Decoding the attack: Forensic tips for understanding CVE-2024-3400 exploits

On April 12th, Palo Alto Networks first publicly disclosed details about CVE-2024-3400. On April 16th, they added important details that resulted in a scope increase of potentially affected devices.

Let’s shed some light on this new vulnerability published by Palo Alto Networks. First off, what exactly is CVE-2024-3400? It’s a vulnerability in the GlobalProtect feature of Palo Alto Networks’ PAN-OS software, with the highest severity score of 10.

How does this vulnerability work?

It exploits two bugs in GlobalProtect:

  • The GlobalProtect service did not sufficiently validate the format of session IDs before storing them;
  • The periodically running telemetry jobs incorrectly used those stored filenames as part of a shell command.

This attack happens in two stages:

Stage 1: The attacker sends an HTTP request to GlobalProtect with the SESSID cookie set to a path within the device_telemetry subdirectories. The filename component can include a shell command. The service writes an empty file at that location, with the shell command preserved in the filename.

Stage 2: A legitimate scheduled system job uses the filename in a command, executing the embedded command with elevated privileges.

An attacker could use these bugs to write arbitrary files with root privileges on affected systems, and telemetry scheduled jobs could execute commands embedded in these filenames.

Palo Alto Networks initially suggested either disabling telemetry or applying a content update to the threat prevention profile to mitigate the issue. However, they later clarified that disabling telemetry alone would not resolve the file writing bug. Subsequently, Palo Alto released an additional threat signature to fully prevent unauthorized file writing.

What have we learned?

While conducting forensic investigations on several customer devices, we have observed that attackers tried exploiting this vulnerability in two main ways:

  • Using the arbitrary file write to pass base64-encoded commands that copy the firewall’s running configuration to an accessible folder, then attempting to retrieve it;
  • Using the arbitrary file write to create files with commands embedded in the filename, attempting to get them executed by the telemetry scheduled jobs.

If you are affected by this vulnerability, here are some tips:

The command line provided by Palo Alto Networks, run from the PAN-OS CLI, is useful for detecting exploit attempts, as long as the threat actors haven’t cleared the logs. Here’s the command:

grep pattern "failed to unmarshal session(.\+.\/" mp-log gpsvc.log*

Investigating this attack may be challenging since it requires root access to the firewall or the ability to create a forensic copy of the firewall disk. For deeper forensic insights, you’ll likely need to contact Palo Alto Networks for a session with a root engineer.

During our sessions, the root engineer used UAC (Unix-like Artifacts Collector) with an ad hoc configuration. This provides many useful artefacts, but it will not capture everything you need.

If you are in a session with them, we recommend also retrieving content from the following directories:

  • /var/log/
  • /var/appweb/
  • /opt/panlogs/
  • /etc/cron.d/
  • /usr/local/bin/

These folders may contain critical artefacts related to CVE-2024-3400.

Once you’ve retrieved the files, we suggest starting the investigation by correlating the hits from the Palo Alto Networks command line with the entries in /var/log/nginx/sslvpn_access.log. Matching the two by timestamp can provide further insight into the attacker’s requests and the responses returned by the nginx backend.
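As an added example (not part of this article, and not Palo Alto Networks tooling), the following Python script applies the advisory’s grep pattern to gpsvc.log lines, flags session IDs that traverse into device_telemetry or carry shell metacharacters, and pairs each hit with the sslvpn_access.log requests logged within a few seconds of it. The line layouts and the sample entries are constructed assumptions; adjust the two timestamp regexes to match the real files.

```python
import re
from datetime import datetime, timezone
# Python form of the grep pattern from the advisory's PAN-OS CLI command; group 1 is the raw session ID.
UNMARSHAL_RE = re.compile(r"failed to unmarshal session\((.+)\)")
# Assumed, constructed layouts: gpsvc.log lines start with an ISO-8601 UTC timestamp; access log is nginx combined format.
GPSVC_TS_RE = re.compile(r"^(\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2})Z")
NGINX_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "([^"]*)" (\d{3})')
SHELL_META = set("`$;|&")

def gpsvc_hits(lines):
    """(timestamp, session_id, reasons) for every line matching the advisory pattern."""
    hits = []
    for line in lines:
        m = UNMARSHAL_RE.search(line)
        if not m:
            continue
        sid = m.group(1)
        checks = {"path traversal": "../" in sid,
                  "reaches device_telemetry (stage 2 candidate)": "device_telemetry" in sid,
                  "shell metacharacters in filename": any(c in SHELL_META for c in sid)}
        t = GPSVC_TS_RE.match(line)
        ts = datetime.strptime(t.group(1), "%Y-%m-%dT%H:%M:%S").replace(tzinfo=timezone.utc) if t else None
        hits.append((ts, sid, [k for k, v in checks.items() if v]))
    return hits

def nginx_requests(lines):
    """(timestamp, client_ip, request_line, status) for each parsable access-log line."""
    out = []
    for line in lines:
        m = NGINX_RE.match(line)
        if m:
            out.append((datetime.strptime(m.group(2), "%d/%b/%Y:%H:%M:%S %z"),
                        m.group(1), m.group(3), int(m.group(4))))
    return out

def correlate(gpsvc_lines, access_lines, window_s=5):
    """Attach the nginx requests seen within window_s seconds to each suspicious gpsvc hit."""
    reqs = nginx_requests(access_lines)
    return [{"time": ts, "session_id": sid, "reasons": reasons,
             "requests": [r for r in reqs if ts and abs((r[0] - ts).total_seconds()) <= window_s]}
            for ts, sid, reasons in gpsvc_hits(gpsvc_lines)]

# Constructed sample lines (not real logs); the command inside the session ID is a placeholder.
SAMPLE_GPSVC = [
    "2024-04-11T23:26:08Z [error] failed to unmarshal session(../../../../opt/panlogs/tmp/device_telemetry/minute/`PLACEHOLDER_CMD`) map , EOF",
    "2024-04-11T23:27:00Z [info] session(abc123def456) restored",
]
SAMPLE_ACCESS = [
    '203.0.113.5 - - [11/Apr/2024:23:26:09 +0000] "POST /ssl-vpn/login.esp HTTP/1.1" 502 0 "-" "curl/8.0"',
]
```

Run it against the real gpsvc.log* and sslvpn_access.log contents and review every hit with a non-empty reasons list together with its paired requests.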

For a deeper understanding of this vulnerability and helpful IOCs, we suggest you check out our Frequently Asked Questions page, as well as the articles below:

https://security.paloaltonetworks.com/CVE-2024-3400

https://www.paloaltonetworks.com/blog/2024/04/more-on-the-pan-os-cve

https://attackerkb.com/topics/SSTk336Tmf/cve-2024-3400/rapid7-analysis

https://unit42.paloaltonetworks.com/cve-2024-3400

https://www.volexity.com/blog/2024/04/12/zero-day-exploitation-of-unauthenticated-remote-code-execution-vulnerability-in-globalprotect-cve-2024-3400/