Palo Alto OS Command Injection Vulnerability

The Palo Alto OS Command Injection Vulnerability allows an attacker to perform command injection (described below) against a Palo Alto firewall.

This vulnerability was registered on the CVE reference website under CVE-2024-3400 on 12 April 2024.

What is Command Injection Vulnerability?

Command injection vulnerability is a security flaw that occurs when an application accepts and executes external inputs from users without properly validating or sanitizing them. This vulnerability typically affects web applications that interact with external systems or execute shell commands on the server.

In a command injection attack, an attacker exploits this vulnerability by injecting malicious commands into the application’s input fields or parameters. These commands can be executed within the context of the application’s environment, potentially allowing the attacker to perform unauthorized actions, such as executing system commands, accessing sensitive information, or compromising the integrity of the system.

For example, consider a web application that allows users to search for files on the server by entering a filename. If the application does not properly validate user input and directly passes it to a system command without proper sanitization, an attacker could input a malicious command along with the filename, such as appending ; rm -rf /, which could lead to the deletion of important files or directories on the server.

To prevent command injection vulnerabilities, developers should implement strict input validation, use parameterized queries or prepared statements for database queries, and avoid executing external commands with user-supplied input. Additionally, employing proper access controls and limiting the privileges of the application can help mitigate the impact of potential attacks.

About the Palo Alto OS Command Injection Vulnerability & Its Impact

The Palo Alto OS Command Injection Vulnerability is registered under CVE-2024-3400 with the following detail:

CVE ID: CVE-2024-3400

CVE Description: A command injection vulnerability in the GlobalProtect feature of Palo Alto Networks PAN-OS software for specific PAN-OS versions and distinct feature configurations may enable an unauthenticated attacker to execute arbitrary code with root privileges on the firewall.

CVE Score: 10

Severity: Critical

Impacted Products: Palo Alto firewalls configured with both a GlobalProtect gateway and device telemetry enabled, running one of the following PAN-OS versions, are impacted:

  • PAN-OS 11.1 older than 11.1.2-h3
  • PAN-OS 11.0 older than 11.0.4-h1
  • PAN-OS 10.2 older than 10.2.9-h1

What is NOT Impacted: According to the Palo Alto Networks security advisory, Cloud NGFW, Panorama appliances, Prisma Access, and PAN-OS versions other than the three listed above are not impacted by this vulnerability.

Are You Impacted?

You can verify whether you are impacted by checking whether a GlobalProtect gateway is configured on your firewall and whether device telemetry is enabled.

  • To check whether a GlobalProtect gateway is configured on your firewall, log in to your Palo Alto firewall management web interface and go to Network > GlobalProtect > Gateways.
  • To check whether device telemetry is enabled, log in to your Palo Alto firewall management web interface and go to Device > Setup > Telemetry.
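
As an added check (not from the vendor advisory or the original post), the script below decides whether a PAN-OS version string falls into the affected ranges listed above and combines that with the two configuration conditions; it assumes the version format "major.minor.maint[-hN]" and a constructed sample inventory, while the gateway and telemetry flags themselves still have to be read from the interface as described.

```python
import re
from typing import Tuple

# Fixed versions for each impacted PAN-OS branch, taken from the list above.
# Anything in these branches older than the fixed version is affected.
FIXED_BY_BRANCH = {
    (11, 1): "11.1.2-h3",
    (11, 0): "11.0.4-h1",
    (10, 2): "10.2.9-h1",
}

# PAN-OS version strings look like "10.2.9" or "10.2.9-h1" (assumed format).
VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:-h(\d+))?$")


def parse_version(version: str) -> Tuple[int, int, int, int]:
    """Turn 'major.minor.maint[-hN]' into a comparable tuple (no hotfix = h0)."""
    match = VERSION_RE.fullmatch(version.strip())
    if not match:
        raise ValueError(f"unrecognised PAN-OS version: {version!r}")
    major, minor, maint, hotfix = match.groups()
    return (int(major), int(minor), int(maint), int(hotfix or 0))


def is_vulnerable_version(version: str) -> bool:
    """True when the version is in an impacted branch and older than its fix."""
    parsed = parse_version(version)
    fixed = FIXED_BY_BRANCH.get(parsed[:2])
    if fixed is None:
        return False  # branch not listed as impacted (e.g. 10.1, 9.1)
    return parsed < parse_version(fixed)


def is_exposed(version: str, gp_gateway_configured: bool, telemetry_enabled: bool) -> bool:
    """Exposure requires an affected version AND a GlobalProtect gateway
    AND device telemetry enabled, as the advisory text above states."""
    return is_vulnerable_version(version) and gp_gateway_configured and telemetry_enabled


if __name__ == "__main__":
    # Constructed sample inventory: (hostname, version, gateway, telemetry)
    inventory = [
        ("fw-edge-1", "11.1.2-h2", True, True),
        ("fw-edge-2", "11.1.2-h3", True, True),
        ("fw-lab", "10.2.9", True, False),
    ]
    for host, ver, gw, tel in inventory:
        print(f"{host:10} {ver:10} exposed={is_exposed(ver, gw, tel)}")
```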

You can also lodge a support ticket with Palo Alto Customer Support and upload a copy of your firewall’s Technical Support File (TSF) so the Palo Alto support team can check for any indicator of compromise for this vulnerability for you.

Solution

Palo Alto Networks is aware of the situation and is currently developing, testing and releasing a hotfix for this issue.

According to the Palo Alto Networks website, the issue will be resolved by the hotfix that Palo Alto Networks plans to release for all 3 impacted PAN-OS versions on 14 April 2024.

Workaround & Mitigations

While the hotfix is being developed and tested for release, Palo Alto Networks recommends that customers with a Threat Prevention subscription block attacks for this vulnerability by enabling Threat ID 95187 (introduced in Applications and Threats content version 8833-8682).

You must also ensure that vulnerability protection has been applied to your GlobalProtect interface to prevent exploitation of this issue on your device.
