First published: 12 Apr 2024
Last updated: 03 May 2024

Content written for

Small & medium business
Large organisations & infrastructure

This alert has been written for the IT teams of organisations and government.

Background / What has happened?

  • UPDATE 03/05/2024 - Palo Alto is aware of proof-of-concept by third parties of post exploit persistence techniques that survive resets and upgrades. Palo Alto is not aware at this time of any malicious attempts to use these persistence techniques in active exploitation of vulnerability. The Threat Prevention signatures completely prevent the initial remote command execution, stopping subsequent post-exploitation or persistence.
  • UPDATE 17/04/2024 - In earlier versions of Palo Alto’s advisory, disabling device telemetry was listed as a secondary mitigation action. Disabling device telemetry is no longer an effective mitigation. Device telemetry does not need to be enabled for PAN-OS firewalls to be exposed to attacks related to this vulnerability. Further mitigation advice is provided at CVE-2024-3400 PAN-OS: OS Command Injection Vulnerability in GlobalProtect (paloaltonetworks.com)
  • ASD’s ACSC is aware of a vulnerability in Palo Alto’s PAN-OS products.
  • This issue is applicable only to PAN-OS 10.2, PAN-OS 11.0, and PAN-OS 11.1 firewalls configured with GlobalProtect gateway or GlobalProtect portal (or both). Device telemetry does not need to be enabled for PAN-OS firewalls to be exposed to attacks related to this vulnerability.
  • CVE-2024-3400 allows for an unauthenticated attacker to execute arbitrary code with root privileges on the firewall
  • ASD’s ACSC is aware of exploitation of this CVE

Mitigation / How do I stay secure?

  • Australian organisations who have a Palo Alto Threat Prevention subscription can block attacks for this vulnerability by enabling Threat ID 95187, 95189 and 95191 (available in Applications and Threats content version 8836-8695 and later).
  • Additionally, customers must ensure vulnerability protection has been applied to their GlobalProtect interface to prevent exploitation of this issue on their device.
  • Further mitigation advice can found at the vendor notification at CVE-2024-3400 PAN-OS: OS Command Injection Vulnerability in GlobalProtect Gateway (paloaltonetworks.com)

Assistance / Where can I go for help?

The ASD's ACSC is monitoring the situation and is able to provide assistance and advice as required. Organisations or individuals that have been impacted or require assistance can contact us via 1300 CYBER1 (1300 292 371).

Was this information helpful?

Thanks for your feedback!

Optional

Tell us why this information was helpful and we’ll work on making more pages like it