Palo Alto Networks Warns of Critical Zero-Day in PAN-OS


A critical zero-day vulnerability in Palo Alto Networks’ PAN-OS software, used in its GlobalProtect gateways, is being exploited in the wild and no patch is yet available.

Palo Alto Networks released an alert on the flaw on April 12, 2024, thanking cybersecurity company Volexity for discovering it.

The vulnerability is a command injection vulnerability in the GlobalProtect functionality of Palo Alto Networks’ PAN-OS software for specific versions of PAN-OS.

Day Zero was registered as CVE-2024-3400 and was assigned the highest severity score (CVSS of 10.0).

“Distinct feature configurations may allow an unauthenticated attacker to execute arbitrary code with root privileges on the firewall,” Palo Alto said in the advisory.

Limited active exploitation

The versions affected are as follows:

  • PAN-OS <11.1.2-h3
  • PAN-OS <11.0.4-h1
  • PAN-OS <10.2.9-h1

The company also stated that the vulnerability can only be exploited with firewalls that have configurations for GlobalProtect Gateway (Network > GlobalProtect > Gateways) and Device Telemetry (Device > Configuration > Telemetry) enabled.

The company is aware of a limited number of attacks leveraging this vulnerability.

Upcoming fixes for CVE-2024-3400

Although no fixes are available, Palo Alto has issued some mitigation recommendations:

  • Apply a vulnerability protection security profile to the GlobalProtect interface to prevent exploitation
  • Customers with a Threat Prevention subscription can block attacks related to this vulnerability by enabling Threat ID 95187.

The company announced that the flaw will be fixed on April 14 in a series of patches for PAN-OS versions 11.1.2-h3, 11.0.4-h1 and 10.2.9-h1.

CVE 2024-3385, another (fixed) flaw in PAN-OS

This notice comes two days after another vulnerability was discovered. discovered in PAN-OS.

Registered as CVE2024-3385, the high-severity flaw was spotted in a Palo Alto Networks PAN-OS software packet processing mechanism included in the PA-5400 and PA-7000 series firewalls. It allows a remote attacker to restart hardware firewalls and can lead to a denial of service (DoS) attack.

This issue has been fixed in PAN-OS 9.0.17-h4, PAN-OS 9.1.17, PAN-OS 10.1.12, PAN-OS 10.2.8, PAN-OS 11.0.3 and all later versions of PAN- BONE.

Leave a comment