As you may be aware, CISA has advised of a critical vulnerability in Palo Alto Networks PAN-OS versions 10.2, 11.0, and 11.1.

Palo Alto Networks has reported active exploitation of this vulnerability in the wild. CISA has also added this vulnerability to its Known Exploited Vulnerabilities Catalog.

Command Injection vulnerability

A command injection vulnerability, tracked as CVE-2024-3400, in the GlobalProtect feature of Palo Alto Networks PAN-OS software for specific PAN-OS versions and distinct feature configurations may enable an unauthenticated attacker to execute arbitrary code with root privileges on the firewall.

Fixes for PAN-OS 10.2, PAN-OS 11.0, and PAN-OS 11.1 are in development and are expected to be released by April 14, 2024.

Cloud NGFW, Panorama appliances, and Prisma Access are not impacted by this vulnerability. All other versions of PAN-OS are also not impacted.

Impacted Version(s)

Affected PAN-OS versions include:

  • PAN-OS 11.1 – 11.1.2 – h3 and prior
  • PAN-OS 11.0 – 11.0.4 – h1 and prior
  • PAN-OS 10.2 – 10.2.9 – h1 and prior

Mitigation Strategies

Until the patches are released by Palo Alto Networks, the following mitigation actions below are strongly recommended.

Customers with a Threat Prevention subscription can block attacks for this vulnerability by enabling Threat ID 95187 (introduced in Applications and Threats content version 8833-8682).

Customers must also ensure vulnerability protection has been applied to their GlobalProtect interface.

If customers are unable to apply the Threat Prevention based mitigation at this time, you can still mitigate the impact of this vulnerability by temporarily disabling device telemetry.

For detailed instructions of any of the mitigation steps above, see Palo Alto Networks Advisory here

Further reading