BIPI

CVE-2024-3400: Inside the Palo Alto Firewall Zero-Day Exploitation

Cybersecurity

A command injection flaw in Palo Alto PAN-OS GlobalProtect allowed unauthenticated remote code execution as root. Threat actor UTA0218 weaponized the bug before a patch existed.

By Arjun Raghavan, Security & Systems Lead, BIPI · November 1, 2024 · 9 min read

#zero-day #cve-2024-3400 #palo-alto #firewall #pan-os

CVE-2024-3400 is a command injection vulnerability in the GlobalProtect Gateway feature of Palo Alto Networks PAN-OS. Assigned a CVSS 3.1 base score of 10.0, it permits an unauthenticated attacker to execute arbitrary OS commands with root privileges on the affected firewall. Volexity discovered active exploitation in mid-April 2024, and Palo Alto confirmed zero-day status the same day.

Vulnerability Mechanics: Two Bugs Chained Together

The root cause is a combination of an arbitrary file creation issue (in session ID handling) and an OS command injection sink (in scheduled job processing). The GlobalProtect Gateway accepts a session cookie whose value is written to disk without sanitization. An attacker crafts a session ID containing shell metacharacters; that value is later interpolated into a cron-style job invocation, executing arbitrary commands. Neither step alone is exploitable, but the chain yields unauthenticated RCE as root.

Affected Versions

  • PAN-OS 10.2 prior to 10.2.9-h1
  • PAN-OS 11.0 prior to 11.0.4-h1
  • PAN-OS 11.1 prior to 11.1.2-h3
  • Cloud NGFW and Panorama are NOT affected
  • Telemetry must be enabled for the write-path to be reachable (enabled by default)

Threat Actor UTA0218

Volexity attributed exploitation to a cluster it tracks as UTA0218, assessed with moderate confidence to be a state-sponsored actor. The group deployed a Python-based implant named UPSTYLE on compromised firewalls. UPSTYLE hooks into the nginx process running on the device, allowing the actor to issue backdoor commands over existing HTTPS traffic, making the implant exceptionally difficult to detect with standard network monitoring.

Exploitation Timeline

  1. March 26, 2024: First evidence of exploitation in Volexity telemetry
  2. April 10, 2024: Volexity notifies Palo Alto Networks
  3. April 12, 2024: Palo Alto publishes advisory with CVE-2024-3400 assigned
  4. April 14, 2024: Hotfix patches released for PAN-OS 10.2, 11.0, and 11.1
  5. April 16, 2024: PoC code begins circulating on public repositories
  6. April 19, 2024: CISA adds to Known Exploited Vulnerabilities catalog

UTA0218 deployed the UPSTYLE implant inside the PAN-OS nginx process, hiding C2 traffic inside legitimate HTTPS sessions already passing through the firewall.

Post-Exploitation Observed Behavior

  • Exfiltration of firewall configuration including credentials
  • Lateral movement to internal hosts via stolen VPN credentials
  • Deployment of additional tooling from actor-controlled infrastructure
  • Modification of firewall filesystem to persist UPSTYLE across reboots

Detection: Log Artifacts to Hunt

Defenders should query GlobalProtect logs for session IDs containing shell metacharacters: semicolons, backticks, pipe characters, or dollar signs embedded in the session cookie field. Palo Alto's Threat Prevention signature ID 95187 blocks known exploit attempts. Unexpected outbound connections from the management plane or nginx process are a high-fidelity indicator of UPSTYLE presence.
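One way to run that hunt over exported logs, as an added example that is not the author's or Palo Alto's tooling: it assumes a simple key=value log layout with a `session_id` field (a constructed stand-in for the real GlobalProtect log format) and percent-decodes the value before checking, since an encoded metacharacter would slip past a literal match on the raw field.

```python
import re
from urllib.parse import unquote

# Metacharacters the article tells defenders to hunt for in the session cookie field.
SHELL_META = re.compile(r"[;`|$]")
# Assumed key=value layout (see lead-in): grab the session_id and src values.
SESSION_FIELD = re.compile(r"\bsession_id=(\S+)")
SRC_FIELD = re.compile(r"\bsrc=(\S+)")

# Constructed sample entries in that assumed layout, not real PAN-OS log output.
SAMPLE_LOGS = [
    "ts=2024-04-11T03:14:02Z src=203.0.113.10 event=gp_session session_id=a1b2c3d4e5f6 result=ok",
    "ts=2024-04-11T03:15:44Z src=198.51.100.7 event=gp_session session_id=abc`def result=fail",
    "ts=2024-04-11T03:16:01Z src=198.51.100.7 event=gp_session session_id=x%3By result=fail",
    "ts=2024-04-11T03:17:30Z src=203.0.113.22 event=gp_session session_id=9f8e7d6c5b4a result=ok",
    "ts=2024-04-11T03:18:05Z src=203.0.113.22 event=gp_session result=fail",
]

def is_suspicious(session_id: str) -> bool:
    """True if the session id carries a shell metacharacter once percent-decoded.

    Decoding twice catches both single (%3B) and double (%253B) URL encoding,
    which a literal match on the raw field would miss.
    """
    decoded = unquote(unquote(session_id))
    return SHELL_META.search(decoded) is not None

def hunt(lines):
    """Return (line_no, src, raw_session_id) for every flagged entry."""
    hits = []
    for n, line in enumerate(lines, 1):
        m = SESSION_FIELD.search(line)
        if not m:
            continue  # no session cookie field on this line
        sid = m.group(1)
        if is_suspicious(sid):
            src = SRC_FIELD.search(line)
            hits.append((n, src.group(1) if src else None, sid))
    return hits

def sources_by_hits(hits):
    """Count flagged entries per source address to prioritise triage."""
    counts = {}
    for _, src, _ in hits:
        counts[src] = counts.get(src, 0) + 1
    return counts
```

Any hit is worth pivoting on: pull every other log line for that source address and check the appliance for the UPSTYLE indicators described above.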

Immediate Mitigations Before Patching

  1. Disable device telemetry (Device > Setup > Telemetry) as a temporary workaround
  2. Apply Threat Prevention rule to block the exploit if license is active
  3. Restrict GlobalProtect management access to known source IPs
  4. Apply the hotfix as the only complete remediation

  • Enable integrity monitoring on appliance file systems
  • Feed PAN-OS system logs to SIEM with alerting on process anomalies
  • Subscribe to vendor security advisories with RSS or email push
  • Maintain an emergency patching playbook specifically for perimeter devices
