Get a demo

Voyager18 (research)

Fixing CVE-2024-3400: Zero-day in Palo Alto's GlobalProtect feature

Zero-day exploited: CVE-2024-3400 in Palo Alto Networks' GlobalProtect allows remote code execution. Here's what we know.

Yair Divinsky | April 15, 2024

CVE-2024-3400  – a critical vulnerability that allows unauthenticated Remote Code Execution (RCE) – has been found in Palo Alto Networks’ GlobalProtect feature, posing a significant security risk to organizations.

This blog post details the malware added to compromised devices, observed lateral movement attempts, the technical details, impact, exploitation, mitigation strategies related to CVE-2024-3400, and guidance for organizations to detect potential network compromises.

TL;DR

Affected products: 

Palo Alto Networks GlobalProtect 

Product category: 

Firewall Management Software 

Severity: 

Critical 

Type: 

Command Injection to exploit Remote Code Execution 

Impact: 

Confidentiality (H), Integrity (H), Availability (H) 

PoC: 

Yes 

Exploit in the wild 

Yes 

CISA Catalog 

 Yes

Remediation action 

Apply all releases of PAN-OS versions 10.2.9-h1, 11.0.4-h1, and 11.1.2-h3, and all subsequent PAN-OS versions 

MITRE advisory 

Read more 

What is CVE-2024-3400?

A command injection vulnerability in Palo Alto Networks PAN-OS software enables an unauthenticated attacker to execute arbitrary code with root privileges on the firewall. 

CVE-2024-3400 is a zero-day vulnerability discovered in Palo Alto Networks PAN-OS, specifically within the GlobalProtect feature.

This vulnerability enables remote attackers to execute arbitrary code without authentication, potentially compromising affected firewall devices and allowing unauthorized access to sensitive information within an organization’s network. 

On April 10, 2024, Volexity identified the zero-day exploit targeting the vulnerability in the GlobalProtect feature of Palo Alto Networks PAN-OS, affecting one of its network security monitoring (NSM) customers.

The detection came after receiving alerts about suspicious network traffic originating from the customer’s firewall, leading to the discovery of a compromised device.

The following day, April 11, 2024, Volexity observed similar exploitation at another NSM customer, conducted by the same threat actor, known as UTA0218. 

UTA0218 successfully executed remote code exploitation on the firewall devices, establishing a reverse shell and installing additional tools for further access.

The attacker’s primary focus was on extracting configuration data from these devices to pivot within the victim organizations. 

Collaborating closely with its customer and Palo Alto Networks Product Security Incident Response Team (PSIRT), Volexity investigated the root cause, identifying the vulnerability as an OS command injection issue, now assigned CVE-2024-3400.

This flaw represents an unauthenticated remote code execution vulnerability, scored at 10.0 on the CVSS scale. Palo Alto Networks promptly issued an advisory for CVE-2024-3400, including a threat protection signature for customers and a timeline for a fix, slated for April 14, 2024, as of the report’s writing. 

During the investigation, Volexity uncovered UTA0218’s attempt to install a custom Python backdoor, dubbed UPSTYLE, on the firewalls. UPSTYLE enables the attacker to execute commands through tailored network requests, detailed further in this report. 

Further investigation revealed successful exploitation across multiple customers and organizations, with activity traced back to March 26, 2024.

These early attempts seemed focused on testing the vulnerability, evident from the placement of zero-byte files on firewall devices for validation.

On April 7, 2024, UTA0218 unsuccessfully tried deploying a backdoor on a customer’s firewall, before successfully deploying malicious payloads on April 10 and 11, 2024, following similar patterns observed previously.

A timeline detailing these discoveries and subsequent activities was provided by Volexity:

 

CVE-2024-3400

Following the successful exploitation of devices, UTA0218 proceeded to download additional tools from remote servers under their control. This was done to enhance their access to victims’ internal networks, enabling swift lateral movement.

During this process, they extracted sensitive credentials and other critical files, facilitating ongoing access even after the initial intrusion. The attacker’s tactics and speed indicate a highly skilled threat actor with a well-defined strategy for achieving their goals. 

Volexity is unable to estimate the extent of the exploitation currently underway. While the initial firewall device exploitation and subsequent hands-on-keyboard activity seemed targeted and limited, evidence suggests broader reconnaissance efforts to identify vulnerable systems have occurred. 

It’s crucial to note that these measures won’t resolve an ongoing compromise; affected organizations must swiftly investigate their systems for potential breaches. 

 

Does CVE-2024-3400 affect me?

This issue is applicable only to PAN-OS 10.2, PAN-OS 11.0, and PAN-OS 11.1 firewalls configured with GlobalProtect gateway or GlobalProtect portal (or both) and device telemetry enabled.

