Exploit code for Palo Alto Networks zero-day now public

Various infosec researchers have released proof-of-concept (PoC) exploits for the maximum-severity vulnerability in Palo Alto Networks’ PAN-OS used in GlobalProtect gateways.

The PoCs started rolling out just a day after the vendor began releasing hotfixes for the issue on Monday. Researchers have echoed previous warnings about how easy the vulnerability is to use in attacks, and said that many organizations could be compromised as a result.

Cybersecurity biz watchTowr Labs was the first to release a detailed analysis of CVE-2024-3400, along with a PoC, despite cheekily saying it no longer releases them.

Rapid7 rolled out its own soon after, explaining that a successful exploit is actually dependent on a chain of two vulnerabilities: CVE-2024-3400 and one that hasn’t yet been assigned a CVE.

Researchers demonstrated that, before command injection can be achieved, an attacker must first be able to create arbitrary files.

They showed that a file can be created by feeding the server a SESSID cookie with custom data, after using an old-school directory traversal trick (../..) to create the directory structure.

That alone only yields an empty file, created as root with an attacker-chosen name suited to command injection; it isn't enough to drop malicious code by itself.

This, combined with the command injection vulnerability (CVE-2024-3400) in GlobalProtect’s telemetry service, is what allows attackers to achieve remote code execution.
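As an added illustration for defenders (not code from the article, watchTowr or Rapid7), the following Python flags web-server log lines whose SESSID cookie carries a directory-traversal sequence, the precursor step described above, including percent-encoded and double-encoded variants. The log format, endpoint path and sample values are constructed for the example and are not PAN-OS's real logging.

```python
import re
from urllib.parse import unquote

# Constructed sample log lines (made-up format: client IP, request line, Cookie header).
SAMPLE_LOG = """\
203.0.113.5 "POST /login HTTP/1.1" "SESSID=a1b2c3d4e5"
203.0.113.9 "POST /login HTTP/1.1" "SESSID=/../../../tmp/constructed_marker"
198.51.100.7 "POST /login HTTP/1.1" "lang=en; SESSID=%2e%2e%2f%2e%2e%2ftmp%2fx"
198.51.100.8 "POST /login HTTP/1.1" "SESSID=%252e%252e%252ftmp%252fy"
198.51.100.9 "GET / HTTP/1.1" "lang=en"
"""

LINE_RE = re.compile(r'^(?P<ip>\S+) "(?P<request>[^"]*)" "(?P<cookie>[^"]*)"$')

def decode_fully(value: str, rounds: int = 3) -> str:
    # Strip up to `rounds` layers of percent-encoding so %2e%2e%2f and %252e%252e%252f both become '../'.
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value

def extract_sessid(cookie_header: str):
    # Return the SESSID value from a Cookie header, or None if it is absent.
    for part in cookie_header.split(";"):
        name, _, val = part.strip().partition("=")
        if name.strip().upper() == "SESSID":
            return val
    return None

def is_suspicious_sessid(value: str) -> bool:
    # A session token is opaque: a path separator or '..' surviving after
    # decoding means the cookie carries a path, not a session id.
    v = decode_fully(value).replace("\\", "/")
    return ".." in v or "/" in v

def scan_log(text: str):
    # Return (client_ip, decoded_sessid) for each line whose SESSID cookie
    # looks like a directory-traversal attempt.
    hits = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        sessid = extract_sessid(m["cookie"])
        if sessid is not None and is_suspicious_sessid(sessid):
            hits.append((m["ip"], decode_fully(sessid)))
    return hits
```

Run it against real access logs by replacing SAMPLE_LOG and adjusting LINE_RE to the log layout in use; a hit is a reason to check the appliance for unexpected files and to confirm the hotfix is applied.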

“To trigger remote code execution, we perform an unauthenticated cURL request to the GlobalProtect web server with a crafted payload in the SESSID cookie value,” Rapid7’s analysis says.

“When the server executes its telemetry transmission process once per hour, the payload will be executed and removed from the telemetry directory.

“After a short wait, we can establish remote code execution. On the attacker machine, a Python web server receives a GET request that indicates our code was executed with root privileges.”

Justin Elze, CTO at TrustedSec, posted an example exploit he spotted being used in a real-world incident.

Both analyses from watchTowr and Rapid7, plus the exploit shared by Elze, are dependent on GlobalProtect’s device telemetry being enabled.

On Tuesday – the day after Palo Alto Networks began releasing hotfixes, and on the same day researchers released their writeups – the vendor then updated its official advisory to say that the vulnerability is exploitable regardless of whether telemetry is enabled or not.

Prior to this update, disabling telemetry was one of the official, secondary suggested mitigations for users while they waited for patches. It now seems as though there are multiple ways to skin this cat, but details about the telemetry-less exploit aren’t publicly available from what we can see.

Researchers have predicted that mass exploitation will likely start given that PoCs are now published and relatively straightforward to execute.

Data from internet-monitoring outfit Shadowserver shows around 156,000 public-facing GlobalProtect appliances every day, and it soon plans to include figures on how many of these are still vulnerable.

Considering that disabling GlobalProtect device telemetry is no longer effective at mitigating attacks, and the severity of the issue, users are strongly urged to apply the available patches as soon as possible.

Plus, CVE-2024-3400 was already being exploited as a zero-day before all the information became available – another reason not to hang around.

The same advice goes for US federal agencies, which were given a seven-day deadline to protect their appliances by April 19 after CISA added the vulnerability to its Known Exploited Vulnerabilities (KEV) list.

Users who have a Threat Prevention subscription with Palo Alto Networks can also block attacks using Threat IDs 95187, 95189, and 95191, which are available via the Applications and Threats content.