CVE-2024-3400 PAN-OS: Arbitrary File Creation Leads to OS Command Injection Vulnerability in GlobalProtect
Description
An arbitrary file creation vulnerability in the GlobalProtect feature of specific versions of Palo Alto Networks PAN-OS software leads to OS command injection and could allow an unauthenticated attacker to execute arbitrary code with root privileges on the affected firewall. This issue only affects certain configurations and versions of PAN-OS.
Cloud NGFW, Panorama appliances, and Prisma Access are not affected by this vulnerability.
Source: https://security.paloaltonetworks.com/CVE-2024-3400
Configuration Requirements for Vulnerability Exposure
This vulnerability affects only PAN-OS 10.2, PAN-OS 11.0, and PAN-OS 11.1 firewalls that have a GlobalProtect gateway, a GlobalProtect portal, or both configured. Device telemetry does not need to be enabled for these firewalls to be vulnerable.
To determine if your firewall is configured with a GlobalProtect gateway or portal, check for relevant entries in the firewall's web interface under Network > GlobalProtect > Gateways or Network > GlobalProtect > Portals.
Severity: CRITICAL
CVSSv4.0 Base Score: 10 (CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/AU:Y/R:U/V:C/RE:M/U:Red)
Common Weakness Enumeration
CWE-77: Improper Neutralization of Special Elements used in a Command ('Command Injection')
CWE-20: Improper Input Validation
Recommended Solution
The vulnerability is fixed in PAN-OS 10.2.9-h1, 11.0.4-h1, and 11.1.2-h3, and in all later PAN-OS versions. Customers who upgrade to these versions are fully protected.
PAN-OS 10.2 Hotfix Releases:
10.2.9-h1 (April 14, 2024)
10.2.8-h3 (April 15, 2024)
10.2.7-h8 (April 15, 2024)
10.2.6-h3 (April 16, 2024)
10.2.5-h6 (April 16, 2024)
10.2.4-h16 (April 18, 2024)
10.2.3-h13 (April 18, 2024)
10.2.2-h5 (April 18, 2024)
10.2.1-h2 (April 18, 2024)
10.2.0-h3 (April 18, 2024)
PAN-OS 11.0 Hotfix Releases:
11.0.4-h1 (April 14, 2024)
11.0.4-h2 (April 17, 2024)
11.0.3-h10 (April 16, 2024)
11.0.2-h4 (April 16, 2024)
11.0.1-h4 (April 18, 2024)
11.0.0-h3 (April 18, 2024)
PAN-OS 11.1 Hotfix Releases:
11.1.2-h3 (April 14, 2024)
11.1.1-h1 (April 16, 2024)
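Added example (not from the Palo Alto Networks advisory or from this page's author): a Python triage helper that compares a firewall's PAN-OS version and GlobalProtect configuration against the hotfix lists above. The function names, result labels and sample inventory are assumptions constructed for illustration; a release in an affected branch with no hotfix listed on this page is returned as "review" rather than guessed.

```python
import re

# Minimum fixed hotfix per maintenance release, copied from the hotfix
# lists on this page (branch -> {maintenance release: hotfix number}).
FIXED_HOTFIX = {
    "10.2": {9: 1, 8: 3, 7: 8, 6: 3, 5: 6, 4: 16, 3: 13, 2: 5, 1: 2, 0: 3},
    "11.0": {4: 1, 3: 10, 2: 4, 1: 4, 0: 3},
    "11.1": {2: 3, 1: 1},
}
VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:-h(\d+))?$")


def parse_version(version):
    """Split '10.2.4-h16' into ('10.2', 4, 16); no -hN suffix means hotfix 0."""
    m = VERSION_RE.match(version.strip())
    if not m:
        raise ValueError(f"unrecognised PAN-OS version: {version!r}")
    major, minor, maint, hotfix = m.groups()
    return f"{major}.{minor}", int(maint), int(hotfix or 0)


def assess(version, globalprotect_configured):
    """Return 'not-affected', 'fixed', 'vulnerable' or 'review'."""
    branch, maint, hotfix = parse_version(version)
    fixes = FIXED_HOTFIX.get(branch)
    # Only 10.2, 11.0 and 11.1 with a GlobalProtect gateway or portal are exposed.
    if fixes is None or not globalprotect_configured:
        return "not-affected"
    if maint > max(fixes):
        return "fixed"  # later than the newest fixed maintenance release
    if maint not in fixes:
        return "review"  # no hotfix listed on this page for this release
    return "fixed" if hotfix >= fixes[maint] else "vulnerable"


# Constructed inventory: (hostname, PAN-OS version, gateway or portal configured).
INVENTORY = [
    ("fw-edge-01", "10.2.4-h15", True),
    ("fw-edge-02", "10.2.4-h16", True),
    ("fw-dc-01", "11.1.3", True),
    ("fw-lab-01", "11.0.2", False),
]


def triage(inventory):
    """Map each hostname to its assessment."""
    return {host: assess(ver, gp) for host, ver, gp in inventory}


if __name__ == "__main__":
    for host, status in triage(INVENTORY).items():
        print(f"{host}: {status}")
```

The version can be read from the firewall's system information, and the GlobalProtect flag from the Network > GlobalProtect > Gateways and Portals pages named above.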