CVE-2024-3400 (CVSS 10): Critical 0-Day Flaw in Palo Alto Networks Firewall Software Exploited in the Wild

CVE-2024-3400

Palo Alto Networks has disclosed a severe zero-day vulnerability (CVE-2024-3400) affecting its market-leading firewall software, PAN-OS. This vulnerability carries a CVSS score of 10.0, indicating its critical severity. Successful exploitation could allow unauthenticated attackers to execute arbitrary code with root privileges on affected firewalls.

CVE-2024-3400

Affected Systems

The CVE-2024-3400 vulnerability specifically impacts the GlobalProtect gateway feature of the following PAN-OS versions when combined with enabled device telemetry:

  • PAN-OS 10.2
  • PAN-OS 11.0
  • PAN-OS 11.1

Thankfully, other versions, the Cloud NGFW solution, Panorama appliances, and Prisma Access are not affected.

Active Exploitation

Worryingly, Palo Alto Networks has confirmed limited, in-the-wild attacks already exploiting this vulnerability. This underscores the urgency for organizations using the affected PAN-OS versions to apply hotfixes immediately.

Fixes and Mitigations

Palo Alto Networks is committed to addressing this vulnerability quickly. Hotfix releases for the following PAN-OS versions are expected by April 14, 2024:

  • PAN-OS 10.2.9-h1
  • PAN-OS 11.0.4-h1
  • PAN-OS 11.1.2-h3

If you cannot immediately patch your systems, follow these essential mitigation steps:

  1. Threat Prevention: If you have a Threat Prevention subscription, enable Threat ID 95187. Ensure you apply vulnerability protection to your GlobalProtect interface.
  2. Disable Device Telemetry (if you cannot apply Threat Prevention): Temporarily disable device telemetry via the web interface and re-enable it once your firewall is updated.

Instructions for applying these mitigations can be found on the Palo Alto Networks website.

Call to Action

Security teams and network administrators should treat this alert with the highest priority. Follow these steps carefully to protect your networks from potential attacks:

  • Verify Exposure: Check your firewall’s web interface to determine if you are running a vulnerable version and have GlobalProtect gateway and device telemetry enabled.
  • Apply Hotfixes: As soon as hotfixes become available, thoroughly test and deploy them across your network.
  • Follow Mitigations: If patching is not immediately feasible, implement Palo Alto Networks’ recommended workarounds to reduce the attack surface.