The Download
It's a recurring theme: your security gateways/VPNs are creating their own security problems for your networks. We saw this earlier with Ivanti and Fortinet. Now Palo Alto Networks has announced a critical vulnerability (10/10) in the PANW GlobalProtect feature of PAN-OS that "may enable an unauthenticated attacker to execute arbitrary code with root privileges on the firewall." Palo Alto Networks acknowledged active exploitation of the vulnerability.
The vulnerability, tracked as CVE-2024-3400, affects PAN-OS v10.2, 11.0 and 11.1 in GlobalProtect. Unfortunately, PANW does not have a fix for the vulnerability out as of April 12th. Palo Alto recommends temporarily disabling device telemetry in PAN-OS until the hotfix for PAN-OS comes through (as early as Sunday, April 14).
What You Can Do
Given the severity, exploitation, and lack of mitigation, we recommend disabling GlobalProtect if at all feasible. Palo Alto notes that if you have a subscription to their Threat Prevention service, attacks can be blocked by enabling Threat ID 95187. Yes, you got that right: subscribe to another product to block attacks against their other product.
Given the preponderance of vulnerabilities and attacks against gateway/VPN software, it is important to realize that these security products are a significant part of your internet-facing attack surface. A good defense is active scanning and pen testing of these attack surfaces.
To Learn More: