Critical Zero-Day Vulnerability Affecting Palo Alto Gateways

Palo Alto warns of critical 10.0 CVSS RCE zero-day affecting GlobalProtect gateways. No patch currently available and mitigation requires a subscription.

Palo Alto has released an advisory regarding a critical remote code execution (RCE) zero-day vulnerability affecting its GlobalProtect gateways.

CVE-2024-3400 PAN-OS: OS Command Injection Vulnerability in GlobalProtect Gateway

CVE-2024-3400 is a critical command injection vulnerability rated with the highest CVSS score of 10.0. The vulnerability affects PAN-OS 10.2, PAN-OS 11.0, and PAN-OS 11.1. This RCE vulnerability only affects devices that have both a GlobalProtect gateway and telemetry configured.

Zero-Day Exploitation

Palo Alto states that it is aware of a limited number of attacks exploiting this vulnerability. The advisory states that no fixes are currently available; patches are being developed and are expected to be released on April 24, 2024.

Mitigation

While no fix is currently available, the Palo Alto advisory provides the following mitigation guidance:

“Customers with a Threat Prevention subscription can block attacks for this vulnerability by enabling Threat ID 95187”

We’ll update this developing story and provide more information as soon as patches are released.

Updated: Tuesday April 16 2024

Palo Alto has updated their advisory after releasing patches to address this vulnerability. Patches are available or expected soon for the following versions of PAN-OS:

PAN-OS 10.2:

  • 10.2.9-h1 (Released 4/14/24)
  • 10.2.8-h3 (Released 4/15/24)
  • 10.2.7-h8 (Released 4/15/24)
  • 10.2.6-h3 (ETA: 4/16/24)
  • 10.2.5-h6 (ETA: 4/16/24)
  • 10.2.3-h13 (ETA: 4/17/24)
  • 10.2.1-h2 (ETA: 4/17/24)
  • 10.2.2-h5 (ETA: 4/18/24)
  • 10.2.0-h3 (ETA: 4/18/24)
  • 10.2.4-h16 (ETA: 4/19/24)

PAN-OS 11.0:

  • 11.0.4-h1 (Released 4/14/24)
  • 11.0.3-h10 (ETA: 4/16/24)
  • 11.0.2-h4 (ETA: 4/16/24)
  • 11.0.1-h4 (ETA: 4/17/24)
  • 11.0.0-h3 (ETA: 4/18/24)

PAN-OS 11.1:

  • 11.1.2-h3 (Released 4/14/24)
  • 11.1.1-h1 (ETA: 4/16/24)
  • 11.1.0-h3 (ETA: 4/17/24)
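
The hotfix list above can be turned into an inventory check. The following is an added example, not code from Palo Alto or from the original article: it classifies a PAN-OS version string against the listed hotfixes. It assumes that hotfixes within one maintenance release are cumulative (a higher -hN includes the fix); the function names and the sample inventory are constructed for illustration.

```python
import re

# Minimum hotfix carrying the fix, per maintenance release (from the list above).
FIXED_HOTFIX = {
    "10.2.9": 1, "10.2.8": 3, "10.2.7": 8, "10.2.6": 3, "10.2.5": 6,
    "10.2.3": 13, "10.2.1": 2, "10.2.2": 5, "10.2.0": 3, "10.2.4": 16,
    "11.0.4": 1, "11.0.3": 10, "11.0.2": 4, "11.0.1": 4, "11.0.0": 3,
    "11.1.2": 3, "11.1.1": 1, "11.1.0": 3,
}
AFFECTED_BRANCHES = {"10.2", "11.0", "11.1"}

# Matches strings such as "10.2.7" or "10.2.7-h8".
VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:-h(\d+))?$")


def classify(version):
    """Classify one PAN-OS version string against the hotfix list."""
    m = VERSION_RE.match(version.strip())
    if not m:
        return "unparseable"
    major, minor, maint, hotfix = m.groups()
    branch = f"{major}.{minor}"
    if branch not in AFFECTED_BRANCHES:
        return "branch-not-listed"
    release = f"{branch}.{maint}"
    if release not in FIXED_HOTFIX:
        # Maintenance release absent from the list: do not guess, check the advisory.
        return "check-advisory"
    # Assumption: a base build without "-hN" counts as hotfix 0.
    return "fixed" if int(hotfix or 0) >= FIXED_HOTFIX[release] else "needs-hotfix"


def triage(inventory):
    """Map each host to its classification."""
    return {host: classify(ver) for host, ver in inventory.items()}


# Constructed inventory for illustration; hostnames and versions are made up.
SAMPLE_INVENTORY = {
    "fw-edge-01": "10.2.7-h8",
    "fw-edge-02": "10.2.7-h3",
    "fw-dc-01": "11.0.4",
    "fw-lab-01": "11.1.3",
    "fw-old-01": "10.1.12",
}

if __name__ == "__main__":
    for host, status in triage(SAMPLE_INVENTORY).items():
        print(f"{host:12} {SAMPLE_INVENTORY[host]:12} {status}")
```

A "needs-hotfix" result only means the build predates the listed fix; whether the device is exposed still depends on the GlobalProtect gateway and telemetry configuration described earlier.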

About Timothy Wilson

Tim is an avid homelabber with a passion for information security, threat hunting, and vulnerability research.
