Cybersecurity company TeamT5 has released mitigation and response guidelines to vulnerability CVE-2024-340 in Palo Alto Networks PAN-OS software. Affected products are PAN-OS 10.2, PAN-OS 11.0, and PAN-OS 11.1 firewalls configured with GlobalProtect gateway or GlobalProtect portal (or both).
CVE-2024-3400 is an arbitrary file creation vulnerability in the GlobalProtect portals of PAN-OS software that will allow unauthenticated threat actors to execute arbitrary code and deploy malware to the targets’ devices with root privilege.
Notably, CVE-2024-3400 has a prerequisite of enabling the GlobalProtect gateway or portal. If enabled, the threat actors can exploit the arbitrary file creation vulnerability resulting from the GlobalProtect portals to achieve the command injection for remote code execution.
TeamT5 assesses the severity level of CVE-2024-3400 as critical and urges its customers to mitigate the effects. Proof of concepts exploiting CVE-2024-3400 have been circulating in the wild. Additionally, Palo Alto confirmed the attack attempts that exploited the vulnerability. Finally, public reports have revealed that state actors exploited CVE-2024-3400 in the attacks.
Threat actors have been actively exploiting CVE-2024-3400 since March 2024. Moreover, telemetry has identified at least two APT groups, including China-nexus APT SLIME60 and a newly identified APT group, SLIME61. Based on the exploitation status, TeamT5 depicted the possible attack scenario.
Palo Alto has released the official mitigation advisory. The vulnerability is patched in PAN-OS 10.2.9-h1, PAN-OS 11.0.4-h1, PAN-OS 11.1.2-h3, and in all later PAN-OS versions.
TeamT5 recommends its customers upgrade their Palo Alto Networks PAN-OS software to the corresponding version. Notably, while exploiting CVE-2024-3400 requires the GlobalProtect gateway or portal. Palo Alto has warned that disabling the device telemetry is not an effective mitigation.
