Track SBOM Compliance with Coralogix
A Software Bill of Materials (SBOM) is essentially an inventory of the components used to build a software artifact, such as an application. While the concept…
Whether you are just starting your observability journey or already are an expert, our courses will help advance your knowledge and practical skills.
Expert insight, best practices and information on everything related to Observability issues, trends and solutions.
Explore our guides on a broad range of observability related topics.
On April 12, 2024, Palo Alto disclosed a critical vulnerability identified as CVE-2024-3400 in its PAN OS operating system, which carries the highest severity rating of 10.0 on the CVSS scale. This vulnerability, present in certain versions of Palo Alto Networks’ PAN-OS within the GlobalProtect feature, allows unauthenticated attackers to execute any code with root privileges on the firewall through command injection.
The flaw, which has been actively exploited since at least March 26, 2024, affects approximately 22,500 exposed Palo Alto GlobalProtect firewall devices. The exploit involves command injection triggered by the creation of arbitrary files, posing significant security risks to affected systems.
This vulnerability applies only to
1. PAN-OS 10.2, PAN-OS 11.0 and PAN-OS 11.1 firewall configurations with a
GlobalProtect gateway or GlobalProtect portal (or both)
AND
2. Enabled Device Telemetry
The issue was found by Volexity, a cyber security company, on 10th April in one of its customer environments and shared with Palo Alto on April 12, 2024.
(Above are the timelines as shared by Volexity for the given findings.)
The vulnerability does not affect cloud firewalls (Cloud NGFW), Panorama appliances, or Prisma Access.
This issue is fixed in hotfix releases of PAN-OS 10.2.9-h1, PAN-OS 11.0.4-h1, PAN-OS 11.1.2-h3, and in all later PAN-OS versions. Hotfixes for other commonly deployed maintenance releases will also be made available to address this issue. Please see the details below for ETAs regarding upcoming hotfixes.
– 10.2.9-h1 (Released 4/14/24)
– 10.2.8-h3 (ETA: 4/15/24)
– 10.2.7-h8 (ETA: 4/15/24)
– 10.2.6-h3 (ETA: 4/15/24)
– 10.2.5-h6 (ETA: 4/16/24)
– 10.2.3-h13 (ETA: 4/17/24)
– 10.2.1-h2 (ETA: 4/17/24)
– 10.2.2-h5 (ETA: 4/18/24)
– 10.2.0-h3 (ETA: 4/18/24)
– 10.2.4-h16 (ETA: 4/19/24)
– 11.0.4-h1 (Released 4/14/24)
– 11.0.3-h10 (ETA: 4/15/24)
– 11.0.2-h4 (ETA: 4/16/24)
– 11.0.1-h4 (ETA: 4/17/24)
– 11.0.0-h3 (ETA: 4/18/24)
– 11.1.2-h3 (Released 4/14/24)
– 11.1.1-h1 (ETA: 4/16/24)
– 11.1.0-h3 (ETA: 4/17/24)
Customers with this subscription can block attacks for this vulnerability using Threat ID 95187 (available in Applications and Threats content version 8833-8682 and later).
Customers who don’t have the Threat Prevention subscription or are unable to apply the same can mitigate the vulnerability by Temporarily disabling device telemetry until the device is upgraded to a patched PAN-OS version. Once upgraded, device telemetry will have to be re-enabled on the device. If Panorama manages the firewalls, ensure that device telemetry is disabled in relevant templates (Panorama > Templates).
The Coralogix security team onboarded the above-mentioned IOCs into the Coralogix custom threat intel feed for real-time detection. The team then scanned SRC customer environments with Palo Alto integrations for the aforesaid IOCs.
The Coralogix security team has evaluated if any enhancements and/or additions were needed for our existing detections in light of this vulnerability.
If you need further assistance with respect to this vulnerability, our Security Resource Center (SRC) and Research team would be happy to engage. Please contact your Account Manager, TAM, or SRC SPoC regarding this.
Learn more about Coralogix’s quick start extension for Palo Alto with out-of-the-box security dashboards and alerts.
A Software Bill of Materials (SBOM) is essentially an inventory of the components used to build a software artifact, such as an application. While the concept…
In the fast-paced world of business, timely and accurate incident investigations are crucial. The ability to piece together evidence, understand the timeline, and collaborate effectively is…
In a world where increasing numbers of transactions are done online, compliance with PCI DSS (Payment Card Industry Data Security Standard) is crucial. However, with more…