Nynox advisory - Threat alert -

XZ Utils

– Date: 12th of April –

📢 Threat Alert – PAN GlobalProtect Gateway – A critical zero-day vulnerability of the GlobalProtect firewall has been exploited in the wild since March. Please path as soon as you can!

Palo Alto Networks published a security advisory that a critical zero-day vulnerability (CVE-2024-3400) has been found with a severity of 10.0 in the GlobalProtect Gateway firewall.

What’s going on?

⚠️ An unauthenticated attacker can execute arbitrary code with root privileges via a command injection attack on the firewall.
⚠️ It is only applicable to firewalls that have the configurations for both GlobalProtect gateway (Network > GlobalProtect > Gateways). Device telemetry does not need to be enabled for PAN-OS firewalls to be exposed to attacks related to this vulnerability.

⚠️ The vulnerable versions are:
PAN-OS < 11.1.2-h3
PAN-OS < 11.0.4-h1
PAN-OS < 10.2.9-h1

Threat alert - PAN GlobalProtect Gateway

❗It gives anyone power over one of your most critical piece of IT-infrastructure.
❗Palo Alto is aware of this zero-day being used in the wild in a limited number of attacks.
❗Not all versions have an available patched fix yet.

How does Nynox protect its customers?

🛡️ Free threat hunting based on the indicators for this attack

🛡️ Personalized assistance to mitigate the risk

🛡️ 24×7 Incident Response (CSIRT)

🛡️ 24×7 monitoring of customer environments


✅ Patch to the latest available version. A list can be found here:

PAN-OS 10.2:
10.2.9-h1 (Released 4/14/24)
10.2.8-h3 (Released 4/15/24)
10.2.7-h8 (Released 4/15/24)
10.2.6-h3 (ETA: 4/16/24)
10.2.5-h6 (ETA: 4/16/24)
10.2.3-h13 (ETA: 4/17/24)
10.2.1-h2 (ETA: 4/17/24)
10.2.2-h5 (ETA: 4/18/24)
10.2.0-h3 (ETA: 4/18/24)
10.2.4-h16 (ETA: 4/19/24)

PAN-OS 11.0:
11.0.4-h1 (Released 4/14/24)
11.0.3-h10 (ETA: 4/16/24)
11.0.2-h4 (ETA: 4/16/24)
11.0.1-h4 (ETA: 4/17/24)
11.0.0-h3 (ETA: 4/18/24)

PAN-OS 11.1:
11.1.2-h3 (Released 4/14/24)
11.1.1-h1 (ETA: 4/16/24)
11.1.0-h3 (ETA: 4/17/24)

But what if you can’t?

✅ Customers with a Threat Prevention subscription can block attacks for this vulnerability using Threat ID 95187, 95189, and 95191 (available in Applications and Threats content version 8833-8682 and later). Vulnerability protection is a requirement to apply the threat ID.

✅ In an earlier version of Palo Alto’s advisory, disabling device telemetry was listed as a secondary mitigation action. Disabling device telemetry is no longer an effective mitigation. Device telemetry does not need to be enabled for PAN-OS firewalls to be exposed to attacks related to this vulnerability.

But what if yOu can’t? 

Remove all USB controllers from the Virtual Machine, disabling USB passthrough functionality, and rendering virtual USB devices inaccessible.

Default keyboard and mouse input devices remain unaffected because they operate independently of the USB protocol.

In need of assistent? We're here for you!
Our Latest insights