Palo Alto Networks firewalls under attack, hotfixes incoming! (CVE-2024-3400)

Introduction:

In recent news, a critical zero-day vulnerability, CVE-2024-3400, has emerged, posing a significant threat to cybersecurity. This post aims to shed light on what CVE-2024-3400 entails, how it can affect your system, and most importantly, how to prevent and fix it.

What is CVE-2024-3400?

CVE-2024-3400 is a zero-day vulnerability discovered in Palo Alto Networks’ firewalls. It allows attackers to Attackers are exploiting a command injection vulnerability (CVE-2024-3400). This vulnerability is particularly dangerous because CVE-2024-3400 is a command injection vulnerability in the GlobalProtect feature of Palo Alto Networks PAN-OS software and may allow an unauthenticated attacker to execute arbitrary code with root privileges on vulnerable firewalls.
The vulnerability affects PAN-OS versions 11.1, 11.0 and 10.2 that have configurations for both GlobalProtect gateway and device telemetry enabled. It will be fixed with hotfixes 11.1.2-h3, 11.0.4-h1, and 10.2.9-h1, which are scheduled to be released on April 14, 2023 (Sunday).

How Does CVE-2024-3400 Affect You?

If your system is vulnerable to CVE-2024-3400, it could result in The vulnerability affects PAN-OS versions 11.1, 11.0 and 10.2 that have configurations for both GlobalProtect gateway and device telemetry enabled. It will be fixed with hotfixes 11.1.2-h3, 11.0.4-h1, and 10.2.9-h1, which are scheduled to be released on April 14, 2023 (Sunday).. The implications of this vulnerability are severe, and swift action is necessary to mitigate the risk.
“You can verify whether you have a GlobalProtect gateway configured by checking for entries in your firewall web interface (Network > GlobalProtect > Gateways) and verify whether you have device telemetry enabled by checking your firewall web interface (Device > Setup > Telemetry),” Palo Alto Networks explained.

“Customers with a Threat Prevention subscription can block attacks for this vulnerability by enabling Threat ID 95187 (introduced in Applications and Threats content version 8833-8682).”

Prevention Measures:

1. Keep Software Updated: Ensure that all software, including operating systems, applications, and plugins, is up to date with the latest security patches.
2. Implement Access Controls: Restrict access to sensitive systems and data to authorized users only. Utilize strong authentication methods such as multi-factor authentication (MFA).
3. Network Segmentation: Segment your network to contain the impact of a potential breach. Limit communication between systems to only what is necessary.
4. Security Awareness Training: Educate employees about phishing attacks, social engineering tactics, and the importance of cybersecurity hygiene.
5. Threat Intelligence Monitoring: Stay informed about emerging threats and vulnerabilities by subscribing to threat intelligence feeds and security advisories.
6. If they can’t do any of that, they can mitigate the impact of this vulnerability by temporarily disabling device telemetry (and then re-enable it once the hotfix is applied).

Fixing CVE-2024-3400:

Apply Vendor Patches: Check with the vendor for available patches or updates to address CVE-2024-3400. Apply these patches as soon as possible to remediate the vulnerability.
Workarounds: If patches are not immediately available, consider implementing temporary workarounds or mitigations recommended by the vendor or security experts.
Security Testing: Conduct thorough security testing after applying patches or implementing workarounds to ensure they effectively address the vulnerability without introducing new issues.