Potential CVE-2024-3400 Exploitation - Palo Alto GlobalProtect OS Command Injection - File Creation

calendar Apr 25, 2024 · attack.execution cve.2024.3400 detection.emerging_threats  ·
Share on: linkedin copy

Detects suspicious file creations in the Palo Alto Networks PAN-OS' parent telemetry folder, which are processed by the vulnerable 'dt_curl' script if device telemetry is enabled. As said script overrides the shell-subprocess restriction, arbitrary command execution may occur by carefully crafting filenames that are escaped through this function.

Sigma rule (View on GitHub)

 1title: Potential CVE-2024-3400 Exploitation - Palo Alto GlobalProtect OS Command Injection - File Creation
 2id: bcd95697-e3e7-4c6f-8584-8e3503e6929f
 3status: experimental
 4description: |
 5    Detects suspicious file creations in the Palo Alto Networks PAN-OS' parent telemetry folder, which are processed by the vulnerable 'dt_curl' script if device telemetry is enabled.
 6    As said script overrides the shell-subprocess restriction, arbitrary command execution may occur by carefully crafting filenames that are escaped through this function.    
 7references:
 8    - https://labs.watchtowr.com/palo-alto-putting-the-protecc-in-globalprotect-cve-2024-3400/
 9    - https://nvd.nist.gov/vuln/detail/CVE-2024-3400
10author: Andreas Braathen (mnemonic.io)
11date: 2024/04/25
12tags:
13    - attack.execution
14    - cve.2024.3400
15    - detection.emerging_threats
16logsource:
17    product: paloalto
18    service: globalprotect
19    category: file_event
20    definition: 'Requirements: file creation events need to be ingested from the Palo Alto GlobalProtect appliance'
21detection:
22    selection:
23        TargetFilename|contains:
24            - '{IFS}'
25            - 'base64'
26            - 'bash'
27            - 'curl'
28            - 'http'
29        TargetFilename|startswith: '/opt/panlogs/tmp/device_telemetry/'
30    condition: selection
31falsepositives:
32    - The PAN-OS device telemetry function does not enforce a standard filename convention, but observations are unlikely.
33level: medium

References

  • Palo Alto - Putting The Protecc In GlobalProtect (CVE-2024-3400)

    Welcome to April 2024, again. We’re back, again. Over the weekend, we were all greeted by now-familiar news—a nation-state was exploiting a “sophisticated” vulnerability for full compromise in yet another enterprise-grade SSLVPN device. We’ve seen all the commentary around the certification process of these devices for certain


    Read More

  • NVD - CVE-2024-3400

    CVE-2024-3400 Detail Description A command injection as a result of arbitrary file creation vulnerability in the GlobalProtect feature of Palo Alto Networks PAN-OS software for specific PAN-OS vers...


    Read More

Related rules

to-top