Palo Alto GlobalProtect RCE CVE-2024-3400 Exploitation Hosts

Context

CVE-2024-3400 is a critical command injection vulnerability discovered in the GlobalProtect feature of Palo Alto Networks’ PAN-OS software. This security flaw affects specific versions of PAN-OS and is particularly concerning because it allows an unauthenticated, remote attacker to execute arbitrary code with root privileges on affected firewalls.

The vulnerability arises due to improper neutralization of special elements that are used in commands within the software. This means that attackers can exploit this flaw by injecting malicious commands that the system will execute, potentially leading to unauthorized access and control over the network security device.

This vulnerability is critical, with a Common Vulnerability Scoring System (CVSS) score of 10, indicating the highest level of severity. The affected versions are mainly PAN-OS 10.2 and 11.0, but the issue has been addressed in subsequent updates provided by Palo Alto Networks.

To mitigate this vulnerability, Palo Alto Networks has released patches for the affected versions and recommends that all users update their systems immediately to prevent potential exploits. Additionally, for those with a Threat Prevention subscription, specific threat IDs have been provided that can help block attacks related to this vulnerability.

Hosts attempting to exploit CVE-2024-3400

  • A number of exploit PoCs have been posted on GitHub; many of them are expected to be traps (fake exploits with added malicious functionality) laid for researchers, given the high impact of such a vulnerability.

We have detected the following hosts attempting to exploit this vulnerability, with a high likelihood that they are using working exploit code.

  • 92.118.39.120
  • 91.92.249.130

The following User-Agent strings have been present in these attempts:

  • “Mozilla/5.0 (Linux; Linux x86_64; en-US) Gecko/20100101 Firefox/122.0”
  • “Go-http-client/1.1”
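As an added example (not part of the original post), the following script checks web-server access logs against the two source IPs and two User-Agent strings listed above. It assumes the logs are in the common "combined" format; the `classify`/`scan` function names and the sample log lines are constructed for this example, and the request paths in them are placeholders.

```python
"""Added example: match access-log lines against the CVE-2024-3400
indicators reported above (two source IPs, two User-Agent strings)."""
import re
from typing import Dict, List

# Indicators exactly as listed in the post above.
SUSPECT_IPS = {"92.118.39.120", "91.92.249.130"}
SUSPECT_UAS = {
    "Mozilla/5.0 (Linux; Linux x86_64; en-US) Gecko/20100101 Firefox/122.0",
    "Go-http-client/1.1",
}

# Assumed "combined" access-log format:
#   ip ident user [time] "request" status size "referer" "user-agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<request>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)


def classify(line: str) -> Dict[str, str]:
    """Parse one log line and attach a verdict: 'ip-match' (high confidence),
    'ua-only' (low confidence: a User-Agent is trivially spoofed, and
    Go-http-client/1.1 is the default UA of Go's net/http, so it also
    appears in legitimate traffic), 'clean', or 'unparsed'."""
    m = LOG_RE.match(line)
    if not m:
        return {"verdict": "unparsed", "raw": line}
    fields = m.groupdict()
    if fields["ip"] in SUSPECT_IPS:
        fields["verdict"] = "ip-match"
    elif fields["ua"] in SUSPECT_UAS:
        fields["verdict"] = "ua-only"
    else:
        fields["verdict"] = "clean"
    return fields


def scan(lines: List[str]) -> Dict[str, List[Dict[str, str]]]:
    """Group classified lines by verdict so high-confidence hits are triaged first."""
    out: Dict[str, List[Dict[str, str]]] = {"ip-match": [], "ua-only": [], "clean": [], "unparsed": []}
    for line in lines:
        if line.strip():
            c = classify(line)
            out[c["verdict"]].append(c)
    return out


# Constructed sample lines (not real traffic); request paths are placeholders.
SAMPLE_LOG = """\
92.118.39.120 - - [15/Apr/2024:10:01:02 +0000] "POST /placeholder-path HTTP/1.1" 200 123 "-" "Go-http-client/1.1"
203.0.113.5 - - [15/Apr/2024:10:01:05 +0000] "GET /placeholder-path HTTP/1.1" 200 4567 "-" "Mozilla/5.0 (Linux; Linux x86_64; en-US) Gecko/20100101 Firefox/122.0"
198.51.100.7 - - [15/Apr/2024:10:01:09 +0000] "GET /placeholder-path HTTP/1.1" 200 4567 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) Firefox/124.0"
"""

if __name__ == "__main__":
    for verdict, hits in scan(SAMPLE_LOG.splitlines()).items():
        for h in hits:
            print(verdict, h.get("ip"), h.get("ua"))
```

Treat `ua-only` hits as a prompt to look at the rest of that host's requests rather than as confirmation on their own.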