Emerging Security Issue: Palo Alto Networks GlobalProtect PAN-OS Software CVE-2024-3400

Update April 22nd, 2024

CyCognito integrated an active test for this vulnerability into our platform on April 21st, 2024 and will continue to alert customers if vulnerable assets are identified. As of April 22nd, 2024, 99.5% of CyCognito customers’ potentially vulnerable assets are confirmed as not vulnerable.

What is CVE-2024-3400?

On April 12th, Palo Alto Networks announced threat intelligence and incident response firm Volexity’s discovery of a command injection vulnerability in the GlobalProtect feature of Palo Alto Networks PAN-OS software, CVE-2024-3400. This vulnerability allows unauthenticated attackers to execute arbitrary code with root privileges on the firewall in some PAN-OS versions. In at least one case, an attacker (tracked as UTA0218) was able to leverage this vulnerability as an entry point and began moving laterally within an affected organization. 

What Assets are Affected by this Vulnerability? 

Currently, only firewall versions PAN-OS 10.2, PAN-OS 11.0, and PAN-OS 11.1 configured with GlobalProtect Gateway and/or GlobalProtect portal and that also have device telemetry enabled are affected.

How to Verify if an Asset is Vulnerable

Users can verify if their firewalls have been configured with a GlobalProtect gateway or GlobalProtect portal by checking for entries in the firewall web interface using Network > GlobalProtect > Gateways or Network > GlobalProtect > Portals. To check if device telemetry has been enabled, check your firewall web interface using Device > Setup > Telemetry.

Cloud-based Virtual Machines Impacted by CVE-2024-3400? 

While Cloud NGFW firewalls are not affected by this vulnerability, some PAN-OS versions and feature configurations of firewalls deployed in the cloud may be impacted.  

Is a Fix Available? 

Starting on April 14th, Palo Alto Networks began publishing hotfixes for CVE-2024-3400. As of April 15th, these fixes cover versions PAN-OS 10.2.9-h1, PAN-OS 11.0.4-h1, PAN-OS 11.1.2-h3, and later but do not cover earlier versions. Additional hotfixes for earlier versions are expected. 

Is CVE-2024-3400 Actively Being Exploited? 

Palo Alto Networks has stated that they are “aware of a limited number of attacks that leverage the exploitation of this vulnerability.” Palo Alto Networks Unit42 is currently tracking this incident as Operation MidnightEclipse. 

Volexity has identified one potentially state-backed threat actor – UTA0218 – exploiting this vulnerability. Organizations can anticipate a flurry of attempted exploitations as CVE-2024-3400 becomes more widely known. 

How is CyCognito Helping Customers Identify Assets Vulnerable to CVE-2024-3400? 

As soon as this vulnerability was published, CyCognito identified potentially affected assets that were exposed to attackers. Over the weekend, affected customers received a list of externally exposed assets vulnerable to CVE-2024-3400. In addition, all customers can view an in-platform emerging security issue announcement. The CyCognito platform uses both passive scanning and active testing techniques to identify vulnerable assets.  

Figure 1: The alert sent by CyCognito for CVE-2024-3200

How are Enterprise Organizations at Risk from CVE-2024-3400? 

Over 50% of CyCognito customers use at least one externally exposed Palo Alto Networks product. CyCognito found that the average customer with exposed Palo Alto Networks assets had at least 13 potentially vulnerable devices, but Fortune 100 enterprises were much more heavily exposed, with up to 150 different networks leveraging Palo Alto Networks GlobalProtect. Each of these assets likely serves a different subsidiary part of the larger corporate entity. 

CVE-2024-3400 poses the greatest risk to enterprise organizations due to a greater likelihood of undermanaged or unknown affected assets in these organizations. Our previous research indicates that organizations are unaware of 10-30% of their subsidiaries before they begin managing their exposed attack surface with CyCognito. For enterprises leveraging Palo Alto Networks’ GlobalProtect product, that could leave dozens of assets undiscovered, untested, and unpatched.    

What Other Issues Are Potentially Affecting Palo Alto Networks Devices? 

Whether it’s because of unknown or under-managed assets, a lack of fix validation or inability to effectively detect a vulnerability, security issues can linger in the attack surface for months or years. When new organizations begin using CyCognito, we often find that even organizations with best-in-class security teams still have undiscovered and untested exploitable critical vulnerabilities affecting vital systems because their attack surface was never fully mapped and tested.

Although the vulnerabilities below were published over 18 months ago, CyCognito found assets that were still vulnerable to these critical issues today. 

• CVE-2020-2021—While only 3.5% of CyCognito customers using Palo Alto Networks products are still affected by this critical (10/10) vulnerability, it was documented in June 2020, making this fix almost four years overdue. 
• CVE-2021-3064 – CyCognito found that 12% of customers using Palo Alto Networks products were affected by this critical vulnerability (9.8/10 according to PAN’s advisory), even though it was discovered in 2021. 
• CVE-2022-0028 – Although this issue was documented in 2022, almost 14% of CyCognito customers using Palo Alto Networks products have had assets vulnerable to this high severity (8.6/10) vulnerability within the last 12 months. However, without active security testing, like that provided by CyCognito, organizations cannot accurately identify whether assets are affected by this issue.

These vulnerable assets underscore how critical it is for organizations to quickly identify, prioritize and remediate severe issues – in some cases, attackers have had years of opportunities to leverage these vulnerabilities to extract data, deploy ransomware, or reach targets within the affected organization. 

Relying on legacy stacks of vulnerability management combined with pen-testing and external attack surface management leaves critical exposures unmanaged and unremediated for years. When assessing whether organizations are prepared for vulnerabilities like CVE-2024-3400, consider four key exposure management metrics: 

1. Exposure Visibility: what percentage of externally exposed assets are visible to security teams?  
2. Pentest and DAST Coverage: what percentage of assets are actively tested for misconfigurations, vulnerabilities, and other issues? 
3. Pentest and DAST Cadence: how frequently are all assets actively tested? 
4. MTTR: how quickly are issues identified, prioritized, and remediated? 

How Can CyCognito Help Your Organization? 

CyCognito is an exposure management platform that reduces risk by discovering, testing and prioritizing security issues. The platform scans billions of websites, cloud applications and APIs and uses advanced AI to identify the most critical risks and guide remediation. Emerging companies, government agencies and Fortune 500 organizations rely on CyCognito to secure and protect from growing threats.Want to see how it works? Check out our website and explore our platform with a self-guided, interactive dashboard product tour. To learn how CyCognito can help you understand your external attack surface and exposed risks, please visit our Contact Us page to schedule a demo.