Summary
CVE-2024-3400 is a command injection vulnerability in Palo Alto's PAN-OS, specifically in the GlobalProtect feature. An unauthenticated attacker can execute arbitrary code, leading to full compromise of the device.
Vulnerable Versions
The vulnerable versions are PAN-OS 10.2, 11.0, and 11.1.
Impact
According to CISA, the vulnerability has been exploited in the wild since March 2024, and it carries a critical score of 10.
A threat actor dubbed UTA0218 has been observed deploying a Python backdoor through this vulnerability: they remotely exploit the firewall to create a reverse shell, download tools, pivot into internal networks, and exfiltrate data.
Vulnerability Details
As described for CVE-2024-3400, the threat actor forges specially crafted network requests to a non-existent web page containing a specific pattern. The backdoor then parses the log file and searches for lines matching the regular expression (“img\[([a-zA-Z0-9+/=]+)\]”), decodes the captured value, and runs the command it contains.
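Because the backdoor keys on that exact pattern in the log, the same regular expression is a useful hunting indicator for defenders. The following is an added example, not code from the original post or from Palo Alto: it scans constructed, made-up web-server log lines (not real PAN-OS output) for the img[...] marker quoted above, records each hit, and base64-decodes the captured token for analyst review without executing anything. The log format and the SAMPLE_LOG contents are assumptions for illustration only.

```python
import base64
import re
from typing import Optional

# The regular expression quoted in the write-up: the backdoor searches the log for it.
IMG_PATTERN = re.compile(r"img\[([a-zA-Z0-9+/=]+)\]")

# Constructed sample log lines (hypothetical format, not real PAN-OS output).
# Line 3 carries a decodable marker; line 5 carries a marker that is not valid base64.
SAMPLE_LOG = """\
2024-04-12 10:00:01 GET /global-protect/login.esp from 198.51.100.7 -> 200
2024-04-12 10:00:02 GET /ssl-vpn/hipreport.esp from 198.51.100.7 -> 200
2024-04-12 10:00:03 GET /global-protect/portal/doesnotexist from 203.0.113.9 -> 404 marker=img[ZWNobyB0ZXN0]
2024-04-12 10:00:04 GET /global-protect/login.esp from 198.51.100.7 -> 200
2024-04-12 10:00:05 GET /global-protect/portal/missing from 203.0.113.9 -> 404 marker=img[abc]
"""


def decode_marker(token: str) -> Optional[str]:
    """Base64-decode the captured token for review; return None if it is not valid base64.

    binascii.Error (raised on bad characters or padding) is a subclass of ValueError.
    """
    try:
        return base64.b64decode(token, validate=True).decode("utf-8", errors="replace")
    except ValueError:
        return None


def find_markers(log_text: str) -> list:
    """Return one dict per img[...] marker found, with line number, raw token and decoded value.

    A hit is reported even when the token does not decode: the marker itself is the indicator.
    """
    hits = []
    for lineno, line in enumerate(log_text.splitlines(), start=1):
        for match in IMG_PATTERN.finditer(line):
            token = match.group(1)
            hits.append(
                {
                    "line": lineno,
                    "token": token,
                    "decoded": decode_marker(token),
                    "raw": line,
                }
            )
    return hits


if __name__ == "__main__":
    for hit in find_markers(SAMPLE_LOG):
        status = "decoded" if hit["decoded"] is not None else "undecodable"
        print(f"line {hit['line']}: {status} token={hit['token']!r} decoded={hit['decoded']!r}")
        print(f"  {hit['raw']}")
```

To run this against a real log, replace SAMPLE_LOG with the file contents; every match is worth escalating, since the 404 path and the marker together are the trigger the post describes, and a token that fails to decode is still a match on the indicator.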
15,000+ Assets are susceptible to PAN-OS Attack
According to the FireCompass platform, a staggering 15k PAN-OS instances are exposed on the internet, making them potential targets for threat actors.
Public POCs
As of writing this blog, there is only one repository claiming to have a working POC:
https://github.com/0x0d3ad/CVE-2024-3400