On April 12th, 2024, Palo Alto Networks disclosed a critical vulnerability affecting PAN-OS software used in security appliances like their next-generation firewalls [1]. CVE-2024-3400 is a command injection vulnerability with a CVSS score of 10.0 (Critical). The vulnerability allows adversaries to execute commands in Palo Alto firewalls with root privileges remotely. Considering its potential impact, organizations are advised to patch their vulnerable PAN-OS software as soon as possible.
In this blog, we explain how the Palo Alto PAN-OS CVE-2024-3400 vulnerability works and how organizations can defend against CVE-2024-3400 attacks.
Palo Alto PAN-OS CVE-2024-3400 Vulnerability Explained
Palo Alto Networks Operating System (PAN-OS) is the foundational software platform for Palo Alto Networks' next-generation firewalls and other security appliances. On April 12th, 2024, Palo Alto released a security advisory about a command injection vulnerability affecting PAN-OS software. CVE-2024-3400 has a CVSS score of 10.0 (Critical) and can be exploited for unauthenticated remote code execution with root privileges on vulnerable PAN-OS versions. Since PAN-OS runs on many Palo Alto firewall appliances, adversaries may abuse the CVE-2024-3400 vulnerability for initial access, persistence, data exfiltration, or lateral movement.
CVE-2024-3400 vulnerability affects the products below, and organizations are advised to patch their vulnerable PAN-OS software without delay.
| Product Name | Affected Versions | Fixed Versions |
|---|---|---|
| PAN-OS 11.1 | 11.1.0-h3 or below; 11.1.1-h1 or below; 11.1.2-h3 or below | 11.1.0-h3 or later; 11.1.1-h1 or later; 11.1.2-h3 or later |
| PAN-OS 11.0 | 11.0.2-h4 or below; 11.0.3-h10 or below; 11.0.4-h1 or below | 11.0.2-h4 or later; 11.0.3-h10 or later; 11.0.4-h1 or later |
| PAN-OS 10.2 | 10.2.5-h6 or below; 10.2.6-h3 or below; 10.2.7-h8 or below; 10.2.8-h3 or below; 10.2.9-h1 or below | 10.2.5-h6 or later; 10.2.6-h3 or later; 10.2.7-h8 or later; 10.2.8-h3 or later; 10.2.9-h1 or later |
How Does the Palo Alto CVE-2024-3400 Exploit Work?
CVE-2024-3400 is a command injection vulnerability in the GlobalProtect feature of PAN-OS software. GlobalProtect's telemetry functionality uses the curl command to send logs from a temporary directory. Using a malformed SESSID cookie value, adversaries can inject shell commands that run with root privileges via unauthenticated HTTP POST requests.
The example HTTP POST request below exploits the CVE-2024-3400 vulnerability. Note the curl{$IFS}example.com at the end of the SESSID.
POST /ssl-vpn/hipreport.esp HTTP/1.1
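As an added detection example (not code from the original post or from Palo Alto Networks), the following Python scans constructed request-log lines and flags SESSID cookie values that carry directory traversal or Unix shell expansion such as $IFS, the two pattern families that the IPS/WAF signatures listed later in this post are built around. The log-line format, the rule names and the allow-list character set for a legitimate SESSID are assumptions.

```python
import re
from urllib.parse import unquote

# Constructed sample request-log lines (hypothetical format, not a real PAN-OS log):
# "<METHOD> <PATH> <PROTO> Cookie: <raw Cookie header>"; SESSID is assumed to be the last cookie.
SAMPLE_LOG = [
    "POST /ssl-vpn/hipreport.esp HTTP/1.1 Cookie: SESSID=a1b2c3d4e5f60718",
    "POST /ssl-vpn/hipreport.esp HTTP/1.1 Cookie: PAN_LANG=en; SESSID=../../tmp/x",
    "POST /ssl-vpn/hipreport.esp HTTP/1.1 Cookie: SESSID=`curl${IFS}example.com`",
    "POST /ssl-vpn/hipreport.esp HTTP/1.1 Cookie: SESSID=%2E%2E%2F%24%7BIFS%7D",
    "GET /global-protect/login.esp HTTP/1.1 Cookie: SESSID=deadbeefcafe",
]

LINE_RE = re.compile(r"^(?P<method>\S+) (?P<path>\S+) HTTP/[\d.]+ Cookie: (?P<cookie>.*)$")
SESSID_RE = re.compile(r"(?:^|;\s*)SESSID=(?P<value>.*)$")

# Allow-list: a legitimate session identifier is an opaque token, so anything outside
# this (assumed) character set is suspicious even if no deny-list rule below fires.
SAFE_SESSID_RE = re.compile(r"^[A-Za-z0-9_-]{8,128}$")

# Deny-list rules mirroring the signature families in the mitigation table: directory
# traversal inside the session-id cookie, and Unix shell expansion/substitution ($IFS).
RULES = {
    "traversal": re.compile(r"\.\.[\\/]"),
    "ifs_expansion": re.compile(r"\$\{?IFS"),      # matches ${IFS} and $IFS
    "shell_substitution": re.compile(r"`|\$\("),   # backticks or $(...)
    "shell_separator": re.compile(r"[;|&\n]"),
}


def classify_sessid(raw_value: str) -> list:
    """Return the names of the rules a (percent-decoded) SESSID value violates."""
    value = unquote(raw_value)  # decode %2E%2E%2F etc. before matching, as an IPS would
    hits = [name for name, rx in RULES.items() if rx.search(value)]
    if not hits and not SAFE_SESSID_RE.match(value):
        hits.append("unexpected_charset")
    return hits


def scan_log(lines: list) -> list:
    """Flag requests whose SESSID cookie looks injected; clean lines produce no finding."""
    findings = []
    for line in lines:
        m = LINE_RE.match(line)
        c = SESSID_RE.search(m.group("cookie")) if m else None
        if not c:
            continue
        reasons = classify_sessid(c.group("value"))
        if reasons:
            findings.append({"path": m.group("path"), "sessid": c.group("value"), "reasons": reasons})
    return findings
```

Running `scan_log(SAMPLE_LOG)` returns three findings (the traversal, the backtick/$IFS injection and the percent-encoded variant) and nothing for the two opaque session tokens.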
Volexity discovered in-the-wild exploitation of the CVE-2024-3400 vulnerability by a threat actor tracked as UTA0218 [2]. The adversaries exploited the vulnerability to deploy a Python-based backdoor named UPSTYLE for persistent access to target organizations.
| Malware Name | MD5 | SHA1 | SHA256 |
|---|---|---|---|
| UPSTYLE Backdoor | 0c1554888ce9ed0da1583dbdf7b31651 | 988fc0d23e6e30c2c46ccec9bbff50b7453b8ba9 | 3de2a4392b8715bad070b2ae12243f166ead37830f7c6d24e778985927f9caac |
How Does Picus Help Simulate Palo Alto PAN-OS CVE-2024-3400 Attacks?
We strongly suggest simulating the Palo Alto PAN-OS CVE-2024-3400 vulnerability to test the effectiveness of your security controls against sophisticated cyber attacks using the Picus Complete Security Validation Platform. You can also test your defenses against other vulnerability exploitation attacks, such as Log4Shell, Citrix Bleed, and Follina, within minutes with a 14-day free trial of the Picus Platform.
Picus Threat Library includes the following threats for Palo Alto PAN-OS CVE-2024-3400 vulnerability exploitation attacks:
| Threat ID | Threat Name | Attack Module |
|---|---|---|
| 39549 | Palo Alto Networks Web Attack Campaign | Web Application |
| 50903 | UPSTYLE Backdoor Malware Download Threat | Network Infiltration |
| 35140 | UPSTYLE Backdoor Malware Email Threat | E-mail Infiltration (Phishing) |
Picus also provides actionable mitigation content. The Picus Mitigation Library includes prevention signatures that address the Palo Alto PAN-OS CVE-2024-3400 vulnerability in preventive security controls. Currently, Picus Labs has validated the following signatures for the Palo Alto PAN-OS CVE-2024-3400 vulnerability:

| Security Control | Signature Name | Signature ID |
|---|---|---|
| Check Point NGFW | Web Servers Malicious HTTP Header Directory Traversal | asm_dynamic_prop_DIR_TRAV_HEADERS |
| F5 BIG-IP | Directory Traversal attempt (Content) | 200101550 |
| Forcepoint NGFW | HTTP_CSH-Directory-Traversal-In-Session-Id-Cookie | |
| Forcepoint NGFW | HTTP_CSH-Directory-Traversal-In-Cookie-Header | |
| Fortigate IPS | HTTP.Unix.Shell.IFS.Remote.Code.Execution | 45677 |
| FortiWeb | Generic Attacks(Extended) | 060150002 |
| FortiWeb | Generic Attacks(Extended) | 060010001 |
| Imperva SecureSphere | Directory Traversal (In Cookies/Parameters Value) | |
| Imperva SecureSphere | Directory Traversal - 40 | |
| Imperva SecureSphere | Directory Traversal - 555501307 | |
| Imperva SecureSphere | Directory Traversal - 37 | |
| ModSecurity | Path Traversal Attack (/../) | 930100 |
| ModSecurity | Remote Command Execution: Unix Command Injection | 932100 |
| ModSecurity | Remote Command Execution: Unix Shell Expression Found | 932130 |
| ModSecurity | Remote Command Execution: Unix Shell Code Found | 932160 |
| PaloAlto IPS | Palo Alto Networks GlobalProtect OS Command Injection Vulnerability | 95187 |
| Snort | SERVER-WEBAPP Palo Alto Networks Firewall directory traversal attempt | 1.63309.1 |
| TippingPointTPS | HTTP: Palo Alto Networks PAN-OS GlobalProtect Command Injection Vulnerability | 44125 |
Start simulating emerging threats today and get actionable mitigation insights with a 14-day free trial of the Picus Complete Security Validation Platform.
References
[1] P. Psirt, “CVE-2024-3400 PAN-OS: OS Command Injection Vulnerability in GlobalProtect,” Palo Alto Networks Product Security Assurance, Apr. 12, 2024. Available: https://security.paloaltonetworks.com/CVE-2024-3400. [Accessed: Apr. 17, 2024]
[2] Volexity, “Zero-Day Exploitation of Unauthenticated Remote Code Execution Vulnerability in GlobalProtect (CVE-2024-3400),” Volexity, Apr. 12, 2024. Available: https://www.volexity.com/blog/2024/04/12/zero-day-exploitation-of-unauthenticated-remote-code-execution-vulnerability-in-globalprotect-cve-2024-3400/. [Accessed: Apr. 17, 2024]