Recently, an arbitrary file creation vulnerability, CVE-2024-3400, was discovered in the GlobalProtect feature of Palo Alto Networks' PAN-OS software. The vulnerability allows an unauthenticated attacker to inject malicious commands and execute arbitrary code with root privileges on the firewall. It was rated with a CVSS score of 10 because of the potential for system abuse, data manipulation, and full control of the system.

As of about two weeks after CVE-2024-3400 was disclosed, most of the attack PoCs have been taken down, but some PoCs are still publicly available on GitHub. In addition, because Palo Alto Networks devices that may be exploitable are still exposed to the internet, it is urgent to check whether your IT assets are exposed and whether they are secured.

Exploit PoC for Palo Alto Vulnerability Disclosed

The command injection vulnerability CVE-2024-3400 affects PAN-OS versions 10.2 ~ 10.2.9-h1, 11.0 ~ 11.0.4-h1, and 11.1 ~ 11.1.2-h3 when the device is configured with either a GlobalProtect Gateway or a GlobalProtect Portal and has device telemetry enabled. These specific versions and configurations are the ones vulnerable to this exploit.

The image below is part of the vulnerability PoC code released on GitHub.

Part of the CVE-2024-3400 PoC released on GitHub, 
Source: https://github.com/h4x0r-dz/CVE-2024-3400

If you execute the WHOIS command according to the published PoC above, the result of the command execution is returned from the target server to port 9999 on the attacker's PC, as shown in the image below.

As a result, RCE (Remote Code Execution) attacks that can execute arbitrary commands become possible.

Attack code of CVE-2024-3400 that can lead to an RCE attack,
Source: 0x0d3ad's GitHub (https://github.com/0x0d3ad/CVE-2024-3400)

Checking Potential Threats of CVE-2024-3400 Using Path Traversal and OSINT Search Engine

With this publicly available PoC, the CVE-2024-3400 vulnerability can be exploited easily. The problem is that, even two weeks after the vulnerability was announced, many Palo Alto Networks devices are still affected by the command injection vulnerability.

To avoid becoming a target of attacks on this vulnerability, you should check whether the Palo Alto Networks device you are using is vulnerable. There are two main ways to find vulnerable Palo Alto Networks devices. The first is to check for the vulnerability through path traversal.

The check creates the file poc.txt, with root permissions, at the following path: /var/appweb/sslvpndocs/global-protect/portal/images/poc.txt

If the device is vulnerable, the server responds with status code 403 when poc.txt is requested.

Checking for vulnerabilities in Palo Alto Networks devices through path traversal, 
Source: ihebski's GitHub (https://github.com/ihebski/CVE-2024-3400)

However, this method is inconvenient because each device has to be checked one by one. Alternatively, searching the query below in Asset Search on the threat intelligence search engine Criminal IP finds a large number of Palo Alto Networks devices exposed to the internet.

Criminal IP Query: title: "GlobalProtect Portal"

Exposed Palo Alto Networks GlobalProtect Portal searched for Criminal IP

The search returned a total of 90,904 Palo Alto Networks GlobalProtect Portals exposed externally. The United States had the largest number with 27,570, followed by India and Germany.

The login screen of Palo Alto Networks GlobalProtect Portal is publicly available

However, not all externally exposed Palo Alto Networks devices are vulnerable to CVE-2024-3400. As mentioned earlier, only devices running the specific affected versions are targets of this attack, so the issue should be resolved through a prompt version update.

Vulnerability  | Product Name | Affected Versions  | Recommended Update Versions
CVE-2024-3400  | PAN-OS       | 11.1 ~ 11.1.2-h3   | 11.1.2-h3 and above
               |              | 11.0 ~ 11.0.4-h1   | 11.0.4-h1 and above
               |              | 10.2 ~ 10.2.9-h1   | 10.2.9-h1 and above
Product versions vulnerable to CVE-2024-3400 and recommended update versions
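To apply the version table above across a device inventory, the following Python is an added example (not code from the article, from Criminal IP, or from Palo Alto Networks) that parses PAN-OS version strings including the -hN hotfix suffix and flags any build below the fixed release in each affected train. The hostnames, versions, and configuration flags in the sample inventory are constructed for illustration.

```python
import re

# Fixed builds from the article's table. Any earlier build in the same
# major.minor train is affected by CVE-2024-3400; trains the table does not
# list are treated as unaffected here (an assumption drawn from the table).
FIXED_VERSIONS = {
    (10, 2): "10.2.9-h1",
    (11, 0): "11.0.4-h1",
    (11, 1): "11.1.2-h3",
}

_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:-h(\d+))?$")


def parse_panos_version(text: str) -> tuple:
    """Parse 'major.minor.maint[-hN]' into a comparable tuple; a build with
    no hotfix suffix sorts below its own -h1 (10.2.9 < 10.2.9-h1 < 10.2.10)."""
    match = _VERSION_RE.match(text.strip())
    if not match:
        raise ValueError(f"unrecognised PAN-OS version: {text!r}")
    major, minor, maint, hotfix = match.groups()
    return (int(major), int(minor), int(maint), int(hotfix or 0))


def is_vulnerable_version(version: str) -> bool:
    """True when the build is in an affected train and below its fix."""
    parsed = parse_panos_version(version)
    fixed = FIXED_VERSIONS.get(parsed[:2])
    return fixed is not None and parsed < parse_panos_version(fixed)


def triage(inventory: list) -> tuple:
    """Split hosts on vulnerable builds into those that also meet the article's
    exposure preconditions (GlobalProtect configured, device telemetry on)
    and those that still need the update scheduled."""
    exposed, patch_only = [], []
    for dev in inventory:
        if not is_vulnerable_version(dev["version"]):
            continue
        bucket = exposed if dev["globalprotect"] and dev["telemetry"] else patch_only
        bucket.append(dev["host"])
    return exposed, patch_only


# Constructed sample inventory; hostnames, versions and flags are hypothetical.
SAMPLE_INVENTORY = [
    {"host": "fw-edge-1", "version": "11.1.2-h2", "globalprotect": True, "telemetry": True},
    {"host": "fw-edge-2", "version": "11.1.2-h3", "globalprotect": True, "telemetry": True},
    {"host": "fw-lab", "version": "10.2.9", "globalprotect": True, "telemetry": False},
    {"host": "fw-dc-1", "version": "10.1.11", "globalprotect": True, "telemetry": True},
    {"host": "fw-branch", "version": "11.0.3", "globalprotect": False, "telemetry": True},
]
```

Running triage(SAMPLE_INVENTORY) returns (['fw-edge-1'], ['fw-lab', 'fw-branch']): one host exposed under the article's preconditions, two on vulnerable builds that should still be updated.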

In relation to this, you can refer to the article Detecting a server exposed to CVSS 10-point ScreenConnect vulnerability (CVE-2024-1709).


This report is based on data from Criminal IP, a Cyber Threat Intelligence search engine. Sign up for a free Criminal IP account today to explore the search results mentioned in the report and delve into comprehensive threat intelligence.

Source: Criminal IP (https://www.criminalip.io)
