Overview

CVE-2024-3400, a critical-severity vulnerability in PAN-OS, allows pre-authenticated remote code execution on the GlobalProtect VPN interface via a chained attack (directory traversal + command injection) in Palo Alto Networks firewalls. Though patches have been issued, this is being actively exploited in the wild at the time of this writing. Bishop Fox developed an internal exploit for CVE-2024-3400 and notified our customers before a public proof-of-concept was released. Although Palo Alto Networks provided workarounds and mitigations for use in advance of fixes, Bishop Fox successfully bypassed these.

We’re sharing limited details about the mitigation bypasses in an effort to be maximally useful for defenders, while minimally useful for opportunistic attackers.

Details

This vulnerability allows writing an arbitrarily named file to the underlying filesystem by inserting a payload into an HTTP cookie. This payload is subsequently written as the filename at a controlled location via directory traversal, where the file will later be processed by a cron job that runs a telemetry-related script containing a command injection vulnerability. This allows out-of-band remote code execution as root. To be clear, the Bash command to be executed is contained in the name, not contents, of the aforementioned file.

Workarounds and Mitigations

Palo Alto Networks initially recommended two interim mitigations to help prevent exploits prior to implementing a fix: enabling Threat Prevention and disabling device telemetry. Each of these mitigations was targeted at a single step in the chain: Threat Prevention attempts to block malicious requests containing the directory traversal sequence, and disabling device telemetry prevents exploitation of the now-public command injection payload.

We developed bypasses for both recommended interim mitigations. We were able to successfully evade Threat Prevention signatures, and we identified a new command injection vulnerability which is exploitable even when device telemetry is disabled. We reported these findings, and Palo Alto Networks subsequently updated the advisory to indicate that disabling device telemetry is not a sufficient fix, releasing new Threat Prevention rules aimed at these signature bypasses. We believe that the latest set of Threat Prevention rules (TIDs 95187, 95189, and 95191) are an effective mitigation until a patch can be applied. That said, we have observed multiple misconfigurations that prevented these rules from working, and we therefore highly recommend testing these rules.

You can test whether the Threat Prevention rules are working by observing the response from the following safe HTTP request:

$ curl -k https://<HOST>/ -H ’Cookie: test=../../’

On a system with correctly configured Threat Prevention rules, the above command will show a “connection reset” message. On an incorrectly configured system, the command will return an HTML response.

We have validated that the recommended solution of applying the hotfix patches is a sufficient fix for CVE-2024-3400. The patch adds strict validation to the session cookie, which is sufficient to block the initial exploit vector. 

Therefore, we recommend taking one of the following remediation steps, in order of effectiveness:

• Apply the patch.

• Enable Threat Detection for signature IDs 95187, 95189, and 95191.

• Take the GlobalProtect interface offline until the patch is applied.

• Apply additional IPS rules which block requests to the GlobalProtect interface containing a directory traversal sequence (“../”) anywhere in the HTTP Cookie header.