How to track and stop CVE-2024-3400: Palo Alto Devices API Exploit
CVE-2024-3400 POC exploit
Palo Alto Networks revealed on Friday, April 12, that certain PAN-OS versions contain a vulnerability that allows remote code execution. The company also revealed that this vulnerability has been actively used to install backdoors on Palo Alto firewalls. A patch is expected to be available on April 14th. Here is the Palo Alto advisory. This is the CISA advisory. Palo Alto has rated this vulnerability as critical, and NVD has assigned it a CVSSv3 score of 10.0. Indiesecurity currently detects attacks against this vulnerability without any additional configuration.
CVE-2024-3400: What is it?
The GlobalProtect Gateway feature of PAN-OS versions 10.2, 11.0, and 11.1 contains a serious command injection vulnerability, which highlights how crucial API security is for devices that sit at the edge of the network. The weakness, tracked as CVE-2024-3400, allows unauthorized users to execute commands as the system administrator, which poses a significant threat to critical infrastructure.
The issue, rated at the maximum severity score of 10 out of 10, was discovered during routine operations and specifically affects systems with both a GlobalProtect gateway and device telemetry enabled.
Affected and unaffected versions are as follows:
Affected: PAN-OS 10.2 versions below 10.2.9-h1, PAN-OS 11.0 versions below 11.0.4-h1, and PAN-OS 11.1 versions below 11.1.2-h3.
Unaffected: Cloud NGFW, Panorama appliances, Prisma Access, and all other PAN-OS versions.
To determine whether a firewall is vulnerable, check its configuration for an active GlobalProtect gateway (Network > GlobalProtect > Gateways) and for enabled device telemetry (Device > Setup > Telemetry). Palo Alto Networks has noted a limited number of cases in which this flaw has already been exploited.
Fixes for the impacted versions are scheduled to be released by April 14, 2024.
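The version thresholds and the two configuration preconditions listed above can be turned into a simple triage check. The following is an added example (not Palo Alto's or Indiesecurity's code) that parses PAN-OS version strings, including the `-hN` hotfix suffix, and compares them against the fixed builds named in this post; the inputs and the resulting verdicts are constructed for illustration.

```python
import re

# First fixed build per affected release train, as stated in the post above.
# Cloud NGFW, Panorama appliances and Prisma Access are not PAN-OS firewalls
# in this sense and are handled as "not affected" by falling through the lookup.
FIXED_BUILDS = {
    (10, 2): (10, 2, 9, 1),   # 10.2.9-h1
    (11, 0): (11, 0, 4, 1),   # 11.0.4-h1
    (11, 1): (11, 1, 2, 3),   # 11.1.2-h3
}

# major.minor.maintenance with an optional "-h<hotfix>" suffix, e.g. 11.1.2-h3
_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:-h(\d+))?$")


def parse_panos_version(version: str) -> tuple:
    """Turn '10.2.9-h1' into (10, 2, 9, 1); a missing hotfix suffix counts as h0,
    so that 10.2.9 sorts below 10.2.9-h1 under plain tuple comparison."""
    match = _VERSION_RE.match(version.strip())
    if not match:
        raise ValueError(f"unrecognised PAN-OS version string: {version!r}")
    major, minor, maint, hotfix = match.groups()
    return (int(major), int(minor), int(maint), int(hotfix or 0))


def is_affected(version: str, globalprotect_gateway: bool, telemetry: bool) -> bool:
    """True only when the build is below the fixed build for its release train
    AND both preconditions from the advisory (gateway + telemetry) are enabled."""
    parsed = parse_panos_version(version)
    fixed = FIXED_BUILDS.get(parsed[:2])
    if fixed is None:
        return False          # release train not listed as affected
    if parsed >= fixed:
        return False          # fixed build or a later hotfix is installed
    return globalprotect_gateway and telemetry


if __name__ == "__main__":
    # Constructed inventory rows: (hostname, version, gateway enabled, telemetry enabled)
    inventory = [
        ("fw-edge-01", "10.2.8", True, True),
        ("fw-edge-02", "10.2.9-h1", True, True),
        ("fw-dc-01", "11.1.2-h2", True, False),
    ]
    for host, version, gw, tele in inventory:
        print(host, version, "AFFECTED" if is_affected(version, gw, tele) else "ok")
```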
Exploit Details and Detection Challenges of CVE-2024-3400
The exploit for CVE-2024-3400 operates through a straightforward XML RPC request that embeds malicious code within an XML tag, specifically:
<cmd code="ping">OS command exploit is here</cmd>
This particular method of attack highlights the need for comprehensive API security measures, as the exploit can bypass traditional security systems like Web Application Firewalls (WAF) and Intrusion Prevention Systems (IPS) through XML obfuscation techniques.
For organizations using PAN-OS, it is critical to understand that while requests to the /api endpoint appear in the logs, the actual exploit payload inside the XML body is not recorded in the standard access.log or any other log file. This lack of detailed logging underscores the need for a dedicated API security solution to monitor and protect these vectors effectively.
Given these complexities, network administrators should extend their monitoring to include detailed analysis of all API traffic, with particular attention to XML data that is not normally logged. An advanced API security solution provides the additional layer of scrutiny required to detect and mitigate such obscured exploits effectively.
GitHub's Response
In response to the discovery and exploitation of CVE-2024-3400, GitHub has actively started to remove repositories containing exploits and proof-of-concept (POC) code related to this vulnerability. An example of such swift action can be seen with the removal of one of the first exploits published for this issue, available at https://github.com/DrewskyDev/CVE-2024-3400, which was uploaded on April 12th. Despite GitHub's efforts to curb the spread of this exploit, numerous other resources and platforms have already distributed this POC, indicating a rapid dissemination across the cyber community.
Attackers have already shown that they can exploit this vulnerability using sophisticated XML obfuscation methods, which makes detecting such attacks with conventional WAF and IDS/IPS systems difficult. These techniques alter the XML encoding, structure, and size in ways that evade conventional security tools, which rely on matching known attack signatures.
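The two points above (the payload lives in the XML body that never reaches access.log, and signature matching on raw bytes is defeated by re-encoding the XML) suggest inspecting API requests with a real XML parser rather than a regex over the wire bytes. The following is an added detection example, not code from Indiesecurity or Palo Alto Networks: it parses the body of each request to /api, normalises away entity encoding, CDATA and the document encoding, then flags any `cmd` element whose text carries shell metacharacters. All sample requests are constructed for illustration.

```python
import re
import xml.etree.ElementTree as ET

# Shell metacharacters that have no business inside the target of a "ping" command.
SHELL_META = re.compile(r"[;|&`$<>]|\$\(|\n")


def local_name(tag: str) -> str:
    """Strip an XML namespace prefix: '{urn:example}cmd' -> 'cmd'."""
    return tag.rsplit("}", 1)[-1]


def inspect_api_request(path: str, body: bytes) -> list:
    """Return a list of findings (strings) for one HTTP request to the firewall."""
    findings = []
    if not path.startswith("/api"):
        return findings                      # only the API endpoint is in scope
    try:
        root = ET.fromstring(body)          # expat decodes entities, CDATA, UTF-16
    except ET.ParseError as exc:
        return [f"unparseable XML body on {path}: {exc}"]
    for elem in root.iter():
        if local_name(elem.tag) != "cmd":
            continue
        text = "".join(elem.itertext()).strip()   # text after all decoding
        if SHELL_META.search(text):
            findings.append(
                f"suspicious cmd code={elem.get('code')!r} text={text!r} on {path}")
    return findings


def scan(requests) -> list:
    """Run inspect_api_request over (path, body) pairs and collect all findings."""
    return [f for path, body in requests for f in inspect_api_request(path, body)]


# Constructed sample traffic (not real captures): a benign ping, a plain injection,
# the same injection with the separator entity-encoded and the host wrapped in CDATA,
# a UTF-16 encoded copy, and an off-path request that is out of scope.
SAMPLE_REQUESTS = [
    ("/api/?type=op", b'<request><cmd code="ping">10.0.0.1</cmd></request>'),
    ("/api/?type=op", b'<request><cmd code="ping">10.0.0.1; id</cmd></request>'),
    ("/api/?type=op", b'<request><cmd code="ping"><![CDATA[10.0.0.1]]>&#x3b; id</cmd></request>'),
    ("/api/?type=op", '<?xml version="1.0" encoding="utf-16"?>'
                      '<request><cmd code="ping">10.0.0.1|id</cmd></request>'.encode("utf-16")),
    ("/login", b'<request><cmd code="ping">10.0.0.1; id</cmd></request>'),
]

if __name__ == "__main__":
    for finding in scan(SAMPLE_REQUESTS):
        print(finding)
```

Because matching happens on the decoded element text, the entity-encoded, CDATA-wrapped and UTF-16 variants all produce the same finding as the plain one.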
Recommendation
For up-to-date information, Indiesecurity strongly recommends that users regularly check the official Palo Alto Networks advisory page at https://security.paloaltonetworks.com/CVE-2024-3400. As soon as the patch becomes available, impacted devices must be updated. Indiesecurity also suggests performing a full firmware hard reset on updated devices to remove any backdoors that may have been installed, so that the device can be considered fully clean. To contain any breach that may have occurred through compromised certificates, it is also essential to review, and if necessary revoke, any certificates if your PAN-OS devices were handling SSL/TLS termination.