DETECTION OVERVIEW

Palo Alto Networks PAN-OS File Creation - CVE-2024-3400

Risk Factors

Palo Alto Networks PAN-OS devices with the GlobalProtect VPN feature include vulnerabilities that have been exploited by threat actors. Exploit code is publicly available, which makes the process of exploiting chained vulnerabilities easier for the attacker. An unauthenticated attacker can run arbitrary code with root privileges to gain control of a PAN-OS device and launch additional attacks on the network.

Kill Chain

Exploitation

Risk Score

Attack Background

The GlobalProtect VPN feature of Palo Alto Networks PAN-OS has a vulnerability that enables an attacker to create an empty file on the vulnerable system with an embedded command in the filename. This vulnerability can be chained with a command injection vulnerability (CVE-2024-3400), which leads to remote code execution (RCE) with root privileges. To create an empty file, an unauthenticated attacker sends a specially designed HTTP request that contains a malicious shell command instead of a valid SESSID cookie to the GlobalProtect web server. As a result, the GlobalProtect web server creates an empty file on the system with the malicious command as the filename.

Mitigation Options

Upgrade to PAN-OS 10.2.9-h1, PAN-OS 11.0.4-h1, PAN-OS 11.1.2-h3 or later PAN-OS versions

MITRE ATT&CK ID

T1190

Professional Services

Partners

Partner Login

Partner Finder

View All Use Cases

View All Industries

View All Integrations

Attack Background

Mitigation Options

MITRE ATT&CK ID

What else can RevealX do for you?

View our Periodic Table of use cases