
    On April 12, 2024, Palo Alto Networks issued a security advisory regarding a critical vulnerability (CVE-2024-3400) in the PAN-OS software used in its GlobalProtect gateways. CVE-2024-3400 has a CVSS (Common Vulnerability Scoring System) v4.0 score of 10.0, indicating maximum severity, and is reportedly being actively exploited.

    Successful exploitation of the command injection vulnerability in the GlobalProtect feature could enable an unauthenticated attacker to execute arbitrary code with root privileges on the firewall. 

    Impact and Recommendations

    The vulnerability affects PAN-OS versions 11.1 (prior to 11.1.2-h3), 11.0 (prior to 11.0.4-h1), and 10.2 (prior to 10.2.9-h1) on firewalls that have both a GlobalProtect gateway and device telemetry enabled.

    The vulnerability reportedly does not affect other versions of PAN-OS, Cloud NGFW, Panorama appliances, or Prisma Access.

    Palo Alto Networks is developing fixes for PAN-OS 10.2, 11.0, and 11.1, which are expected to be released by April 14, 2024.

    In the meantime, users and administrators with Palo Alto Networks Threat Prevention Subscription are advised to enable Threat ID 95187 and ensure vulnerability protection has been applied to their GlobalProtect interface.

    How Can Customers Use Axonius to Detect CVE-2024-3400

    The Axonius Platform helps organizations identify, prioritize, and remediate vulnerabilities across their entire digital infrastructure, providing context that helps security and IT teams prioritize vulnerability based on asset criticality. This allows organizations to expedite patching and remediation processes. 

    To identify instances of CVE-2024-3400, Axonius customers can start with the platform's Assets module. Because the Assets module already knows each device's OS version, it can surface the impacted firewalls before a dedicated vulnerability assessment tool has a check for the CVE.

    Using a device query, customers can identify the affected devices in two ways:

    1. Searching for devices running affected versions of PAN-OS 10.2, 11.0, or 11.1

    (The preferred OS type field is avoided here because a PAN-OS appliance may be reported there as Linux; the query matches on the OS type distribution field instead.)

    Platform screenshot depicting searching for devices using affected versions of PanOS 10.2, 11.0, 11.1

    AQL: 

    (("specific_data.data.os.type_distribution" == regex("^PanOS 10\.2", "i")) and not ("specific_data.data.os.type_distribution" == regex("^PanOS 10\.2\.9\-h1", "i"))) or (("specific_data.data.os.type_distribution" == regex("^PanOS 11\.0", "i")) and not ("specific_data.data.os.type_distribution" == regex("^PanOS 11\.0\.4\-h1", "i"))) or (("specific_data.data.os.type_distribution" == regex("^PanOS 11\.1", "i")) and not ("specific_data.data.os.type_distribution" == regex("^PanOS 11\.1\.2\-h3", "i")))

    Note that this query matches on string prefixes, not on version order: every 10.2.x, 11.0.x, and 11.1.x release other than the exact fixed build is flagged, including builds newer than the fix (for example, PanOS 10.2.10 would match). That errs toward false positives, which is the right direction for a triage query, but results should be checked against the fixed versions before a device is closed out as remediated.

    2. Searching for devices that a connected vulnerability assessment adapter has already flagged for CVE-2024-3400

    AQL: 

    ("specific_data.data.software_cves" == match([("cve_id" == "CVE-2024-3400")]))
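The version query above approximates "below the fixed hotfix" with prefix regexes, so it cannot tell 10.2.9 from 10.2.10 or 10.2.9-h2. The following Python is an added example, not Axonius code and not part of the original post: it parses PAN-OS version strings in the same "PanOS 10.2.9-h1" form the OS field uses, compares them against the fixed hotfix for each release train, and triages an inventory export. The fixed-version table is taken from the advisory summary above and should be updated as the vendor advisory changes; the inventory records are constructed.

```python
import re
from typing import NamedTuple, Optional

# Fixed hotfix per affected release train, as listed in the advisory summary
# above. Anything in one of these trains below the fixed version is treated
# as affected; release trains not listed are out of scope for this check.
# Update this table as the vendor advisory changes.
FIXED_VERSIONS = {
    (10, 2): "10.2.9-h1",
    (11, 0): "11.0.4-h1",
    (11, 1): "11.1.2-h3",
}

# Accepts "PanOS 10.2.9-h1" (the form the OS field uses above), "PAN-OS 10.2.9-h1",
# or a bare "10.2.9-h1". The -hN hotfix suffix is optional.
_VERSION_RE = re.compile(
    r"^(?:PAN-?OS\s+)?(\d+)\.(\d+)\.(\d+)(?:-h(\d+))?$", re.IGNORECASE
)


class PanOsVersion(NamedTuple):
    major: int
    minor: int
    maint: int
    hotfix: int  # 0 when there is no -hN suffix


def parse_version(text: str) -> Optional[PanOsVersion]:
    """Parse a PAN-OS version string; return None for anything else (e.g. a Linux host)."""
    m = _VERSION_RE.match(text.strip())
    if m is None:
        return None
    major, minor, maint, hotfix = m.groups()
    return PanOsVersion(int(major), int(minor), int(maint), int(hotfix or 0))


def is_affected(os_string: str) -> Optional[bool]:
    """True if the version is below the fixed hotfix for its release train,
    False if it is at or above the fix or in a train not listed as affected,
    None if the string is not a PAN-OS version at all."""
    version = parse_version(os_string)
    if version is None:
        return None
    fixed = FIXED_VERSIONS.get((version.major, version.minor))
    if fixed is None:
        return False
    fixed_version = parse_version(fixed)
    # Tuple comparison is lexicographic, so 10.2.9 (hotfix 0) sorts below
    # 10.2.9-h1 and 10.2.10 sorts above it, which a prefix regex cannot express.
    return version < fixed_version


# Constructed sample inventory records (not real asset data): hostname plus the
# OS string an asset inventory export would carry.
SAMPLE_INVENTORY = [
    {"hostname": "fw-edge-01", "os": "PanOS 10.2.8-h3"},    # below 10.2.9-h1: affected
    {"hostname": "fw-edge-02", "os": "PanOS 10.2.9-h1"},    # exactly the fix: not affected
    {"hostname": "fw-dc-01", "os": "PanOS 11.1.2"},         # 11.1.2 without h3: affected
    {"hostname": "fw-dc-02", "os": "PanOS 11.1.2-h3"},      # fixed
    {"hostname": "fw-lab-01", "os": "PanOS 11.0.10"},       # newer than 11.0.4-h1: not affected
    {"hostname": "fw-branch-07", "os": "PanOS 10.1.11-h4"}, # 10.1 train not listed: out of scope
    {"hostname": "srv-linux-01", "os": "Linux 5.15"},       # not PAN-OS: needs manual review
]


def triage(records):
    """Split inventory records into affected hostnames and ones that need manual review."""
    affected, needs_review = [], []
    for record in records:
        verdict = is_affected(record["os"])
        if verdict is None:
            needs_review.append(record["hostname"])
        elif verdict:
            affected.append(record["hostname"])
    return affected, needs_review


if __name__ == "__main__":
    hit, review = triage(SAMPLE_INVENTORY)
    print("affected:", hit)
    print("needs review:", review)
```

Run against the sample records, the triage reports fw-edge-01 and fw-dc-01 as affected and sends srv-linux-01 for review, while fw-lab-01 (11.0.10) is correctly left alone even though the prefix regex in the AQL above would flag it. The version check says nothing about whether the GlobalProtect gateway and device telemetry conditions hold on a given firewall; that still has to come from the device configuration.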


    Researching Reported CVE with the Axonius Vulnerability Management Module

    The Axonius Vulnerability Management Module addresses vulnerability management issues head-on. It delivers automated visibility into cybersecurity vulnerabilities and offers a holistic view of threats, allowing IT and security teams to identify vulnerabilities across entire fleets of devices and to prioritize and remediate them based on urgency and importance. The Vulnerability Repository page within the module lists all known vulnerabilities, including those not yet detected in the environment, so a team can track and assign a vulnerability before it is detected and trigger automated tracking or remediation steps once its status changes to detected.

    Axonius customers can use the Vulnerability Management module to identify instances of CVE-2024-3400.

    1. Search for active vulnerabilities with Vuln ID CVE-2024-3400

    Axonius screenshot depicting a search for active vulnerabilities with Vuln ID CVE-2024-3400

    AQL:

    {"vulnerabilities":"(\"specific_data.data.cve_id\" == \"CVE-2024-3400\")","devices":""}

    2. Use the Vulnerability Repository page to find CVE-2024-3400

    AQL:

    {"vulnerabilities":"(\"specific_data.data.cve_id\" == \"CVE-2024-3400\")","devices":""}

    Automating Alerts with Axonius Findings

    Axonius Findings supports all query and entity types, both assets and system events. The Rules Manager allows customers to alert teammates, executives, other business units, collaborators, and more based on single-query criteria thresholds, query comparisons, or timeline comparisons.

    Axonius customers can set up alerts and leverage the Axonius Platform to help their remediation teams stay informed whenever new instances of affected assets are identified. They can also get notified via communication channels of their choice (e.g., email, Slack, etc.).

    Axonius screenshot depicting Axonius Findings

    For more documentation on using Axonius to find systems impacted by CVEs, visit docs.axonius.com.

    And don’t forget to stay tuned. News regarding CVE-2024-3400 is evolving, so we’ll update this blog post if we have additional details or guidance to share.

    In the meantime, learn how the Axonius Platform gives you the actionable asset visibility and context to conquer CVE-2024-3400 and beyond. Schedule a customized demo now.
