The BSI warns: the PAN-OS operating system has a critical vulnerability rated with a CVSS score of 10.0 out of 10. Companies should act immediately and apply the upcoming patches or use the available workarounds.
According to BSI - the Federal Office for Information Security, on April 12, 2024, the company Palo Alto Networks published an advisory about an actively exploited vulnerability in PAN-OS, the operating system of the manufacturer's firewalls. The vulnerability, identified as CVE-2024-3400, is an OS command injection in the GlobalProtect Gateway feature that allows an unauthenticated remote attacker to execute code with root privileges on the firewall. The vulnerability was rated according to the Common Vulnerability Scoring System (CVSS) with the highest value 10.0 (“critical”; CVSS 4.0).
Affected firewalls and operating systems
The CVE-2024-3400 vulnerability affects firewalls with:
- PAN-OS 11.1 with version < 11.1.2-h3
- PAN-OS 11.0 with version < 11.0.4-h1
- PAN-OS 10.2 with version < 10.2.9-h1
with GlobalProtect Gateway configured and the telemetry feature activated.
If one of the configurations mentioned is not activated, exploitation is not possible. The older versions of PAN-OS (10.1, 10.0, 9.1 and 9.0), the cloud solution NGFW, Panorama Appliances and Prisma Access are not affected!
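The affected-version list above uses PAN-OS's "major.minor.patch-hN" hotfix notation, which a plain string comparison gets wrong (for example, "11.1.2" must sort below "11.1.2-h3"). The following added example, not part of the BSI article or of any Palo Alto Networks tooling, parses such version strings, applies the three thresholds from the advisory, and combines them with the two configuration conditions (GlobalProtect Gateway configured, telemetry enabled) to triage a constructed firewall inventory. Hostnames and inventory values are constructed for the example.

```python
import re
from typing import Dict, List, Tuple

# Fixed versions from the advisory: a device on one of these major.minor
# branches is on a vulnerable version when it is below the fixed release.
FIXED_VERSIONS: Dict[Tuple[int, int], str] = {
    (11, 1): "11.1.2-h3",
    (11, 0): "11.0.4-h1",
    (10, 2): "10.2.9-h1",
}

# PAN-OS version form: major.minor.patch with an optional "-hN" hotfix suffix.
_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:-h(\d+))?$")


def parse_panos_version(version: str) -> Tuple[int, int, int, int]:
    """Parse 'major.minor.patch[-hN]' into a tuple that compares correctly.

    A release without a hotfix suffix is treated as hotfix 0, so it sorts
    below the same release with any hotfix applied.
    """
    match = _VERSION_RE.match(version.strip())
    if not match:
        raise ValueError(f"unrecognised PAN-OS version string: {version!r}")
    major, minor, patch, hotfix = match.groups()
    return (int(major), int(minor), int(patch), int(hotfix) if hotfix else 0)


def version_is_affected(version: str) -> bool:
    """True when the version is on an affected branch and below its fix."""
    parsed = parse_panos_version(version)
    fixed = FIXED_VERSIONS.get(parsed[:2])
    if fixed is None:
        # Branches not listed in the advisory (10.1, 10.0, 9.1, 9.0, ...)
        return False
    return parsed < parse_panos_version(fixed)


def device_is_exploitable(version: str, gp_gateway_configured: bool,
                          telemetry_enabled: bool) -> bool:
    """Exploitation requires all three conditions named in the advisory."""
    return (version_is_affected(version)
            and gp_gateway_configured
            and telemetry_enabled)


def triage(inventory: List[dict]) -> Dict[str, str]:
    """Map each hostname to a triage status a firewall operator can act on."""
    result = {}
    for device in inventory:
        host = device["host"]
        if not version_is_affected(device["version"]):
            result[host] = "not affected"
        elif device_is_exploitable(device["version"], device["gp_gateway"],
                                   device["telemetry"]):
            result[host] = "EXPLOITABLE: apply workaround now, then patch"
        else:
            result[host] = "vulnerable version, not exploitable: patch"
    return result


# Constructed sample inventory (hostnames and settings are made up).
SAMPLE_INVENTORY = [
    {"host": "fw-edge-01", "version": "11.1.2",    "gp_gateway": True,  "telemetry": True},
    {"host": "fw-edge-02", "version": "11.1.2-h3", "gp_gateway": True,  "telemetry": True},
    {"host": "fw-dc-01",   "version": "10.2.8",    "gp_gateway": True,  "telemetry": False},
    {"host": "fw-lab-01",  "version": "10.1.9",    "gp_gateway": True,  "telemetry": True},
]

if __name__ == "__main__":
    for host, status in triage(SAMPLE_INVENTORY).items():
        print(f"{host}: {status}")
```

The inventory values would normally come from your asset database or from the Device > Setup and Network > GlobalProtect > Gateways pages mentioned above; the status strings follow the article's advice that a device on a vulnerable version but without both configuration conditions is not exploitable and only needs the patch.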
According to the advisory, the patches (11.1.2-h3, 11.0.4-h1, 10.2.9-h1) are expected to be released on April 14, 2024. Palo Alto Networks says it has observed a limited number of attacks using this vulnerability.
Quick measures and workarounds
There are currently no patches available. However, these should probably be available from April 14, 2024.
Operators should quickly check whether they are affected by the vulnerability. To do this, you can check in the web interface under Network > GlobalProtect > Gateways whether “GlobalProtect Gateway” is configured and under Device > Setup > Telemetry whether the telemetry feature is activated. If this is the case, one of the workarounds recommended by Palo Alto should urgently be used.
Workaround 1
Institutions should disable the telemetry feature on affected devices until the version of PAN-OS is updated. After installing the update, the telemetry option must be reactivated manually.
Workaround 2
Institutions using Palo Alto's Threat Prevention service can block attacks by enabling Threat ID 95187. In addition, vulnerability protection must be activated on the GlobalProtect interface.
Has the firewall already been attacked?
To check whether the firewall has already been compromised, Palo Alto Networks allows customers to upload a “technical support file” (TSF) in the Customer Support Portal (CSP) and have it checked for exploitation of the vulnerability.
More at BSI.Bund.de
About the Federal Office for Information Security (BSI)
The Federal Office for Information Security (BSI) is the federal cyber security authority and the creator of secure digitization in Germany. The guiding principle: As the federal cyber security authority, the BSI designs information security in digitization through prevention, detection and reaction for the state, economy and society.