1. About the Vulnerability
1.1 Introduction
The PAN operating system (PAN-OS) is developed by Palo Alto Networks to protect enterprise networks of different sizes and types, with an emphasis on scalability and flexibility. PAN-OS integrates multiple security features, including firewalling, intrusion detection and prevention, and virtual private networking, to defend against network threats.
1.2 Summary
On April 15, 2024, Sangfor FarSight Labs received notification of the command injection vulnerability (CVE-2024-3400) in PAN-OS, classified as critical (CVSS Score 10.0) by NVD.
This vulnerability stems from insufficient filtering of user input in the GlobalProtect feature of PAN-OS. An attacker can exploit it by sending crafted data to achieve remote command execution without authorization, thereby obtaining the highest privileges on the server.
2. Affected Versions
11.1 ≤ PAN-OS < 11.1.2-h3
11.0 ≤ PAN-OS < 11.0.4-h1
10.2 ≤ PAN-OS < 10.2.9-h1
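To turn the ranges above into a patch-status check, the following is an added example (not from the advisory or from Palo Alto Networks) that parses PAN-OS version strings in the major.minor.maint[-hN] form, which is an assumption about the version format, and flags inventory entries that still fall inside an affected range; the hostnames and versions in the sample inventory are constructed.

```python
import re
from typing import Dict, List, Tuple

# Ranges from the advisory: (inclusive lower bound, exclusive upper bound).
AFFECTED_RANGES = [
    ("11.1", "11.1.2-h3"),
    ("11.0", "11.0.4-h1"),
    ("10.2", "10.2.9-h1"),
]

# Assumed format: major.minor[.maint][-hN]; other suffixes are rejected.
_VERSION_RE = re.compile(r"^(\d+)\.(\d+)(?:\.(\d+))?(?:-h(\d+))?$")


def parse_version(text: str) -> Tuple[int, int, int, int]:
    """Parse '11.1.2-h3' into (11, 1, 2, 3) so tuples compare numerically.

    A missing maintenance or hotfix component counts as 0, so '11.1' sorts
    before '11.1.0-h1' and a plain '10.2.9' sorts before '10.2.9-h1'.
    """
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised PAN-OS version: {text!r}")
    major, minor, maint, hotfix = m.groups()
    return (int(major), int(minor), int(maint or 0), int(hotfix or 0))


def is_affected(version: str) -> bool:
    """True if the version lies inside one of the advisory's affected ranges."""
    v = parse_version(version)
    return any(parse_version(lo) <= v < parse_version(hi) for lo, hi in AFFECTED_RANGES)


def triage(inventory: Dict[str, str]) -> List[str]:
    """Given hostname -> version, return the hosts that still need the fix."""
    return sorted(host for host, ver in inventory.items() if is_affected(ver))


if __name__ == "__main__":
    # Constructed sample inventory, not real hosts.
    sample = {
        "fw-edge-01": "11.1.2-h2",  # one hotfix short of the fixed build
        "fw-edge-02": "11.1.2-h3",  # fixed build
        "fw-dc-01": "10.2.8",       # below the 10.2.9-h1 fix
        "fw-lab-01": "10.1.9",      # release train not listed as affected
    }
    print(triage(sample))  # ['fw-dc-01', 'fw-edge-01']
```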
3. Solutions
3.1 Remediation Solutions
3.1.1 Official Solution
Palo Alto Networks has released patches for the affected versions to fix this vulnerability; affected users are advised to obtain the corresponding patches from the following link:
https://live.paloaltonetworks.com/t5/globalprotect-articles/applying-vulnerability-protection-to-globalprotect-interfaces/ta-p/340184
4. Timeline
On April 15, 2024, Sangfor FarSight Labs received notification of the command injection vulnerability (CVE-2024-3400) in PAN-OS.
On April 15, 2024, Sangfor FarSight Labs released a vulnerability alert.