Palo Alto Networks: Patch Available for PAN-OS Zero-day
Update: As of April 17, 2024, security researchers testing the patch have questioned whether it fully addresses the vulnerability and whether the scope of the attacks is broader than initially believed. Policyholders running PAN-OS should refer to the Palo Alto Networks security advisory for further updates and guidance as the situation continues to evolve. A patch is now available for a zero-day vulnerability affecting Palo Alto Networks PAN-OS software. No public exploit code has been released yet, but threat actors will likely attempt to reverse engineer the patch to develop one.
PAN-OS is the software that runs Palo Alto Networks next-generation firewalls (NGFW). Businesses running a Palo Alto NGFW should check which version of PAN-OS their device is running (the PAN-OS CLI command `show system info` reports it in the `sw-version` field) and apply the vendor hotfix immediately.
What happened?
On April 10, 2024, cybersecurity firm Volexity identified a zero-day vulnerability affecting PAN-OS and alerted the Palo Alto Networks Product Security Incident Response Team (PSIRT).
On April 12, Palo Alto Networks published a security advisory for a command injection vulnerability in the GlobalProtect feature of its PAN-OS software. An unauthenticated attacker exploiting the vulnerability, CVE-2024-3400, can execute arbitrary code with root privileges on the firewall. At the time of the announcement, no patch was available.
On April 15, Palo Alto Networks updated its advisory and released three emergency hotfixes, one for each affected PAN-OS release train:
PAN-OS 10.2.9-h1
PAN-OS 11.0.4-h1
PAN-OS 11.1.2-h3
On April 16, Palo Alto Networks updated its advisory to withdraw its earlier mitigation of disabling device telemetry, which is no longer considered effective, stating, “Device telemetry does not need to be enabled for PAN-OS firewalls to be exposed to attacks related to this vulnerability.”
At this time, only PAN-OS 10.2, 11.0, and 11.1 firewalls with a GlobalProtect gateway or GlobalProtect portal configured are affected. Palo Alto Networks Cloud NGFW, Panorama appliances, Prisma Access, and all other versions of PAN-OS are not impacted.
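To make the version check above concrete, here is an added Python example (not Coalition's or Palo Alto Networks' code) that pulls the `sw-version` value out of PAN-OS `show system info` output and compares it, hotfix suffix included, against the three hotfix builds listed above, returning an upgrade target when the device is below the fix for its train. The device output is constructed for the example, and the hostname, model and serial are placeholders. The fixed-version table assumes only the three hotfixes named on this page; Palo Alto Networks later published hotfixes for earlier maintenance releases in these trains, so keep the table in step with the current advisory.

```python
import re
from typing import Dict, Optional, Tuple

# The three hotfixes from the advisory update, keyed by PAN-OS release train.
# Assumption: later advisory updates added hotfixes for earlier maintenance
# releases; they are not modelled here, so keep this table current.
FIXED_VERSIONS: Dict[Tuple[int, int], str] = {
    (10, 2): "10.2.9-h1",
    (11, 0): "11.0.4-h1",
    (11, 1): "11.1.2-h3",
}

# PAN-OS version strings look like "11.1.2" or "11.1.2-h3" (hotfix suffix).
_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:-h(\d+))?$")


def parse_version(version: str) -> Tuple[int, int, int, int]:
    """Return (major, minor, maintenance, hotfix). A missing hotfix counts as 0,
    so plain 11.1.2 sorts below 11.1.2-h3, which is the comparison we need."""
    match = _VERSION_RE.match(version.strip())
    if not match:
        raise ValueError(f"unrecognised PAN-OS version string: {version!r}")
    major, minor, maint, hotfix = match.groups()
    return (int(major), int(minor), int(maint), int(hotfix or 0))


def is_vulnerable(version: str, globalprotect_configured: bool = True) -> bool:
    """True if the version is below the listed hotfix for its release train.

    Per the advisory, only 10.2, 11.0 and 11.1 firewalls with a GlobalProtect
    gateway or portal configured are affected; anything else returns False.
    """
    parsed = parse_version(version)
    fixed = FIXED_VERSIONS.get(parsed[:2])
    if fixed is None or not globalprotect_configured:
        return False
    return parsed < parse_version(fixed)


def sw_version_from_system_info(text: str) -> Optional[str]:
    """Extract the sw-version value from 'show system info' key: value lines."""
    for line in text.splitlines():
        key, sep, value = line.partition(":")
        if sep and key.strip() == "sw-version":
            return value.strip()
    return None


def assess(system_info: str, globalprotect_configured: bool = True) -> Dict[str, object]:
    """Combine the parse and the comparison into one verdict for a device."""
    version = sw_version_from_system_info(system_info)
    if version is None:
        return {"version": None, "vulnerable": None,
                "action": "could not determine sw-version"}
    vulnerable = is_vulnerable(version, globalprotect_configured)
    fixed = FIXED_VERSIONS.get(parse_version(version)[:2])
    action = (f"upgrade to {fixed} or later" if vulnerable
              else "no action required for CVE-2024-3400")
    return {"version": version, "vulnerable": vulnerable, "action": action}


# Constructed sample output; not captured from a real device.
SAMPLE_SYSTEM_INFO = """\
hostname: fw-edge-01
model: PA-3260
serial: 000000000000
sw-version: 10.2.8
app-version: 8835-8684
"""

if __name__ == "__main__":
    print(assess(SAMPLE_SYSTEM_INFO))
    # Hotfix builds are not vulnerable; later maintenance releases sort above them.
    for v in ("10.2.9-h1", "11.1.2", "11.1.2-h3", "11.1.3", "10.1.9"):
        print(v, "vulnerable" if is_vulnerable(v) else "not vulnerable")
```

The hotfix suffix is the detail that trips up naive string comparison: `"11.1.2-h3" > "11.1.2"` happens to hold lexically, but `"10.2.10" < "10.2.9-h1"` does not, so the numeric tuple compare is what keeps the check honest across maintenance releases.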
How did Coalition respond?
Coalition notified policyholders running PAN-OS on April 12, 2024. Within a few days, exploitation was observed in the wild, and Palo Alto Networks continues to direct its customers to the hotfixes. Businesses using PAN-OS should keep referring to the Palo Alto Networks advisory, as it contains the release timeline for hotfixes that are still pending.
At this time, security researchers have not found public exploit code for this vulnerability. Coalition Security Labs retroactively observed a spike in honeypot activity probing for PAN-OS on April 11, the day after Volexity reported the vulnerability to PSIRT.
The Security Labs team will continue to monitor honeypot activity, as we anticipate that public exploit code is likely to appear in time.
Coalition Security Labs has updated its scanning processes to determine, where possible, which PAN-OS version policyholders are running, though confirming the exact version through external scans is challenging.
Get in Control of cyber risk
As a best practice, we recommend that businesses sign up for alerts from their firewall manufacturer and implement a regular patch cadence so the firewall's software is updated in a timely manner.
Organizations should not hesitate to apply patches promptly, even when the device is critical. Businesses that fall behind on their patch cadence end up hosting vulnerable, internet-exposed devices.
Coalition will continue actively monitoring for risks associated with this vulnerability and send alerts using Coalition Control™. Coalition Control is available for all policyholders, and users can invite their IT team to Control to further support prompt alert reviews and responses.
Any policyholder with questions or concerns regarding PAN-OS can contact our Security Support Center.