Full Report
Palo Alto Networks has published [1] information on CVE-2024-3400 in PAN-OS. This advisory addresses Siemens Industrial products affected by this vulnerability. Siemens has released a new version of Palo Alto Networks Virtual NGFW for RUGGEDCOM APE1808 and recommends updating to the latest version. Customers are advised to consult and implement the workarounds provided in Palo Alto Networks’ upstream security notifications.

[1] https://security.paloaltonetworks.com/CVE-2024-3400
Analysis Summary
# Vulnerability: PAN-OS GlobalProtect Command Injection Leading to Root Code Execution
## CVE Details
- CVE ID: CVE-2024-3400
- CVSS Score: 10.0 (Critical); both CVSS v3.1 and v4.0 report a base score of 10.0
- CWE: CWE-77: Improper Neutralization of Special Elements used in a Command ('Command Injection')
## Affected Systems
- Products: Siemens RUGGEDCOM APE1808 running Palo Alto Networks Virtual NGFW. (Note: The upstream vulnerability affects PAN-OS software.)
- Versions: All versions of RUGGEDCOM APE1808 configured with Palo Alto Networks Virtual NGFW that also have the GlobalProtect gateway and/or GlobalProtect portal feature enabled.
- Configurations: Only when GlobalProtect gateway or GlobalProtect portal (or both) are configured.
## Vulnerability Description
CVE-2024-3400 is a command injection vulnerability stemming from arbitrary file creation within the GlobalProtect feature of Palo Alto Networks PAN-OS software. This flaw may allow an unauthenticated remote attacker to execute arbitrary code with root privileges on the affected firewall.
## Exploitation
- Status: The CVSS vector indicates High Exploitation Likelihood (E:H) in the base metric set provided for CVE-2024-3400. This likely indicates known exploitation; consult the upstream advisory for the specific exploitation status.
- Complexity: Low (AC:L, PR:N, UI:N)
- Attack Vector: Network (AV:N)
## Impact
- Confidentiality: High (C:H)
- Integrity: High (I:H)
- Availability: High (A:H)
## Remediation
### Patches
- Upgrade Palo Alto Networks Virtual NGFW to **V11.1.2-h3** on RUGGEDCOM APE1808 devices. Customers must contact relevant support channels to receive the official patch and update information.
### Workarounds
1. **Disable GlobalProtect:** Disable both the GlobalProtect gateway and GlobalProtect portal features. (Note: These features are disabled by default in RUGGEDCOM APE1808 deployments, reducing immediate risk if unchanged.)
2. **Threat Prevention Subscription:** Customers with an active Threat Prevention subscription can block attacks by using Threat IDs **95187, 95189, and 95191**. These IDs are effective with Applications and Threats content version **8836-8695 and later**.
## Detection
- Detection mechanisms should focus on IDS/IPS signatures corresponding to Threat IDs 95187, 95189, and 95191 if the Threat Prevention subscription is active and content is updated.
- Monitor firewall logs for unusual command execution attempts associated with the GlobalProtect service, although specific IOCs are not detailed in this summary.
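
The exposure conditions, fixed release and workaround thresholds above can be turned into a fleet triage check. The following is an added example, not code from Siemens or Palo Alto Networks: the `Device` record, its field names and the sample inventory are hypothetical, and it assumes that any release ordered below V11.1.2-h3 is unpatched and that content versions compare numerically as `major-minor`.

```python
import re
from dataclasses import dataclass
from typing import Optional

FIXED_VERSION = "11.1.2-h3"   # fixed release named under Patches
MIN_CONTENT = "8836-8695"     # first content version with Threat IDs 95187, 95189, 95191

def parse_version(text):
    """'V11.1.2-h3' -> (11, 1, 2, 3); a release without a hotfix suffix counts as h0."""
    m = re.fullmatch(r"[Vv]?(\d+)\.(\d+)\.(\d+)(?:-h(\d+))?", text.strip())
    if not m:
        raise ValueError(f"unrecognised version: {text!r}")
    return tuple(int(g or 0) for g in m.groups())

def parse_content(text):
    """'8836-8695' -> (8836, 8695)."""
    m = re.fullmatch(r"(\d+)-(\d+)", text.strip())
    if not m:
        raise ValueError(f"unrecognised content version: {text!r}")
    return int(m.group(1)), int(m.group(2))

@dataclass
class Device:                      # hypothetical inventory record
    name: str
    version: str
    gp_gateway: bool
    gp_portal: bool
    threat_prevention: bool
    content_version: Optional[str] = None

def triage(d):
    """Classify one device against the advisory's conditions."""
    try:
        if parse_version(d.version) >= parse_version(FIXED_VERSION):
            return "patched"
        if not (d.gp_gateway or d.gp_portal):
            return "not_exposed"   # still below the fixed release: schedule the upgrade
        if d.threat_prevention and d.content_version and \
                parse_content(d.content_version) >= parse_content(MIN_CONTENT):
            return "mitigation_available"  # the profile must actually block the three IDs
    except ValueError:
        return "unknown"           # unparseable data: needs manual review
    return "exposed"

# Constructed sample inventory (not real devices).
INVENTORY = [
    Device("ape-01", "V11.1.2-h3", True, True, False),
    Device("ape-02", "11.1.2-h1", True, False, True, "8836-8695"),
    Device("ape-03", "11.1.1", False, True, True, "8835-8689"),
    Device("ape-04", "11.1.2", False, False, False),
]
```

Calling `triage()` on each entry of `INVENTORY` gives `patched`, `mitigation_available`, `exposed` and `not_exposed` in that order; a device whose version string cannot be parsed is reported as `unknown` rather than silently passed.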
## References
- Vendor Advisories:
  - Palo Alto Networks Upstream Advisory: hXXps://security.paloaltonetworks.com/CVE-2024-3400
  - Siemens Advisory SSA-750274: hXXps://cert-portal.siemens.com/productcert/html/ssa-750274.html
- General Security Guidelines: Siemens operational guidelines for Industrial Security are recommended.