PT-2024-2752 · Palo Alto Networks · Pan-Os

Steven Adair

·

Published

2024-04-12

·

Updated

2026-06-15

·

CVE-2024-3400

CVSS v3.1

10

Critical

Vector AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions

Palo Alto Networks PAN-OS 10.2
Palo Alto Networks PAN-OS 11.0
Palo Alto Networks PAN-OS 11.1
Description

A command injection vulnerability resulting from arbitrary file creation exists in the GlobalProtect feature of PAN-OS. It allows an unauthenticated remote attacker to execute arbitrary code with root privileges on the firewall. Exposed devices are those running the listed versions with a GlobalProtect gateway or GlobalProtect portal configured. Exploitation was initially reported to also require device telemetry to be enabled, but Palo Alto Networks later updated its advisory to state that device telemetry does not need to be enabled for a firewall to be exposed.

The exploit chains two bugs. First, the value of the SESSID cookie is used, without validation, to build a file name, so a path traversal sequence in the cookie lets the attacker create a file with an attacker-chosen name in /opt/panlogs/tmp/device_telemetry/. Second, a cron job periodically transmits telemetry files with curl through the pansys.py library, which assembles the command line as a string and runs it with subprocess.Popen() and shell=True; the attacker-controlled file name is therefore parsed by the shell, and the commands embedded in it run as root. Because spaces cannot be used in the injected file name, attackers separate shell words with the ${IFS} (Internal Field Separator) variable instead.

In-the-wild exploitation was observed before a fix was available, in a campaign tracked as Operation MidnightEclipse: attackers deployed the Python-based UPSTYLE backdoor, stole firewall configuration data and moved laterally into internal networks over SMB and WinRM. Estimates of internet-exposed devices that could be affected range from roughly 40,000 to 133,000 worldwide.
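The two defects in the chain above, each beside a hardened form, as an added Python example written for this entry; it is not PAN-OS code and does not come from the vendor advisory. The session directory /tmp/sslvpn, the printf command that stands in for the cron-driven curl upload, the constructed cookie and file-name payloads, and all function names are assumptions made for illustration; the injected command is a harmless echo.

```python
import os
import re
import subprocess

# Added example, not PAN-OS code. SESSION_DIR, the printf stand-in for the
# telemetry curl upload and every function name are assumptions made for
# illustration of the chain described in this entry.

SESSION_DIR = "/tmp/sslvpn"                          # assumed location of session_<SESSID> files
_SESSID_RE = re.compile(r"[A-Za-z0-9_-]{1,64}")      # allow-list for cookie values


# Stage 1: the SESSID cookie value becomes part of a file name.

def session_path_vulnerable(session_dir: str, sessid: str) -> str:
    """Cookie value concatenated into a path with no validation.

    normpath shows where the write lands once the '..' components resolve:
    a traversal sequence walks out of session_dir into any other directory,
    here the device telemetry spool named in the description."""
    return os.path.normpath(os.path.join(session_dir, "session_" + sessid))


def session_path_hardened(session_dir: str, sessid: str) -> str:
    """Allow-list the cookie, then confirm the resolved path stays inside session_dir."""
    if not _SESSID_RE.fullmatch(sessid):
        raise ValueError("SESSID contains characters outside the allow-list")
    root = os.path.realpath(session_dir)
    path = os.path.realpath(os.path.join(root, "session_" + sessid))
    # Defence in depth: the regex already forbids '/' and '.', but a containment
    # check catches any future relaxation of the allow-list.
    if os.path.commonpath([root, path]) != root:
        raise ValueError("session path escapes the session directory")
    return path


# Stage 2: the attacker-named file reaches the shell through the uploader.

def upload_vulnerable(filename: str) -> str:
    """The pansys.py pattern: a command line built as a string and run with shell=True.

    printf stands in for curl; the real chain runs the command from cron as root."""
    cmd = "printf 'upload %s\\n' @" + filename
    return subprocess.run(cmd, shell=True, capture_output=True, text=True).stdout


def upload_hardened(filename: str) -> str:
    """Same action as an argv list: the file name is one argument and sh never parses it.

    A real fix would also refuse names that fail an allow-list before uploading."""
    argv = ["printf", "upload %s\n", "@" + filename]
    return subprocess.run(argv, capture_output=True, text=True).stdout


if __name__ == "__main__":
    traversal = "/../../../opt/panlogs/tmp/device_telemetry/x"   # constructed cookie value
    print(session_path_vulnerable(SESSION_DIR, traversal))        # lands in the telemetry spool
    try:
        session_path_hardened(SESSION_DIR, traversal)
    except ValueError as err:
        print("hardened:", err)

    # Spaces are unusable in the injected name, so ${IFS} separates the shell words.
    payload = "x;echo${IFS}INJECTED"            # constructed; only echo runs here
    print(upload_vulnerable(payload), end="")   # prints "upload @x" then "INJECTED"
    print(upload_hardened(payload), end="")     # prints the payload as literal text
```

Running the script shows the two halves of the fix: the traversal value is rejected before a path is ever built, and the hardened uploader prints the `;echo${IFS}INJECTED` text verbatim instead of executing it.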
Recommendations

Upgrade affected PAN-OS 10.2, 11.0 and 11.1 firewalls to a fixed hotfix release (the first fixes were 10.2.9-h1, 11.0.4-h1 and 11.1.2-h3; hotfixes for the other maintenance releases followed). Disabling the device telemetry feature was initially suggested as a temporary mitigation, but Palo Alto Networks later withdrew that guidance because the vulnerability can be exploited with telemetry disabled. Customers with a Threat Prevention subscription can block known attack traffic with vulnerability signature Threat ID 95187 until the upgrade is applied. To check a device for exploitation attempts, search the GlobalProtect service log for session file names containing a traversal sequence (grep pattern "failed to unmarshal session(../" mp-log gpsvc.log); a hit indicates an attempt, not necessarily a successful compromise, and a device that was exposed while unpatched should be examined for the backdoors and configuration theft described above.

Exploit

Fix

RCE

Command Injection

Weakness Enumeration

Related Identifiers

BDU:2024-02881
CVE-2024-3400
GO-2024-2730

Affected Products

Pan-Os