Corvus Insights Blog | Smart Cyber Insurance

The Impact of the Palo Alto GlobalProtect Vulnerability | April 2024

Written by Corvus Threat Intel & Risk Advisory | 04.17.24

Palo Alto GlobalProtect Vulnerability Overview

 

Vulnerability Update

(4/17/2024) Threat actors have begun exploiting vulnerabilities in Palo Alto GlobalProtect Products and exploit code is publicly available. If your organization has not already, we recommend taking mitigating action immediately as widespread exploitation is likely imminent. In addition, after reporting that temporarily disabling device telemetry would be adequate mitigation, Palo Alto now reports “Device telemetry does not need to be enabled for PAN-OS firewalls to be exposed to attacks related to this vulnerability”. Disabling device telemetry is not a sufficient mitigating action. Security patches are now available and should be applied as soon as possible.

Impacted Operating Systems 

The vulnerability affects the following Palo Alto GlobalProtect versions:

  • PAN-OS 11.1 (versions before 11.1.2-h3, 11.1.0-h3, 11.1.1-h1) 
    • Upgrade to 11.1.2-h3, 11.1.0-h3, 11.1.1-h1 or newer

  • PAN-OS 11.0 (versions before 11.0.4-h1, 11.0.2-h4, 11.0.3-h10) 
    • Upgrade to 11.0.4-h1, 11.0.2-h4, 11.0.3-h10

  • PAN-OS 10.2 (versions before 10.2.9-h1, 10.2.5-h6, 10.2.7-h8, 10.2.8-h3) 
    • Upgrade to 10.2.9-h1, 10.2.5-h6, 10.2.6-h3, 10.2.7-h8, 10.2.8-h3 

A list of additional future upgrade and hotfix release dates can be found in Palo Alto’s CVE report.

Vulnerability Update

(4/16/2024) Fixes for the vulnerability are now available in the following versions -

  • PAN-OS 10.2.9-h1
  • PAN-OS 11.0.4-h1
  • PAN-OS 11.1.2-h3

Patches for other commonly deployed maintenance releases are expected to be released over the next few days. We recommend installing a patch or taking other mitigating action as soon as possible.

Background Information

Palo Alto Networks disclosed a critical security flaw (CVE-2024-3400) in its GlobalProtect products that is likely being exploited in the wild. Palo Alto GlobalProtect products are used to set up secure remote access to a company’s systems including VPN functionality. The vulnerability allows for an unauthenticated attacker to execute arbitrary code or commands. Security patches are expected to be released on April 14, 2024, and should be applied as soon as possible.

Impact of the Vulnerability

The vulnerability affects the following versions:

  • PAN-OS 11.1 (versions before 11.1.2-h3) - Upgrade to 11.1.2-h3 (estimated release: April 14, 2024)
  • PAN-OS 11.0 (versions before 11.0.4-h1) - Upgrade to 11.0.4-h1 (estimated release: April 14, 2024)
  • PAN-OS 10.2 (versions before 10.2.9-h1) - Upgrade to 10.2.9-h1 (estimated release: April 14, 2024)

Attackers can gain a foothold into the network by executing arbitrary code or commands against unpatched devices. From there the attacker would be able to conduct further exploitation and potentially move around the network. Corvus has observed similar vulnerabilities lead to ransomware attacks. Impacted organizations should apply a security patch as soon as it is available.

Next Steps

  1. Ensure you install the latest available fixed version of PAN-OS when it is released.
  2. If you aren’t able to patch right away, available workarounds are the following:
    • If you are a Palo Alto customer with a Threat Prevention subscription, enable Threat ID 95187 (introduced in Applications and Threats content version 8833-8682). You must also ensure vulnerability protection has been applied to the GlobalProtect interface to prevent exploitation of this issue on your device.