Critical Palo Alto GlobalProtect Vulnerability Exploited (CVE-2024-3400), (Sat, Apr 13th)
2024-4-13 21:33:15 Author: isc.sans.edu(查看原文) 阅读量:45 收藏

On Friday, Palo Alto Networks released an advisory warning users of Palo Alto's Global Protect product of a vulnerability that has been exploited since March [1].

Volexity discovered the vulnerability after one of its customers was compromised [2]. The vulnerability allows for arbitrary code execution. As of today, an exploit has been made public on GitHub. I have not had a chance to test if the exploit is real. I doubt it is real because I hope Palo Alto did apply a bit more due diligence to its products than let a trivial to exploit vulnerability slip in. On the other hand, we have seen similar vulnerabilities from security tool vendors before.

Assume Compromise

According to Volexity, exploit attempts for this vulnerability were observed as early as March 26th. A simple PoC is now publicly available.

Workarounds

GlobalProtect is only vulnerable if telemetry is enabled. Telemetry is enabled by default, but as a "quick fix", you may want to disable telemetry. Palo Alto Threat Prevention subscribers can enable Threat ID 95187 to block the exploit.

Patch

A patch should be available soon (it is not available as I am writing this). Check with Palo Alto for updates.

[1] https://security.paloaltonetworks.com/CVE-2024-3400
[2] https://www.volexity.com/blog/2024/04/12/zero-day-exploitation-of-unauthenticated-remote-code-execution-vulnerability-in-globalprotect-cve-2024-3400

---
Johannes B. Ullrich, Ph.D. , Dean of Research, SANS.edu
Twitter|


文章来源: https://isc.sans.edu/diary/rss/30834
如有侵权请联系:admin#unsafe.sh