CVE-2024-3400 Detection: A Maximum Severity Command Injection PAN-OS Zero-Day Vulnerability in GlobalProtect Software

A novel command injection zero-day vulnerability in the GlobalProtect feature of Palo Alto Networks PAN-OS software hits the headlines. The highly critical flaw, identified as CVE-2024-3400, has been already exploited in a series of attacks in the wild.

Detect CVE-2024-3400 Exploitation Attempts

The number of vulnerabilities weaponized for in-the-wild attacks increases tremendously on a yearly basis, with over 30K new flaws being discovered solely in 2023. This makes the Detection of Vulnerability Exploitation one of the most trending cybersecurity use cases. To help cyber defenders address emerging threats on time and defend proactively, SOC Prime Platform for collective cyber defense offers a complete product suite for AI-powered Detection Engineering, Automated Threat Hunting & Detection Stack Validation. 

Backed by the world’s largest Detection-as-Code library of algorithms, addressing any cyber attack or emerging threat under a 24-hour SLA, security professionals can seamlessly identify malicious activity and streamline the investigation to spot intrusions in the earliest stages.

In view of the active exploitation of a critical zero-day vulnerability impacting Palo Alto Networks Firewalls, SOC Prime Team created a set of detection algorithms to identify possible CVE-2024-3400 exploitation attempts based on the available PoC.

Possible CVE-2024-3400 (Palo Alto PAN-OS Command Injection Vulnerability) Exploitation Attempt

Both rules in the set are compatible with 28 SIEM, EDR, and Data Lake technologies and mapped to the MITRE ATT&CK® framework v14.1. Additionally, detections are enriched with extensive metadata and detailed CTI. 

To stay on track and don’t miss valuable updates, cyber defenders can check for new relevant rules addressing CVE-2024-3400 exploits by hitting the Explore Detections button below.

Explore Detections

CVE-2024-3400 Analysis

A novel critical CVE-2024-3400 zero-day vulnerability in Palo Alto Networks Firewalls comes to the spotlight with the highest CVSS score of 10.0. The unveiled command injection vulnerability affects specific PAN-OS versions (10.2, 11.0, and 11.1) along with certain feature configurations. However, Cloud NGFW, Panorama appliances, and Prisma Access are not within the CVE-2024-3400 scope of impact.

As per the vendor advisory, if certain conditions for exploitation are met, the vulnerability could potentially enable arbitrary code execution with root privileges on the firewall. Patches for CVE-2024-3400 have been made available for some impacted versions as of April 14, 2024.

Palo Alto Networks states that CVE-2024-3400 can be exploited in the wild in a series of cyber attacks. Volexity researchers track related adversaries under the alias UTA0218. Attackers can weaponize the flaw within GlobalProtect by remotely exploiting the firewall device, establishing a reverse shell, and downloading additional tools onto the compromised device, like a Golang-based tunneling utility dubbed GOST.

Over the course of the CVE-2024-3400 investigation, Volexity has observed attackers’ attempts to implant a Python backdoor, dubbed UPSTYLE, on the firewall. The malware facilitates the execution of supplementary commands on the device through meticulously crafted network requests. 

Upon successful CVE-2024-3400 exploitation, UTA0218 adversaries download an additional offensive toolkit from their remote servers to spread the infection further. They apply lateral movement, proceed with extracting sensitive data, and potentially rely on reconnaissance activity to detect systems exposed to attacks. 

As CVE-2024-3400 mitigation steps, defenders recommend promptly updating the vendor-provided patch. The vendor also advises customers with a Threat Prevention subscription to thwart attacks weaponizing the flaw by employing Threat IDs 95187, 95189, and 95191 while ensuring that vulnerability protection measures have been implemented. Palo Alto Networks has also crafted a specific CLI command for users to instantly check for any signs of intrusions, which can be found in the related vendor advisory. 

With the CVE-2024-3400 PoC code public disclosure and increasing risks of in-the-wild attacks, the newly uncovered zero-day vulnerability requires ultra-responsiveness from defenders. SOC Prime’s Attack Detective offers a proactive SaaS solution to continuously risk-optimize the organization’s cybersecurity posture with automated detection stack validation and advanced threat hunting capabilities, enabling teams to investigate incidents rather than never-ending streams of alerts and efficiently reduce blind spots in detection coverage.