On Friday, April 12, Palo Alto Networks published an advisory on CVE-2024-3400, a CVSS 10 vulnerability in several versions of PAN-OS, the operating system that runs on the company’s firewalls. According to the vendor advisory, if conditions for exploitability are met, the vulnerability may enable an unauthenticated attacker to execute arbitrary code with root privileges on the firewall. The vulnerability is currently unpatched. Patches are expected to be available by Sunday, April 14, 2024.
Note: Palo Alto Networks customers are only vulnerable if they are using PAN-OS 10.2, PAN-OS 11.0, and/or PAN-OS 11.1 firewalls with the configurations for both GlobalProtect gateway and device telemetry enabled.
Palo Alto Networks’ advisory indicates that CVE-2024-3400 has been exploited in the wild in “a limited number of attacks.” The company has given the vulnerability their highest urgency rating.
Mitigation guidance
CVE-2024-3400 is unpatched as of Friday, April 12 and affects the following versions of PAN-OS when GlobalProtect gateway and device telemetry are enabled:
PAN-OS 11.1 (before 11.1.2-h3)
PAN-OS 11.0 (before 11.0.4-h1)
PAN-OS 10.2 (before 10.2.9-h1)
Palo Alto Networks’ Cloud NGFW and Prisma Access solutions are not affected; nor are earlier versions of PAN-OS (10.1, 10.0, 9.1, and 9.0). For additional information and the latest remediation guidance, please see Palo Alto Networks’ advisory.
The company has indicated that hotfix releases of PAN-OS 10.2.9-h1, PAN-OS 11.0.4-h1, and PAN-OS 11.1.2-h3 will be released by April 14, along with hotfixes for “all later PAN-OS versions.”
Rapid7 recommends applying one of the below vendor-provided mitigations immediately:
Customers with a Threat Prevention subscription can block attacks for this vulnerability by enabling Threat ID 95187 (introduced in Applications and Threats content version ..Support the originator by clicking the read the rest link below.
