Potential CVE-2024-3400 Exploitation - Palo Alto GlobalProtect OS Command Injection - File Creation

Detects suspicious file creations in the Palo Alto Networks PAN-OS' parent telemetry folder, which are processed by the vulnerable 'dt_curl' script if device telemetry is enabled. As said script overrides the shell-subprocess restriction, arbitrary command execution may occur by carefully crafting filenames that are escaped through this function.

Sigma rule (View on GitHub)

 1title: Potential CVE-2024-3400 Exploitation - Palo Alto GlobalProtect OS Command Injection - File Creation
 2id: bcd95697-e3e7-4c6f-8584-8e3503e6929f
 3status: experimental
 4description: |
 5    Detects suspicious file creations in the Palo Alto Networks PAN-OS' parent telemetry folder, which are processed by the vulnerable 'dt_curl' script if device telemetry is enabled.
 6    As said script overrides the shell-subprocess restriction, arbitrary command execution may occur by carefully crafting filenames that are escaped through this function.    
 7references:
 8    - https://labs.watchtowr.com/palo-alto-putting-the-protecc-in-globalprotect-cve-2024-3400/
 9    - https://nvd.nist.gov/vuln/detail/CVE-2024-3400
10author: Andreas Braathen (mnemonic.io)
11date: 2024-04-25
12tags:
13    - attack.execution
14    - cve.2024-3400
15    - detection.emerging-threats
16logsource:
17    product: paloalto
18    service: globalprotect
19    category: file_event
20    definition: 'Requirements: file creation events need to be ingested from the Palo Alto GlobalProtect appliance'
21detection:
22    selection:
23        TargetFilename|contains:
24            - '{IFS}'
25            - 'base64'
26            - 'bash'
27            - 'curl'
28            - 'http'
29        TargetFilename|startswith: '/opt/panlogs/tmp/device_telemetry/'
30    condition: selection
31falsepositives:
32    - The PAN-OS device telemetry function does not enforce a standard filename convention, but observations are unlikely.
33level: medium

References

Related rules

to-top