This issue does not affect cloud firewalls (Cloud NGFW), Panorama appliances or Prisma Access. For up-to-date information about affected products and versions, please refer to the Palo Alto Networks Security Advisory on this issue. 

In a successful compromise, an attacker utilized a highly privileged service account associated with the Palo Alto Networks firewall device to infiltrate the internal network via SMB and WinRM.

The targeted information included crucial data like the Active Directory database (ntds.dit), important data (DPAPI), and Windows event logs (Microsoft-Windows-TerminalServices-LocalSessionManager%4Operational.evtx). 

Apart from Windows-related data, the attacker also exfiltrated Login Data, Cookies, and Local State data for Chrome and Microsoft Edge from specific targets.

This enabled the attacker to obtain the browser master key and decrypt sensitive information, including stored credentials. Below is a list of the files acquired by the attacker: 

  • %LOCALAPPDATA%\Google\Chrome\User Data\Default\Login Data 
  • %LOCALAPPDATA%\Google\Chrome\User Data\Default\Network 
  • %LOCALAPPDATA%\Google\Chrome\User Data\Default\Network\Cookies 
  • %LOCALAPPDATA%\Google\Chrome\User Data\Local State 
  • %LOCALAPPDATA%\Microsoft\Edge\User Data\Default\Login Data 
  • %LOCALAPPDATA%\Microsoft\Edge\User Data\Default\Network 
  • %LOCALAPPDATA%\Microsoft\Edge\User Data\Default\Network\Cookies 
  • %LOCALAPPDATA%\Microsoft\Edge\User Data\Local State 
  • %APPDATA%\Roaming\Microsoft\Protect<SID> -> DPAPI Keys 
  • %SystemRoot%\NTDS\ntds.dit 
  • %SystemRoot%\System32\winevt\Logs\Microsoft-Windows-TerminalServices-LocalSessionManager%4Operational.evtx 

UTA0218 did not employ malware or additional methods of persistence on systems within victim networks. This could be attributed in part to the prompt detection and response by Volexity and its clients.

However, the stolen data did allow the attacker to compromise credentials for all domain accounts effectively. Furthermore, the attacker gained access and could potentially utilize valid credentials or cookies extracted from browser data for specific user workstations accessed.

 

 

Has CVE-2024-3400 been actively exploited in the wild?

Yes, CVE-2024-3400 has been actively exploited by threat actors Palo Alto Networks is aware of the malicious exploitation linked to this issue, which they are monitoring closely under the label Operation MidnightEclipse.

Palo Alto’s  analysis indicates that the known exploitation weve reviewed is currently restricted to a single threat actor, although we anticipate that other threat actors might try to exploit this vulnerability in the future.

Volexity Threat Research also identified zero-day exploitation instances, indicating that malicious actors are leveraging this vulnerability to compromise Palo Alto Networks GlobalProtect devices.

The exploitation includes tactics such as creating reverse shells, downloading additional tools, and lateral movement within compromised networks. 

 

How to fix CVE-2024-3400?

The resolution for this issue has been implemented in the hotfix releases of PAN-OS versions 10.2.9-h1, 11.0.4-h1, and 11.1.2-h3, as well as in all subsequent PAN-OS versions. Additionally, hotfixes for other frequently used maintenance releases will be provided, a fix is expected by April 14, 2024. 

Palo Alto Networks advises customers with a Threat Prevention subscription to defend against attacks related to this vulnerability by activating Threat ID 95187 (included in Applications and Threats content version 8833-8682).

Moreover, customers must ensure that vulnerability protection is activated on their GlobalProtect interface to prevent exploitation on their device. More details can be found in the relevant LIVEcommunity article. 

If applying the Threat Prevention mitigation is not feasible currently, you can still lessen the impact of this vulnerability by temporarily turning off device telemetry until the device is updated to a fixed PAN-OS version. After the update, device telemetry should be reactivated. 

 

CVE-2024-3400: What they said

The industry has been abuzz with thoughts and insights about CVE-2024-3400:

 

 

 

 

Next steps

Each new vulnerability is a reminder of where we stand and what we need to do better. Check out the following resources to help you maintain cyber hygiene and stay ahead of the threat actors: 

  1. 2023 Vulnerability watch reports 
  2. The MITRE ATT&CK framework: Getting started
  3. The true impact of exploitable vulnerabilities for 2024
  4. Multi-cloud security challenges – a best practice guide
  5. How to properly tackle zero-day threats

Get rid of silos;

Start owning exposure risk

Test drive the leader in exposure risk management