(4/17/2024) Threat actors have begun exploiting vulnerabilities in Palo Alto GlobalProtect Products and exploit code is publicly available. If your organization has not already, we recommend taking mitigating action immediately as widespread exploitation is likely imminent. In addition, after reporting that temporarily disabling device telemetry would be adequate mitigation, Palo Alto now reports “Device telemetry does not need to be enabled for PAN-OS firewalls to be exposed to attacks related to this vulnerability”. Disabling device telemetry is not a sufficient mitigating action. Security patches are now available and should be applied as soon as possible.
The vulnerability affects the following Palo Alto GlobalProtect versions:
Upgrade to 11.1.2-h3, 11.1.0-h3, 11.1.1-h1 or newer
Upgrade to 11.0.4-h1, 11.0.2-h4, 11.0.3-h10
Upgrade to 10.2.9-h1, 10.2.5-h6, 10.2.6-h3, 10.2.7-h8, 10.2.8-h3
A list of additional future upgrade and hotfix release dates can be found in Palo Alto’s CVE report.
(4/16/2024) Fixes for the vulnerability are now available in the following versions -
Patches for other commonly deployed maintenance releases are expected to be released over the next few days. We recommend installing a patch or taking other mitigating action as soon as possible.
Palo Alto Networks disclosed a critical security flaw (CVE-2024-3400) in its GlobalProtect products that is likely being exploited in the wild. Palo Alto GlobalProtect products are used to set up secure remote access to a company’s systems including VPN functionality. The vulnerability allows for an unauthenticated attacker to execute arbitrary code or commands. Security patches are expected to be released on April 14, 2024, and should be applied as soon as possible.
Attackers can gain a foothold into the network by executing arbitrary code or commands against unpatched devices. From there the attacker would be able to conduct further exploitation and potentially move around the network. Corvus has observed similar vulnerabilities lead to ransomware attacks. Impacted organizations should apply a security patch as soon as it is available.