reflect the updated guidance from Palo Alto Networks, the Cyber Centre has removed the recommendation to disable telemetry as a mitigation strategy.

End of update

The Cyber Centre strongly recommends that organizations patch affected firewalls when fixes are made available.

Customers with a Threat Prevention subscription can block attacks for this vulnerability by enabling Threat ID 95187 (introduced in Applications and Threats content version 8833-8682).

In addition to enabling Threat ID 95187, customers must ensure vulnerability protection has been applied to their GlobalProtect interface to prevent exploitation of this issue on their device (Footnote 1).

If you are unable to apply the Threat Prevention based mitigation at this time, you can still mitigate the impact of this vulnerability by temporarily disabling device telemetry until the device is upgraded to a fixed PAN-OS version. Once upgraded, device telemetry should be re-enabled on the device (Footnote 1).

The Cyber Centre recommends organizations review open source resources for additional information and indicators of compromise (Footnote 3, Footnote 4).

Organizations should also review and implement the Cyber Centre’s Top 10 IT Security Actions (Footnote 5) with an emphasis on the following topics:

  • Consolidating, monitoring, and defending Internet gateways.
  • Patching operating systems and applications.
  • Isolating web-facing applications.

Should activity matching the content of this alert be discovered, recipients are encouraged to report via the My Cyber Portal, or email contact@cyber.gc.ca.

Partner Reporting

ACSC - OS Command Injection Vulnerability in GlobalProtect Gateway

NCSC-NZ - Palo Alto Command Injection Vulnerability in PAN-OS GlobalProtect
