PAN-OS CVE-2024-3400: Patch Your Palo Alto Firewalls


Overview

CVE-2024-3400, a critical-severity vulnerability in PAN-OS, allows pre-authenticated remote code execution on the GlobalProtect VPN interface of Palo Alto Networks firewalls via a chained attack (directory traversal followed by command injection). Although patches have been issued, the vulnerability is being actively exploited in the wild at the time of this writing. Bishop Fox developed an internal exploit for CVE-2024-3400 and notified our customers before a public proof-of-concept was released. Although Palo Alto Networks provided workarounds and mitigations for use in advance of fixes, Bishop Fox successfully bypassed these.

We’re sharing limited details about the mitigation bypasses in an effort to be maximally useful for defenders, while minimally useful for opportunistic attackers.

Details

This vulnerability allows writing an arbitrarily named file to the underlying filesystem by inserting a payload into an HTTP cookie. The payload is subsequently written as the filename at an attacker-controlled location via directory traversal, where the file is later processed by a cron job that runs a telemetry-related script containing a command injection vulnerability. The result is out-of-band remote code execution as root. To be clear, the Bash command to be executed is contained in the name, not the contents, of the aforementioned file.

Workarounds and Mitigations

Palo Alto Networks initially recommended two interim mitigations to help prevent exploits prior to implementing a fix: enabling Threat Prevention and disabling device telemetry. Each of these mitigations was targeted at a single step in the chain: Threat Prevention attempts to block malicious requests containing the directory traversal sequence, and disabling device telemetry prevents exploitation of the now-public command injection payload.

We developed bypasses for both recommended interim mitigations. We were able to successfully evade the Threat Prevention signatures, and we identified a new command injection vulnerability that is exploitable even when device telemetry is disabled. We reported these findings, and Palo Alto Networks subsequently updated the advisory to indicate that disabling device telemetry is not a sufficient fix and released new Threat Prevention rules aimed at the signature bypasses. We believe that the latest set of Threat Prevention rules (TIDs 95187, 95189, and 95191) is an effective mitigation until a patch can be applied. That said, we have observed multiple misconfigurations that prevented these rules from working, and we therefore highly recommend testing them.

You can test whether the Threat Prevention rules are working by observing the response from the following safe HTTP request:

$ curl -k https://<HOST>/ -H 'Cookie: test=../../'

On a system with correctly configured Threat Prevention rules, the above command will show a “connection reset” message. On an incorrectly configured system, the command will return an HTML response.
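The following script is an added example (not part of the Bishop Fox post) that automates the safe probe described above: one HTTPS request to the GlobalProtect interface carrying the same harmless cookie, with the outcome classified the way the post describes it. A reset connection means the Threat Prevention rules are blocking; an HTML response means they are not. The hostname is supplied by the caller; the default in the script is a placeholder.

```python
"""Check whether Threat Prevention rules for CVE-2024-3400 are active on a PAN-OS host.

Added example, not from the Bishop Fox post. Equivalent to the post's probe:
    curl -k https://<HOST>/ -H 'Cookie: test=../../'
"""
import http.client
import ssl
from typing import Optional


def classify_outcome(status: Optional[int], body: bytes, error: Optional[BaseException]) -> str:
    """Map a probe result to one of three labels.

    'blocked'      : the firewall reset/dropped the connection (rules active)
    'not_blocked'  : an HTML page came back (rules missing or misconfigured)
    'inconclusive' : anything else (timeout, TLS failure, non-HTML response)
    """
    if error is not None:
        # RemoteDisconnected subclasses ConnectionResetError; both mean "reset" here.
        if isinstance(error, (ConnectionResetError, BrokenPipeError)):
            return "blocked"
        return "inconclusive"
    if status is not None and b"<html" in body[:4096].lower():
        return "not_blocked"
    return "inconclusive"


def probe(host: str, timeout: float = 10.0) -> str:
    """Send the harmless probe and classify the firewall's reaction."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False          # like curl -k: portals often use self-signed certs
    ctx.verify_mode = ssl.CERT_NONE
    conn = http.client.HTTPSConnection(host, 443, timeout=timeout, context=ctx)
    status, body, error = None, b"", None
    try:
        conn.request("GET", "/", headers={"Cookie": "test=../../"})
        resp = conn.getresponse()
        status, body = resp.status, resp.read()
    except (OSError, http.client.HTTPException) as exc:   # reset, timeout, TLS errors
        error = exc
    finally:
        conn.close()
    return classify_outcome(status, body, error)


if __name__ == "__main__":
    import sys
    # Placeholder host; pass the real GlobalProtect hostname as the first argument.
    target = sys.argv[1] if len(sys.argv) > 1 else "firewall.example.invalid"
    print(f"{target}: {probe(target)}")
```

Run it against each GlobalProtect interface you operate; anything other than "blocked" on an unpatched device warrants re-checking the Threat Prevention profile and the security policy it is attached to.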

We have validated that the recommended solution of applying the hotfix patches is a sufficient fix for CVE-2024-3400. The patch adds strict validation to the session cookie, which is sufficient to block the initial exploit vector.

Therefore, we recommend taking one of the following remediation steps, in order of effectiveness:

  • Apply the patch.
  • Enable Threat Prevention for signature IDs 95187, 95189, and 95191.
  • Take the GlobalProtect interface offline until the patch is applied.
  • Apply additional IPS rules which block requests to the GlobalProtect interface containing a directory traversal sequence (“../”) anywhere in the HTTP Cookie header.
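As an added example (not from the Bishop Fox post or from Palo Alto Networks), the detection logic below implements the last bullet on the log side: it flags any request to the GlobalProtect interface whose Cookie header contains a directory traversal sequence anywhere in a cookie value. The log format is constructed for the example; adapt parse_line() to your proxy or firewall log. Values are percent-decoded before matching, a standard normalization step for IPS-style rules so that an encoded "../" is compared in plain form.

```python
"""Flag requests whose Cookie header carries a directory traversal sequence.

Added example; the log lines and their format are constructed for illustration.
"""
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple
from urllib.parse import unquote

# "../" or "..\" after normalization
TRAVERSAL = re.compile(r"\.\.[\\/]")

# Constructed format: <timestamp> <client_ip> "<METHOD> <path>" <status> cookie="<Cookie header>"
LINE_RE = re.compile(
    r'^(?P<ts>\S+) (?P<ip>\S+) "(?P<method>[A-Z]+) (?P<path>\S+)" '
    r'(?P<status>\d{3}) cookie="(?P<cookie>[^"]*)"$'
)


@dataclass
class Finding:
    ts: str
    client_ip: str
    path: str
    cookie_name: str
    raw_value: str


def normalize(value: str) -> str:
    """Percent-decode until stable (bounded) so encoded input is matched in plain form."""
    for _ in range(3):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def cookie_traversal_hits(cookie_header: str) -> List[Tuple[str, str]]:
    """Return (cookie name, raw value) for every cookie whose value contains traversal."""
    hits = []
    for part in cookie_header.split(";"):
        name, _, raw = part.strip().partition("=")
        if TRAVERSAL.search(normalize(raw)):
            hits.append((name, raw))
    return hits


def parse_line(line: str) -> Optional[dict]:
    m = LINE_RE.match(line.strip())
    return m.groupdict() if m else None


def scan(lines: List[str]) -> List[Finding]:
    """Run the cookie check over every parseable log line; unparseable lines are skipped."""
    findings = []
    for line in lines:
        rec = parse_line(line)
        if not rec:
            continue
        for name, raw in cookie_traversal_hits(rec["cookie"]):
            findings.append(Finding(rec["ts"], rec["ip"], rec["path"], name, raw))
    return findings


# Constructed sample: one benign request, the post's own safe probe, and an encoded variant.
SAMPLE_LOG = [
    '2024-04-15T10:00:01Z 203.0.113.5 "GET /" 200 cookie="PHPSESSID=abc123; lang=en"',
    '2024-04-15T10:00:02Z 198.51.100.7 "GET /" 200 cookie="test=../../"',
    '2024-04-15T10:00:03Z 198.51.100.9 "GET /login" 200 cookie="SESSID=x%2e%2e%2fy"',
    'garbage line that does not parse',
]


if __name__ == "__main__":
    for f in scan(SAMPLE_LOG):
        print(f"{f.ts} {f.client_ip} {f.path} cookie={f.cookie_name} value={f.raw_value!r}")
```

The same check can be expressed as a blocking rule in most IPS or WAF products; the point of the normalization step is that the rule should match on the decoded cookie value, not only on the literal bytes on the wire.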


About the author, Bishop Fox


Due to the nature in which we conduct research and penetration tests, some of our security experts prefer to remain anonymous. Their work is published under our Bishop Fox name.

