Published on: 15 April 2024
Palo Alto has published security advisories to address multiple vulnerabilities in PAN-OS and Prisma Access. The detailed information about the vulnerabilities can be found at:
https://security.paloaltonetworks.com/CVE-2024-3382
https://security.paloaltonetworks.com/CVE-2024-3383
https://security.paloaltonetworks.com/CVE-2024-3384
https://security.paloaltonetworks.com/CVE-2024-3385
https://security.paloaltonetworks.com/CVE-2024-3386
https://security.paloaltonetworks.com/CVE-2024-3387
https://security.paloaltonetworks.com/CVE-2024-3388
https://security.paloaltonetworks.com/CVE-2024-3400
Palo Alto disclosed a critical, actively exploited command injection vulnerability (CVE-2024-3400) affecting PAN-OS 10.2, PAN-OS 11.0, and PAN-OS 11.1 firewalls configured with both GlobalProtect gateway and device telemetry enabled. If successfully exploited, the vulnerability could enable an unauthenticated attacker to execute arbitrary code with root privileges on a vulnerable device. While the relevant hotfixes are not yet available to address the issue, Palo Alto advised those using a Threat Prevention subscription to enable Threat ID 95187 and ensure that vulnerability protection has been applied to their GlobalProtect interface. Those who are unable to apply the Threat Prevention based mitigation are advised to temporarily disable device telemetry (https://docs.paloaltonetworks.com/pan-os/11-0/pan-os-admin/device-telemetry/device-telemetry-configure/device-telemetry-disable) until the affected device has been upgraded to a fixed PAN-OS version. System administrators are advised to take immediate action to apply the workaround to address the vulnerability.
On 15 April 2024, Palo Alto released hotfixes for various PAN-OS versions to address the command injection vulnerability (CVE-2024-3400). System administrators are advised to apply the hotfixes provided by Palo Alto to mitigate the elevated risk of cyber attacks.
For detailed information on the affected systems, please refer to the corresponding security advisory on the vendor's website.
Successful exploitation of the vulnerabilities could lead to remote code execution, denial of service, information disclosure or security restriction bypass on an affected system.
Patches for affected systems are now available. For detailed information on the available patches, please refer to the "Solution" section of the corresponding security advisory on the vendor's website. The patch for CVE-2024-3400 is available, and Palo Alto also provides mitigations to reduce the risk of exploitation at:
https://security.paloaltonetworks.com/CVE-2024-3400
System administrators of affected systems should follow the recommendations provided by the vendor and take immediate action to mitigate the risk.