GlobalProtect PAN-OS RCE (CVE-2024-3400)
Description
CVE-2024-3400 is a critical arbitrary file creation vulnerability in the GlobalProtect VPN feature of Palo Alto Networks PAN-OS. When GlobalProtect gateway or portal configurations are enabled, an unauthenticated remote attacker can exploit this vulnerability to create malicious files on the system, leading to command injection and arbitrary code execution with root privileges. This vulnerability affects specific PAN-OS versions and represents an active exploitation risk.
Remediation
Immediately upgrade affected PAN-OS installations to patched versions as specified in the Palo Alto Networks security advisory. If immediate patching is not possible, apply the vendor-provided threat prevention signatures (Threat IDs 95187, 95189, and 95191) to block exploitation attempts. Review system logs for indicators of compromise, including unusual file creation in temporary directories and unexpected command execution. Note that disabling device telemetry is NOT an effective mitigation for this vulnerability. Consult the official Palo Alto Networks advisory at https://security.paloaltonetworks.com/CVE-2024-3400 for the complete list of affected versions and corresponding patch releases.