
How to Exploit Critical Vulnerability in Palo Alto Devices

CVE-2024-3400 Proof of Concept

On April 12, 2024, Palo Alto Networks published an advisory regarding a critical unauthenticated command injection vulnerability affecting several recent versions of PAN-OS, the software that runs on most modern Palo Alto Networks firewall appliances. According to the vendor advisory, CVE-2024-3400 requires that either GlobalProtect Portal or GlobalProtect Gateway be enabled. GlobalProtect is the VPN feature of PAN-OS, and as such, the vulnerable components are expected to be internet-facing.

Update on Advisory

Initially, the vendor advisory indicated that device telemetry needed to be enabled in addition to GlobalProtect Portal or Gateway. However, as of April 16, the advisory has been updated to note that “Device telemetry does not need to be enabled for PAN-OS firewalls to be exposed to attacks related to this vulnerability.” Therefore, disabling device telemetry is no longer considered an effective mitigation.

Discovery and Exploitation

CVE-2024-3400 was discovered by the security firm Volexity, which detected in-the-wild zero-day exploitation around April 10, 2024. Both Volexity and Palo Alto Networks have extensive blog posts available with attacker behavior observations and indicators of compromise (IOCs).

Detailed Analysis by Rapid7

Rapid7’s analysis found that the exploit is a chain of two distinct vulnerabilities: an arbitrary file creation vulnerability in the GlobalProtect web server, for which no discrete CVE has been assigned, and a command injection vulnerability in the device telemetry feature, designated as CVE-2024-3400. If device telemetry is disabled, it is still possible to leverage the file creation vulnerability; however, Rapid7 has not identified an alternative way to leverage the file creation vulnerability for successful exploitation.

Rooting the Device

Out of the box, PAN-OS implements a limited command-line administrator management shell for console and SSH. To perform comprehensive dynamic testing, root access to the device is required. Boot-time integrity checks are performed for many parts of the file system, preventing common easy backdoor tactics like modification of /etc/passwd. However, the /var directory isn’t checked for integrity on boot, which can be exploited.

Since /var/appweb/htdocs contains the primary PHP web server files, it can be tampered with and leveraged for code execution as the nobody user. The steps include:

  1. Mounting the VMDK virtual machine disk to an Ubuntu system.

  2. Dropping a web shell in the /var/appweb/htdocs/unauth/php directory.

  3. Compiling and placing a statically linked SUID binary called root in the same directory.

Starting the Palo Alto Networks VM and browsing to https://hostname/unauth/php/backdoor.php yields a web shell that can be used to execute commands as root.

Analysts at AttackerKB executed ./root 'sed -i -e s@/opt/pancfg/home/admin:/usr/local/bin/cli@/opt/pancfg/home/admin:/bin/bash@g /etc/passwd' and snapshotted the virtual machine to skip start-up integrity checks. Finally, they authenticated to the machine via SSH to confirm their regular shell was working.

Diffing the Patch

By installing a vulnerable PAN-OS 10.2.9 in a VM and taking a snapshot, then updating the VM to the patched version 10.2.9-h1 and taking another snapshot, analysts at AttackerKB analyzed the underlying hard disk images for each version. The partition sysroot0 contains the file system contents they wanted to analyze.

Knowing that either GlobalProtect Portal or GlobalProtect Gateway is required for exploitation, they located the GlobalProtect service binary /usr/local/bin/gpsvc. This binary services the HTTP requests for both the Portal and Gateway via an NGINX front end that proxies incoming requests to this internal service. The NGINX configuration is found in /etc/nginx/sslvpn/location.conf.

The gpsvc binary is written in Go, and using a tool like BinDiff, they found a small change to the service.

The patched version of gpsvc adds a single function, main_isValidSessionId. This function is used to ensure a session ID value (provided by an incoming HTTP request) is a valid UUID value.

The main_isValidSessionId function is called by main__ptr_SessDiskStore_New and will extract an HTTP request’s session ID value from the SESSID HTTP cookie. It will then verify that the session ID value is a UUID before either creating a new session file on disk using the value or loading an existing session from disk if one already exists. If the session ID is not a UUID value, an “invalid session id” message is logged. Therefore, it can be speculated that in a vulnerable version of PAN-OS, an attacker-controlled session ID can contain arbitrary values that are not a valid UUID and that these may be written to disk when creating a new session for the incoming request.

Identifying the Command Injection Vulnerability

Analysts at AttackerKB examined the programs that perform the device telemetry feature. These include:

  • /usr/local/bin/devicetelemetry

  • /usr/local/bin/telemetry_collection.py

  • /etc/device_telemetry/cfg_telem.yaml

  • /usr/local/bin/dt_send

  • /usr/local/bin/dt_curl

They identified dt_curl as containing several modifications to prevent command injection. By comparing the vulnerable and patched versions of send_file, they found that a command string is constructed to execute the cURL binary in order to upload a file to a server, and this command string is passed to the pansys function to execute the command. The patched version changed the shell parameter to False, preventing command injection.

The pansys function, found in /usr/lib64/python3.6/site-packages/pansys/pansys.py, is responsible for executing commands via subprocess.Popen.

When the shell parameter is True, the command string is executed in the context of a Linux shell, making it vulnerable to command injection.
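The effect of the shell parameter described above, as an added Python example that is not code from PAN-OS or from the analysts' write-up. The function names, the echo stand-in for the uploader binary and the file names are constructed for illustration.

```python
import re
import subprocess

# 'echo' stands in for the uploader binary so the demo runs offline (assumption).
UPLOADER = "echo"
# Allowlist for file names: must start alphanumeric, so "-option" names fail too.
SAFE_NAME = re.compile(r"[A-Za-z0-9][A-Za-z0-9._-]{0,127}")

def send_file_shell(fname):
    """'Before' shape: one command string interpreted by a shell."""
    cmd = "%s UPLOAD %s" % (UPLOADER, fname)
    done = subprocess.run(cmd, shell=True, capture_output=True, text=True)
    return done.stdout.splitlines()

def send_file_argv(fname):
    """'After' shape: argv list, shell=False; fname is one literal argument."""
    done = subprocess.run([UPLOADER, "UPLOAD", fname], shell=False,
                          capture_output=True, text=True)
    return done.stdout.splitlines()

def send_file_hardened(fname):
    """Defence in depth: validate the name, then use the argv form."""
    if not SAFE_NAME.fullmatch(fname):
        raise ValueError("rejected file name: %r" % fname)
    return send_file_argv(fname)

if __name__ == "__main__":
    # Constructed file name carrying a harmless second command.
    name = "stats.tgz;echo INJECTED"
    print("shell=True :", send_file_shell(name))   # two commands ran
    print("shell=False:", send_file_argv(name))    # one command, literal name
    try:
        send_file_hardened(name)
    except ValueError as exc:
        print("hardened   :", exc)
```

With shell=False the metacharacters lose their meaning, but a name beginning with a dash could still be read as an option by the called program, which is why the allowlist is kept alongside it.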

Arbitrary File Creation

The gpsvc GlobalProtect application serves an HTTPS service on port 443. The web server sets a SESSID cookie for unauthenticated sessions, and the data affiliated with the session cookie is placed in /tmp/sslvpn.

By sending different data within the SESSID cookie, arbitrary files can be created. In the analysts' test, this resulted in a file named session_test_data in the /tmp/sslvpn directory. By using directory traversal sequences, files can be created anywhere on the file system.
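The UUID check from the patch diff and the path escape described in this section, as an added Python example; it is not the vendor's Go code. It assumes the session file name is the session_ prefix followed by the cookie value (as the session_test_data name suggests) and that the path is cleaned lexically. The function names and sample cookie values are constructed.

```python
import os
import re

SESSION_DIR = "/tmp/sslvpn"  # session store location named on the page
UUID_RE = re.compile(
    r"[0-9a-fA-F]{8}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{12}"
)

def is_valid_session_id(sessid):
    """Accept only the canonical 8-4-4-4-12 hex UUID form."""
    return isinstance(sessid, str) and UUID_RE.fullmatch(sessid) is not None

def unchecked_session_path(sessid, base=SESSION_DIR):
    """Assumed pre-patch shape: cookie value appended to 'session_', then cleaned."""
    return os.path.normpath(os.path.join(base, "session_" + sessid))

def inside(base, path):
    """True when path stays under base after lexical normalisation."""
    return os.path.commonpath([base, path]) == base

def checked_session_path(sessid, base=SESSION_DIR):
    """Patched shape: reject non-UUID IDs, then confirm containment anyway."""
    if not is_valid_session_id(sessid):
        raise ValueError("invalid session id")
    path = os.path.normpath(os.path.join(base, "session_" + sessid))
    if not inside(base, path):
        raise ValueError("session path escapes the store")
    return path

if __name__ == "__main__":
    # Constructed cookie values, not captured traffic.
    samples = [
        "123e4567-e89b-12d3-a456-426614174000",
        "test_data",
        "/../../constructed/example.txt",
    ]
    for sessid in samples:
        raw = unchecked_session_path(sessid)
        try:
            verdict = "accepted -> " + checked_session_path(sessid)
        except ValueError as exc:
            verdict = "rejected (%s)" % exc
        print("%-40r unchecked=%s inside=%s | %s"
              % (sessid, raw, inside(SESSION_DIR, raw), verdict))
```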

Command Injection Exploitation

With the ability to create arbitrary files and a command injection vulnerability in the telemetry service, analysts at AttackerKB demonstrated remote code execution. The telemetry service runs hourly, processing files in specific directories and including the file names in a cURL request. By crafting a payload in the SESSID cookie value, remote code execution can be triggered.

After a short wait, remote code execution is established. On the attacker's machine, a Python web server receives a GET request indicating the code was executed with root privileges.

Indicators of Compromise (IOCs)

Successful exploitation may leave artifacts in several folders and log files used by PAN-OS.

  • NGINX logs: /var/log/nginx/sslvpn_access.log will contain logs of HTTP requests with associated client IP addresses.

  • PAN logs: /var/log/pan/sslvpn-access/sslvpn-access.log will also log HTTP requests.

  • Telemetry directories: Suspicious 0-length files in /opt/panlogs/tmp/device_telemetry/ directories.

  • Telemetry send log: /var/log/pan/device_telemetry_send.log will show injected commands.
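A triage helper for the telemetry-directory indicator above, as an added Python example that is not a vendor or Rapid7 tool. It walks a copy of the telemetry tree and reports zero-length files and file names containing shell metacharacters; the sample tree, its directory name and its file names are constructed.

```python
import os
import tempfile

# Characters a shell treats specially; none belong in a telemetry file name.
SHELL_META = set("`$;|&<>(){}\\'\" ")

def scan_telemetry_tree(root):
    """Return sorted (relative_path, reasons) for files worth a closer look."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            try:
                info = os.lstat(full)  # lstat: do not follow planted symlinks
            except OSError:
                continue  # file vanished between listing and stat
            reasons = []
            if info.st_size == 0:
                reasons.append("zero-length")
            if SHELL_META & set(name):
                reasons.append("shell-metacharacters")
            if reasons:
                findings.append((os.path.relpath(full, root), reasons))
    return sorted(findings)

def build_sample_tree():
    """Constructed stand-in for a copied telemetry directory (names invented)."""
    root = tempfile.mkdtemp(prefix="telemetry_sample_")
    bucket = os.path.join(root, "bucket_a")
    os.makedirs(bucket)
    with open(os.path.join(bucket, "stats_0001.tgz"), "wb") as fh:
        fh.write(b"constructed payload bytes")
    for empty in ("stats_0002.tgz", "x`constructed`y"):
        open(os.path.join(bucket, empty), "wb").close()
    return root

if __name__ == "__main__":
    # On a forensic copy, pass the /opt/panlogs/tmp/device_telemetry/ tree instead.
    for rel, reasons in scan_telemetry_tree(build_sample_tree()):
        print(rel, "->", ", ".join(reasons))
```

A file that is both empty and carries metacharacters in its name is the strongest signal; empty files with ordinary names still merit a timestamp comparison against the access logs listed above.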


The following versions of PAN-OS are listed as vulnerable as of April 16, 2024. Notably, Palo Alto Networks has updated the advisory with additional vulnerable versions since releasing the original advisory on CVE-2024-3400.

  • PAN-OS 11.1 (before 11.1.2-h3)

  • PAN-OS 11.0 (before 11.0.4-h1)

  • PAN-OS 10.2 (before 10.2.7-h8, before 10.2.8-h3, before 10.2.9-h1)

Patches are available from the vendor and should be applied on an urgent basis. If patching is not possible, Rapid7 strongly recommends applying one of the vendor-supplied mitigations on an emergency basis. Please see the vendor advisory for further information.