Understanding CVE-2024-3400 in PAN-OS GlobalProtect
Palo Alto Networks recently announced a critical vulnerability (CVE-2024-3400) affecting their PAN-OS software, specifically within the GlobalProtect functionality, with a CVSSv4.0 Base Score of 10. This vulnerability impacts PAN-OS versions 10.2, 11.0, and 11.1 when configured with GlobalProtect. CISA has added this vulnerability to its KEV (Known Exploited Vulnerabilities) Catalog, indicating evidence of active exploitation. The issue arises from improper input validation, allowing arbitrary file creation and remote command execution with root privileges on affected firewalls. Palo Alto Networks took proactive measures by promptly removing the vulnerable software version from the AWS Marketplace. At Traceable, we promptly released protection rules to the Traceable Platform to detect exploitation attempts against this vulnerability. For further analysis, we recommend the comprehensive reverse engineering analysis conducted by watchTowr Labs and the post-exploitation analysis done by the Volexity team.
STEP 1: Unmarshal Reflection
The vulnerability is classified under CWE-470: the server constructs file paths directly from the SESSID cookie value and then performs file operations on the resulting path, which makes directory traversal possible. Example: sending the header

Cookie: SESSID=foo/bar;

produces the following error in the logs:

"message":"failed to load file /tmp/sslvpn/session_foo/bar,

This shows that the cookie value is embedded in a file path, so a session ID containing slashes and dots can potentially traverse directories. Researchers found that by manipulating the session ID cookie, they could trigger file operations executed with root privileges. Even if the requested file did not exist, the system created a zero-byte file at that path. By crafting a specific HTTP request, they attempted to write a file to a location accessible without authentication.
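The log message above is the one defender-visible artefact this step leaves behind, so a simple way to spot it is to pull the session ID back out of the path and check whether it has the shape a real session token would have. This is an added example, not code from the original post or from Palo Alto Networks; the JSON log layout, the sample lines and the allowed token format are assumptions for the example.

```python
import json
import re

# Constructed sample log lines (not real PAN-OS output). Only the
# "/tmp/sslvpn/session_" path fragment comes from the post; the surrounding
# JSON layout is an assumption for this example.
SAMPLE_LOGS = [
    '{"level":"error","message":"failed to load file /tmp/sslvpn/session_abc123def456"}',
    '{"level":"error","message":"failed to load file /tmp/sslvpn/session_foo/bar"}',
    '{"level":"error","message":"failed to load file /tmp/sslvpn/session_../../../opt/x"}',
    '{"level":"info","message":"session established"}',
]

# Everything after "session_" is whatever the client put in the SESSID cookie.
SESSION_PATH = re.compile(r"failed to load file /tmp/sslvpn/session_(?P<sid>.*)$")

# Assumed shape of a legitimate session id: an alphanumeric token, no path or
# shell metacharacters. Anything else is flagged.
SAFE_SID = re.compile(r"[A-Za-z0-9]{1,64}")


def extract_session_id(line: str):
    """Return the session id embedded in a 'failed to load file' log line, else None."""
    try:
        record = json.loads(line)
    except ValueError:
        return None
    match = SESSION_PATH.search(record.get("message", ""))
    return match.group("sid") if match else None


def is_suspicious(session_id: str) -> bool:
    """True when the id contains characters a real token would never carry."""
    return SAFE_SID.fullmatch(session_id) is None


def find_suspicious(lines):
    """Return (line_number, session_id) for every line whose id looks like traversal."""
    hits = []
    for number, line in enumerate(lines, start=1):
        session_id = extract_session_id(line)
        if session_id is not None and is_suspicious(session_id):
            hits.append((number, session_id))
    return hits


if __name__ == "__main__":
    for number, session_id in find_suspicious(SAMPLE_LOGS):
        print(f"line {number}: suspicious SESSID {session_id!r}")
```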
STEP 2: Telemetry Python
Analysis of the Python code handling these commands unveiled a flaw where the shell was set to execute user-controlled input. By crafting a specific session ID and uploading a file to a temporary directory used by the telemetry system, the researchers were able to inject a filename into the curl command, leading to command execution. They overcame challenges such as space truncation by leveraging shell variables, demonstrating control and enabling command execution. GitHub user 0x0d3ad has published a proof of concept. As is evident from the payload, the SESSID cookie value can be manipulated with a command injection, which is then concatenated into a string and ultimately executed as a shell command.
Mitigation
At Traceable ASPEN, we believe in continuously learning from software vulnerabilities and educating others to apply these lessons to improve other products and services. With that in mind, let's examine security measures that should be considered to mitigate the risks associated with this type of vulnerability.
- Input Validation and Sanitization: Validate and sanitize all user inputs, especially those used to construct file paths or execute commands. Ensure that inputs are properly validated to prevent directory traversal attacks and command injections.
- The session ID should’ve been sanitized before it was used in subsequent methods.
- Safe File Operations: Use secure file handling techniques to prevent unauthorized access and manipulation of files. Avoid constructing file paths dynamically based on user inputs and instead use predefined, safe locations for file operations.
- The unmarshal reflection is a clear example of unsafe file operations. When file paths are dynamically created from user input, it opens the door to all kinds of path traversal.
- Least Privilege Principle: Follow the principle of least privilege by restricting the permissions of your application and server processes. Avoid granting unnecessary privileges, especially root or administrative privileges, which can exacerbate the impact of security vulnerabilities.
- Example: in PAN-OS, the unmarshalling of user input and the subsequent file operations run as root, which should not have been the case.
- Monitoring and Logging: Implement comprehensive monitoring and logging mechanisms to detect and respond to security incidents promptly. Monitor system and application logs for suspicious activities, such as unauthorized file access or command executions, and set up alerts for potential security breaches.
- Any kind of unusual file access should be logged so that the exact damage caused by a vulnerability is known and appropriate measures can be taken.
- Secure Configuration Management: Ensure that your server and application configurations are securely managed and hardened against security threats. Implement secure configuration practices, such as disabling unnecessary services, applying security patches promptly, and configuring firewalls and access controls effectively.
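The first two items above (input validation, and not building file paths from user input) can be shown side by side: the unsafe concatenation the post describes next to a version that allow-lists the token and then confirms the resolved path never leaves the session directory. This is an added example, not code from the original post or from PAN-OS; the /tmp/sslvpn directory name comes from the log message quoted earlier, while the session id format and function names are assumptions.

```python
import os
import re

SESSION_DIR = "/tmp/sslvpn"                        # directory seen in the quoted log line
SESSION_ID_RE = re.compile(r"[A-Za-z0-9]{16,64}")  # assumed legitimate token format


def vulnerable_session_path(sessid: str) -> str:
    # Mirrors the unsafe pattern described in the post: the raw cookie value is
    # concatenated into the path, so '/' and '..' in SESSID escape SESSION_DIR.
    return f"{SESSION_DIR}/session_{sessid}"


class InvalidSessionId(ValueError):
    """Raised when a session id fails validation or confinement."""


def safe_session_path(sessid: str, base_dir: str = SESSION_DIR) -> str:
    # 1. Allow-list the token shape before it is ever used in a path.
    if SESSION_ID_RE.fullmatch(sessid) is None:
        raise InvalidSessionId("session id has unexpected characters or length")
    # 2. Defence in depth: resolve the path and confirm it stays under base_dir,
    #    so even a future relaxation of the regex cannot turn into traversal.
    base = os.path.realpath(base_dir)
    path = os.path.realpath(os.path.join(base, f"session_{sessid}"))
    if os.path.commonpath([base, path]) != base:
        raise InvalidSessionId("resolved path escapes the session directory")
    return path


def session_path_or_none(sessid: str):
    """Convenience wrapper: the confined path, or None when the id is rejected."""
    try:
        return safe_session_path(sessid)
    except InvalidSessionId:
        return None


if __name__ == "__main__":
    for candidate in ["abcdef0123456789", "foo/bar", "../../../opt/x"]:
        print(f"{candidate!r:>20}: unsafe -> {vulnerable_session_path(candidate)}")
        print(f"{'':>20}  safe   -> {session_path_or_none(candidate)}")
```

The least-privilege item is orthogonal to this check: even with the confinement in place, the process that opens the file should not be running as root.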
Workarounds and Mitigations
It is strongly advised to upgrade immediately to a fixed version of PAN-OS to protect the devices, even where workarounds and mitigations have already been applied. This issue is fixed in the hotfix releases PAN-OS 10.2.9-h1, PAN-OS 11.0.4-h1 and PAN-OS 11.1.2-h3, and in all later PAN-OS versions. Hotfixes for other commonly deployed maintenance releases will also be made available to address this issue. At Traceable, we continuously monitor for new CVEs and threats to ensure that our customers are protected against vulnerabilities and attacks. CVE-2024-3400 is no different: as of 17th April, all Traceable customers are protected against CVE-2024-3400. We continue to look for blocked exploitation attempts via our Omnitrace Engine and will reach out to customers who are targeted. If you want to get the Traceable advantage with our leading API security platform, you can schedule a demo today.
About Traceable
Traceable is the industry’s leading API Security company helping organizations achieve API visibility and attack protection in a cloud-first, API-driven world. Traceable is the only intelligent and context-aware solution that powers complete API security – API discovery and posture management, API security testing, attack detection and threat hunting, and attack protection anywhere your APIs live. Traceable enables organizations to minimize risk and maximize the value that APIs bring their customers. To learn more about how API security can help your business, book a demo with a security expert.