Palo Alto Updates Remediation for Max-Critical Firewall Bug

Though PAN originally described the attacks exploiting the vulnerability as being limited, they are increasingly growing in volume, with more exploits disclosed by outside parties.

Dark Reading Staff, Dark Reading

April 26, 2024

2 Min Read
Palo Alto Networks logo on a smartphone with a red background behind the phone
Source: SOPA Images Limited via Alamy Stock Photo

Palo Alto Networks (PAN) is sharing updated remediation information regarding a max-critical vulnerability that is actively being exploited in the wild.

The vulnerability, tracked as CVE-2024-3400, has a CVSS vulnerability-severity score of 10 out of 10, and can allow an unauthenticated threat actor to execute arbitrary code with root privileges on the firewall device, according to the update.

Present in PAN-OS 10.2, 11.0, and 11.1, the flaw was originally disclosed on April 12 after being discovered by researchers at Volexity.

PAN said that the number of attacks exploiting this vulnerability continue to grow and that "proof of concepts for this vulnerability have been publicly disclosed by third parties."

The company is recommending that customers upgrade to a fixed version of PAN-OS, such as PAN-OS 10.2.9-h1, PAN-OS 11.0.4-h1, PAN-OS 11.1.2-h3, and all later PAN-OS versions, as this will fully protect their devices. PAN has also released additional hotfixes for other deployed maintenance releases.

PAN recommends that in order to mitigate the issue fully, customers should take actions based on suspected activity. For instance, if there has been probing or testing activity, users should update to the latest PAN-OS hotfix, and secure running-configs, create a master key and elect AES-256-GCM. This is defined as there being either no indication of a compromise, or evidence that the vulnerability being tested for on the device (i.e., a 0-byte file has been created and is resident on the firewall, but there's no indication of any known unauthorized command execution).

"PAN-OS hotfixes sufficiently fix the vulnerability," according to the update. "Private data reset or factory reset is not suggested as there is no indication of any known unauthorized command execution or exfiltration of files."

However, if a file on the device has been copied to a location accessible via a Web request (in most cases, the file being copied is running_config.xml, according to PAN), users should perform a private data reset, which eliminates risks of potential misuse of device data. And if there's evidence of interactive command execution (i.e., the presence of shell-based back doors, introduction of code, pulling files, running commands), PAN suggested doing a full factory reset.

About the Author(s)

Dark Reading Staff

Dark Reading

Dark Reading is a leading cybersecurity media site.

Keep up with the latest cybersecurity threats, newly discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

You May Also Like

More Insights