Following on from our recent advisory, we provide the following urgent update to guidance on PAN devices impacted by CVE-2024-3400.
We have also included details of a recently disclosed PuTTY (SSH client) vulnerability. We urge all impacted partners to take action on both vulnerabilities immediately.
Palo Alto CVE-2024-3400 – Urgent update
Recent developments regarding the active exploitation of CVE-2024-3400 indicate that the previously advised mitigation of disabling device telemetry is ineffective.
At the time of writing, Palo Alto Networks advise that applying the appropriate hotfix is the recommended remediation. Availability depends on the PAN-OS version in use, as hotfixes have not yet been released for every impacted version.
Impacted Version(s)
Affected PAN-OS versions include:
- PAN-OS 10.2
- PAN-OS 11.0
- PAN-OS 11.1
Remediation Timelines
PAN-OS 10.2:
- 10.2.9-h1 (Released 14/04/24)
- 10.2.8-h3 (Released 15/04/24)
- 10.2.7-h8 (Released 15/04/24)
- 10.2.6-h3 (Released 16/04/24)
- 10.2.5-h6 (ETA: 16/04/24)
- 10.2.3-h13 (ETA: 17/04/24)
- 10.2.1-h2 (ETA: 17/04/24)
- 10.2.2-h5 (ETA: 17/04/24)
- 10.2.0-h3 (ETA: 18/04/24)
- 10.2.4-h16 (ETA: 19/04/24)
PAN-OS 11.0:
- 11.0.4-h1 (Released 14/04/24)
- 11.0.3-h10 (ETA: 16/04/24)
- 11.0.2-h4 (Released 16/04/24)
- 11.0.1-h4 (ETA: 17/04/24)
- 11.0.0-h3 (ETA: 18/04/24)
PAN-OS 11.1:
- 11.1.2-h3 (Released 14/04/24)
- 11.1.1-h1 (ETA: 16/04/24)
- 11.1.0-h3 (ETA: 17/04/24)
Mitigation Strategies
As a short-term mitigation, clients with an active ‘Threat Prevention’ subscription can block ongoing attacks by enabling Threat Prevention signatures for Threat IDs 95187 and 95189.
The following wiki article provides further guidance on this mitigation strategy:
https://wiki.secure-iss.com/en/Public/SOC/PAN-CVE-2024-3400
Indicators have been added to Secure-ISS SIEM rulesets and are being updated as this situation develops.
Further reading
https://www.cisa.gov/news-events/alerts/2024/04/12/palo-alto-networks-releases-guidance-vulnerability-pan-os-cve-2024-3400
https://security.paloaltonetworks.com/CVE-2024-3400
https://nvd.nist.gov/vuln/detail/CVE-2024-3400
PuTTY (SSH) client
A vulnerability has been disclosed in the popular SSH client PuTTY that allows trivial compromise of the private key when specific conditions are met.
Impacted key pairs are ECDSA keys using the NIST P-521 curve. ECDSA keys on other curves, and other key types, are not impacted.
An attacker in possession of a few dozen signed messages and the public key has enough information to recover the private key and forge signatures, allowing them to log in to any server that key is authorised for.
Impacted Versions:
v0.68 to v0.80 inclusive
Remediation:
- Revoke and remove the public key from all authorized_keys files (or equivalent), then generate a new key pair
- Update to v0.81
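As an added example (not code from this advisory or from the PuTTY project), a small Python inventory script for the revocation step above: it walks authorized_keys content and flags only ECDSA keys whose blob encodes the nistp521 curve, reading the curve from the key material rather than trusting the key-type label, and skipping comment lines and leading option fields. The sample keys below are constructed placeholders with zeroed EC points, not real keys.

```python
import base64
import struct
from typing import Iterator, List, Optional, Tuple

AFFECTED_CURVE = "nistp521"  # per the advisory, only ECDSA on NIST P-521 is affected

def _ssh_strings(blob: bytes) -> Iterator[bytes]:
    """Yield the length-prefixed strings of an SSH key blob (RFC 4251 wire format)."""
    off = 0
    while off + 4 <= len(blob):
        (n,) = struct.unpack(">I", blob[off:off + 4])
        off += 4
        if off + n > len(blob):
            raise ValueError("truncated SSH string in key blob")
        yield blob[off:off + n]
        off += n

def ecdsa_curve(line: str) -> Optional[str]:
    """Curve name of an ECDSA authorized_keys line, or None if not ECDSA / unparseable.
    Read from the blob itself, so options like from="..." or a mislabelled token cannot hide it."""
    fields = line.split()
    for i, tok in enumerate(fields):
        if tok.startswith("ecdsa-sha2-") and i + 1 < len(fields):
            try:  # binascii.Error raised by b64decode is a ValueError subclass
                parts = list(_ssh_strings(base64.b64decode(fields[i + 1], validate=True)))
            except ValueError:
                return None
            # blob layout: string key_type, string curve_name, string Q (EC point)
            return parts[1].decode("ascii", "replace") if len(parts) >= 3 else None
    return None

def affected_keys(authorized_keys: str) -> List[Tuple[int, str]]:
    """(line number, line) for every P-521 ECDSA key the advisory says to revoke."""
    return [(n, line) for n, line in enumerate(authorized_keys.splitlines(), start=1)
            if line.strip() and not line.lstrip().startswith("#")
            and ecdsa_curve(line) == AFFECTED_CURVE]

def fake_ecdsa_key(curve: str) -> str:
    """Constructed test key: correct wire layout, but the EC point is all zeros (not a real key)."""
    point = b"\x04" + b"\x00" * (2 * {"nistp256": 32, "nistp384": 48, "nistp521": 66}[curve])
    blob = b"".join(struct.pack(">I", len(p)) + p for p in (b"ecdsa-sha2-" + curve.encode(), curve.encode(), point))
    return f"ecdsa-sha2-{curve} {base64.b64encode(blob).decode()}"

# Constructed sample authorized_keys content; none of these are real keys.
SAMPLE = "\n".join([
    "# ops team",
    "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA alice@laptop",
    fake_ecdsa_key("nistp256") + " bob@build",
    'from="10.0.0.0/8",no-pty ' + fake_ecdsa_key("nistp521") + " carol@jump",
])
```

Running `affected_keys(SAMPLE)` returns only line 4 (carol's P-521 key, despite the leading options field); the P-256 and ed25519 entries are left alone.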