A critical zero-day vulnerability in Palo Alto Networks’ PAN-OS software, used in its GlobalProtect gateways, is being exploited in the wild, and no patches are available yet.
Palo Alto Networks issued an alert about the flaw on April 12, 2024, thanking cybersecurity firm Volexity for discovering it.
The vulnerability is a command injection vulnerability in the GlobalProtect feature of Palo Alto Networks’ PAN-OS software for specific PAN-OS versions.
The zero-day has been registered as CVE-2024-3400 and assigned the highest severity score (CVSS of 10.0).
“Distinct function configurations could allow an unauthenticated attacker to execute arbitrary code with root privileges on the firewall,” Palo Alto said in the advisory.
Limited Active Exploitation
The affected versions are the following:
- PAN-OS < 11.1.2-h3
- PAN-OS < 11.0.4-h1
- PAN-OS < 10.2.9-h1
The company also said that the vulnerability can only be exploited on firewalls that have both the GlobalProtect gateway (Network > GlobalProtect > Gateways) and device telemetry (Device > Setup > Telemetry) configurations enabled.
The firm is aware of a limited number of attacks that leverage the exploitation of this vulnerability.
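The following is an added example, not code from Palo Alto Networks or the original article, that triages a firewall inventory against the version bounds and configuration preconditions listed above. It assumes each "<" bound applies only within its own major.minor release train; the host names and inventory entries are constructed.

```python
import re

# First fixed hotfix per release train, taken from the list above.
# Assumption: each "<" bound applies only within its own major.minor train.
FIXED = {(11, 1): (2, 3), (11, 0): (4, 1), (10, 2): (9, 1)}

_VERSION = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:-h(\d+))?$")


def parse_version(text):
    """Split '10.2.9-h1' into ((10, 2), (9, 1)); no hotfix suffix counts as h0."""
    match = _VERSION.match(text.strip())
    if not match:
        raise ValueError(f"unrecognised PAN-OS version: {text!r}")
    major, minor, maint, hotfix = match.groups()
    return (int(major), int(minor)), (int(maint), int(hotfix or 0))


def triage(version, gp_gateway, telemetry):
    """Classify one firewall against the conditions stated in the article."""
    train, build = parse_version(version)
    if train not in FIXED:
        return "not-listed"      # release train is not in the article's list
    if build >= FIXED[train]:
        return "fixed"           # at or above the announced hotfix
    if gp_gateway and telemetry:
        return "exposed"         # affected build and both features enabled
    return "affected-build"      # affected build, preconditions not both met


# Constructed sample inventory: (host, version, GlobalProtect gateway, telemetry)
INVENTORY = [
    ("fw-edge-01", "10.2.9", True, True),
    ("fw-edge-02", "10.2.9-h1", True, True),
    ("fw-dc-01", "11.0.3-h10", True, False),
    ("fw-dc-02", "11.1.2-h3", True, True),
    ("fw-lab-01", "10.1.12", False, False),
]

if __name__ == "__main__":
    for host, version, gateway, telemetry in INVENTORY:
        print(f"{host:<12}{version:<12}{triage(version, gateway, telemetry)}")
```

Comparing the maintenance number and hotfix number as a tuple avoids the string-comparison error where `-h10` would sort before `-h3`.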
Upcoming Fixes for CVE-2024-3400
Although there are no fixes available, Palo Alto issued some mitigation recommendations:
- Apply a vulnerability protection security profile to the GlobalProtect interface to prevent exploitation
- Customers with a Threat Prevention subscription can block attacks for this vulnerability by enabling Threat ID 95187
The firm announced the flaw will be fixed on April 14 in a series of hotfixes for PAN-OS versions 11.1.2-h3, 11.0.4-h1, and 10.2.9-h1.
CVE-2024-3385, Another (Fixed) Flaw in PAN-OS
This advisory comes two days after another vulnerability was discovered in PAN-OS.
Registered as CVE-2024-3385, the high-severity flaw was found in a Palo Alto Networks PAN-OS software packet processing mechanism included in PA-5400 and PA-7000 Series firewalls. It enables a remote attacker to reboot hardware-based firewalls and can lead to a denial of service (DoS) attack.
This issue was fixed in PAN-OS 9.0.17-h4, PAN-OS 9.1.17, PAN-OS 10.1.12, PAN-OS 10.2.8, PAN-OS 11.0.3, and all later PAN-OS versions.