TL;DR

Attackers are actively exploiting a vulnerability in some versions of Palo Alto Networks’s PAN-OS for GlobalProtect. The vulnerability allows an attacker to execute code with root privileges on the firewall. Expel recommends taking immediate action if you are operating a vulnerable device.

 

The details:

On April 12, 2024, PaloAlto Networks disclosed that a critical vulnerability (CVSS 10/10) was actively being exploited. 

 

The vulnerability impacts the following PAN-OS versions:

  • 10.2.x
  • 11.0.x
  • 11.1.x

The vulnerability also requires both the GlobalProtect gateway and device telemetry to be enabled.

 

Fixes for vulnerable PAN-OS versions are in development and are expected to be released by April 14, 2024.

 

Expel is monitoring the situation closely and will continue to keep you updated. We also recommend following along with Palo Alto's vulnerability notification page.

 

Recommendations from Palo Alto:

  • Customers with a Threat Prevention subscription can block attacks for this vulnerability by enabling Threat ID 95187 (introduced in Applications and Threats content version 8833-8682).
  • If you are unable to apply the Threat Prevention based mitigation at this time, you can still mitigate the impact of this vulnerability by temporarily disabling device telemetry until the device is upgraded to a fixed PAN-OS version. Once upgraded, device telemetry should be re-enabled on the device. How to disable telemetry on PAN devices

 

Reference:

https://security.paloaltonetworks.com/CVE-2024-3400