Merge pull request #732 from JstRelax/DIVD-2024-00013

DIVD-2024-00013 PAN-OS

_cases/2024/DIVD-2024-00013.md

@@ -0,0 +1,91 @@
+---
+layout: case
+title: Palo Alto PAN-OS Command Injection Vulnerability in GlobalProtect
+excerpt: "A command injection vulnerability has been discovered in the GlobalProtect feature of Palo Alto Networks PAN-OS software "
+author: Stan Plasmeijer
+lead: Stan Plasmeijer
+researchers:
+- Stan Plasmeijer
+- Ralph Horn
+- Wessel van der Goot
+cves:
+- CVE-2024-3400
+product: 
+- PAN-OS GlobalProtect
+versions: 
+- PAN-OS 10.2, PAN-OS 11.0, and PAN-OS 11.1 firewalls configured with GlobalProtect gateway or GlobalProtect portal (or both).
+recommendation: "Upgrade to a PAN-OS version where the issue is fixed. The issue is fixed in PAN-OS 10.2.9-h1, PAN-OS 11.0.4-h1, PAN-OS 11.1.2-h3, and in all later PAN-OS versions."
+patch_status: Released
+status : Open
+start: 2024-04-12
+end: 
+timeline:
+- start: 2024-04-12
+  end:
+  event: "DIVD starts researching this vulnerability."
+- start: 2024-04-13
+  end:
+  event: "DIVD found a way to fingerprint vulnerable devices"
+- start: 2024-04-13
+  end:
+  event: "DIVD starts scanning the internet for vulnerable instances"
+- start: 2024-04-14
+  end:
+  event: "Palo Alto Networks released new firmware to fix the issue"
+- start: 2024-04-17
+  end:
+  event: "DIVD scanned a second time for finding vulnerable instances, which didn't update to the latest version yet"
+- start: 2024-04-18
+  end:
+  event: "Case opened, first version of this casefile"
+#ips: 0
+
+---
+## Summary
+
+A command injection vulnerability has been discovered in the GlobalProtect of PAN-OS, allowing unauthenticated malicious actors to exploit it to execute arbitrary commands on the system with root privileges. PAN-OS is the operating system of Palo Alto Firewalls. 
+
+Palo Alto Networks is aware of attacks exploiting this vulnerability.
+
+## Recommendations
+
+Palo Alto Networks recommends to upgrade to a version where the issue is fixed. Palo Alto has released the following versions:
+
+PAN-OS 10.2:
+* 10.2.9-h1 (Released 14 Apr 2024)
+* 10.2.8-h3 (Released 15 Apr 2024)
+* 10.2.7-h8 (Released 15 Apr 2024)
+* 10.2.6-h3 (Released 16 Apr 2024)
+* 10.2.5-h6 (Released 16 Apr 2024)
+* 10.2.3-h13 (Released 18 Apr 2024)
+* 10.2.1-h2 (Released 18 Apr 2024)
+* 10.2.2-h5 (Released 18 Apr 2024)
+* 10.2.0-h3 (Released 18 Apr 2024)
+* 10.2.4-h16 (Released 18 Apr 2024)
+
+PAN-OS 11.0:
+* 11.0.4-h1 (Released 14 Apr 2024)
+* 11.0.4-h2 (Released 17 Apr 2024)
+* 11.0.3-h10 (Released 16 Apr 2024)
+* 11.0.2-h4 (Released 16 Apr 2024)
+* 11.0.1-h4 (Released 18 Apr 2024)
+* 11.0.0-h3 (Released 18 Apr 2024)
+
+PAN-OS 11.1:
+* 11.1.2-h3 (Released 14 Apr 2024)
+* 11.1.1-h1 (Released 16 Apr 2024)
+* 11.1.0-h3 (Released 16 Apr 2024)
+
+## Mitigation
+
+When a upgrading is not suitable for you for you and you have a Threat Prevention subscription with Palo Alto, you can block attacks using Threat IDs 95187, 95189, and 95191 (available in Applications and Threats content version 8836-8695 and later).
+
+## What we are doing
+
+DIVD is currently identifying vulnerable instances and notifying the owners of these systems.
+
+{% comment %}  Leave this here, so we see a timeline {% endcomment %}
+{% include timeline.html %}
+
+## More information
+* [Palo Alto Networks security advisory](https://security.paloaltonetworks.com/CVE-2024-3400)