Potential CVE-2024-3400 Exploitation - Palo Alto GlobalProtect OS Command Injection

 1title: Potential CVE-2024-3400 Exploitation - Palo Alto GlobalProtect OS Command Injection
 2id: f130a5f1-73ba-42f0-bf1e-b66a8361cb8f
 3status: experimental
 4description: |
 5    Detects potential exploitation attempts of CVE-2024-3400 - an OS command injection in Palo Alto GlobalProtect.
 6    This detection looks for suspicious strings that indicate a potential directory traversal attempt or command injection.    
 7references:
 8    - https://security.paloaltonetworks.com/CVE-2024-3400
 9    - https://labs.watchtowr.com/palo-alto-putting-the-protecc-in-globalprotect-cve-2024-3400/
10    - https://attackerkb.com/topics/SSTk336Tmf/cve-2024-3400/rapid7-analysis
11author: Nasreddine Bencherchali (Nextron Systems)
12date: 2024/04/18
13modified: 2024/04/25
14tags:
15    - attack.initial_access
16    - attack.persistence
17    - attack.privilege_escalation
18    - attack.defense_evasion
19    - cve.2024.3400
20logsource:
21    category: appliance
22    product: paloalto
23    service: globalprotect
24    definition: 'Requirements: Palo Alto GlobalProtect "mp-log" and "gpsvc.log" log files need to be ingested'
25detection:
26    keywords_generic:
27        - 'failed to unmarshal session(../'
28        - 'failed to unmarshal session(./../'
29        - 'failed to unmarshal session(/..'
30        - 'failed to unmarshal session(%2E%2E%2F'
31        - 'failed to unmarshal session(%2F%2E%2E'
32        - 'failed to unmarshal session(%2E%2F%2E%2E%2F'
33        - 'failed to unmarshal session(%252E%252E%252F'
34        - 'failed to unmarshal session(%252F%252E%252E'
35        - 'failed to unmarshal session(%252E%252F%252E%252E%252F'
36    keywords_telemetry_exploit:
37        - '{IFS}'
38        - 'base64'
39        - 'bash'
40        - 'curl'
41        - 'http'
42    keywords_telemetry_path:
43        - '/opt/panlogs/tmp/device_telemetry/'
44    condition: keywords_generic or all of keywords_telemetry_*
45falsepositives:
46    - Unknown
47level: high

References

• CVE-2024-3400 PAN-OS: Arbitrary File Creation Leads to OS Command Injection Vulnerability in GlobalProtect

  

  A command injection as a result of arbitrary file creation vulnerability in the GlobalProtect feature of Palo Alto Networks PAN-OS software for specific PAN-OS versions and distinct feature configurat...

  
  Read More

• Palo Alto - Putting The Protecc In GlobalProtect (CVE-2024-3400)

  

  Welcome to April 2024, again. We’re back, again. Over the weekend, we were all greeted by now-familiar news—a nation-state was exploiting a “sophisticated” vulnerability for full compromise in yet another enterprise-grade SSLVPN device. We’ve seen all the commentary around the certification process of these devices for certain

  
  Read More

• CVE-2024-3400 | AttackerKB

  

  On April 12, 2024, Palo Alto Networks published an advisory for a critical unauthenticated command injection vulnerability affecting several recent versions of…

  
  Read More

Related rules

• Github New Secret Created
• Github Self Hosted Runner Changes Detected
• Password Provided In Command Line Of Net.EXE
• Cisco BGP Authentication Failures
• Cisco LDP Authentication Failures