diff --git a/_cases/2024/DIVD-2024-00013.md b/_cases/2024/DIVD-2024-00013.md new file mode 100644 index 00000000..04e3afc3 --- /dev/null +++ b/_cases/2024/DIVD-2024-00013.md @@ -0,0 +1,91 @@ +--- +layout: case +title: Palo Alto PAN-OS Command Injection Vulnerability in GlobalProtect +excerpt: "A command injection vulnerability has been discovered in the GlobalProtect feature of Palo Alto Networks PAN-OS software " +author: Stan Plasmeijer +lead: Stan Plasmeijer +researchers: +- Stan Plasmeijer +- Ralph Horn +- Wessel van der Goot +cves: +- CVE-2024-3400 +product: +- PAN-OS GlobalProtect +versions: +- PAN-OS 10.2, PAN-OS 11.0, and PAN-OS 11.1 firewalls configured with GlobalProtect gateway or GlobalProtect portal (or both). +recommendation: "Upgrade to a PAN-OS version where the issue is fixed. The issue is fixed in PAN-OS 10.2.9-h1, PAN-OS 11.0.4-h1, PAN-OS 11.1.2-h3, and in all later PAN-OS versions." +patch_status: Released +status : Open +start: 2024-04-12 +end: +timeline: +- start: 2024-04-12 + end: + event: "DIVD starts researching this vulnerability." +- start: 2024-04-13 + end: + event: "DIVD found a way to fingerprint vulnerable devices" +- start: 2024-04-13 + end: + event: "DIVD starts scanning the internet for vulnerable instances" +- start: 2024-04-14 + end: + event: "Palo Alto Networks released new firmware to fix the issue" +- start: 2024-04-17 + end: + event: "DIVD scanned a second time for finding vulnerable instances, which didn't update to the latest version yet" +- start: 2024-04-18 + end: + event: "Case opened, first version of this casefile" +#ips: 0 + +--- +## Summary + +A command injection vulnerability has been discovered in the GlobalProtect of PAN-OS, allowing unauthenticated malicious actors to exploit it to execute arbitrary commands on the system with root privileges. PAN-OS is the operating system of Palo Alto Firewalls. + +Palo Alto Networks is aware of attacks exploiting this vulnerability. + +## Recommendations + +Palo Alto Networks recommends to upgrade to a version where the issue is fixed. Palo Alto has released the following versions: + +PAN-OS 10.2: +* 10.2.9-h1 (Released 14 Apr 2024) +* 10.2.8-h3 (Released 15 Apr 2024) +* 10.2.7-h8 (Released 15 Apr 2024) +* 10.2.6-h3 (Released 16 Apr 2024) +* 10.2.5-h6 (Released 16 Apr 2024) +* 10.2.3-h13 (Released 18 Apr 2024) +* 10.2.1-h2 (Released 18 Apr 2024) +* 10.2.2-h5 (Released 18 Apr 2024) +* 10.2.0-h3 (Released 18 Apr 2024) +* 10.2.4-h16 (Released 18 Apr 2024) + +PAN-OS 11.0: +* 11.0.4-h1 (Released 14 Apr 2024) +* 11.0.4-h2 (Released 17 Apr 2024) +* 11.0.3-h10 (Released 16 Apr 2024) +* 11.0.2-h4 (Released 16 Apr 2024) +* 11.0.1-h4 (Released 18 Apr 2024) +* 11.0.0-h3 (Released 18 Apr 2024) + +PAN-OS 11.1: +* 11.1.2-h3 (Released 14 Apr 2024) +* 11.1.1-h1 (Released 16 Apr 2024) +* 11.1.0-h3 (Released 16 Apr 2024) + +## Mitigation + +When a upgrading is not suitable for you for you and you have a Threat Prevention subscription with Palo Alto, you can block attacks using Threat IDs 95187, 95189, and 95191 (available in Applications and Threats content version 8836-8695 and later). + +## What we are doing + +DIVD is currently identifying vulnerable instances and notifying the owners of these systems. + +{% comment %} Leave this here, so we see a timeline {% endcomment %} +{% include timeline.html %} + +## More information +* [Palo Alto Networks security advisory](https://security.paloaltonetworks.com/CVE-2024-3400)