PT-2024-2752 · Palo Alto Networks · PAN-OS

Author: Steven Adair

Published: 2024-04-12 · Updated: 2026-04-29

CVE-2024-3400

CVSS v3.1: 10 (Critical)

Vector: AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions: Palo Alto Networks PAN-OS versions 10.2 through 11.1

Description: A command injection vulnerability exists in the GlobalProtect feature of Palo Alto Networks PAN-OS. The root cause is an arbitrary file creation flaw that lets an unauthenticated attacker execute arbitrary code with root privileges on the firewall. The exploitation chain relies on path traversal: the SESSID value in a request cookie is used to write a file into a directory such as '/opt/panlogs/tmp/device_telemetry/', and the request can be sent to endpoints such as '/ssl-vpn/hipreport.esp' and '/global-protect/login.esp'.

This issue has been actively exploited in the wild by threat actors, including suspected state-sponsored groups, in a campaign tracked as Operation MidnightEclipse. Attackers have deployed a custom Python backdoor named UPSTYLE to maintain access and conceal the commands they issue. It is estimated that between 22,500 and 133,000 devices worldwide could be affected.

Recommendations: Update PAN-OS 10.2 to version 10.2.9-h1 or later. Update PAN-OS 11.0 to version 11.0.4-h1 or later. Update PAN-OS 11.1 to version 11.1.2-h3 or later. Customers with a Palo Alto Networks Threat Prevention subscription should enable Threat ID 95187 to block exploitation attempts.

Tags: Exploit, Fix, RCE, Command Injection

Related Identifiers: BDU:2024-02881, CVE-2024-3400, GO-2024-2730

Affected Products: PAN-OS