
CVE-2024-3400

Palo Alto Networks PAN-OS Command Injection Vulnerability

Severity Score

10.0
*CVSS v3.1

Exploit Likelihood

*EPSS

Affected Versions

*CPE

Public Exploits

36
*Multiple Sources

Exploited in Wild

Yes
*KEV

Decision

Act
*SSVC
Descriptions

A command injection as a result of arbitrary file creation vulnerability in the GlobalProtect feature of Palo Alto Networks PAN-OS software for specific PAN-OS versions and distinct feature configurations may enable an unauthenticated attacker to execute arbitrary code with root privileges on the firewall.

Cloud NGFW, Panorama appliances, and Prisma Access are not impacted by this vulnerability.

A command injection vulnerability in the GlobalProtect feature of Palo Alto Networks PAN-OS software for specific PAN-OS versions and distinct feature configurations may enable an unauthenticated attacker to execute arbitrary code with root privileges on the firewall. Cloud NGFW, Panorama appliances, and Prisma Access are not impacted by this vulnerability.

Palo Alto Networks PAN-OS GlobalProtect feature contains a command injection vulnerability that allows an unauthenticated attacker to execute commands with root privileges on the firewall.

*Credits: Palo Alto Networks thanks Volexity for detecting and identifying this issue; Capability Development Group at Bishop Fox for helping us verify the fixes and improve threat prevention signatures.
CVSS Scores
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Changed
  • Confidentiality: High
  • Integrity: High
  • Availability: High
* Common Vulnerability Scoring System
SSVC
  • Decision: Act
  • Exploitation: Active
  • Automatable: Yes
  • Tech. Impact: Total
* Organization's Worst-case Scenario
Timeline
  • 2024-04-05 CVE Reserved
  • 2024-04-12 CVE Published
  • 2024-04-12 Exploited in Wild
  • 2024-04-12 First Exploit
  • 2024-04-19 KEV Due Date
  • 2024-08-01 CVE Updated
  • 2024-09-15 EPSS Updated
CWE
  • CWE-20: Improper Input Validation
  • CWE-77: Improper Neutralization of Special Elements used in a Command ('Command Injection')
CAPEC
  • CAPEC-248: Command Injection
References (39)
URL Date SRC
https://github.com/W01fh4cker/CVE-2024-3400-RCE 2024-04-17
https://github.com/h4x0r-dz/CVE-2024-3400 2024-04-17
https://www.exploit-db.com/exploits/51996 2024-04-21
https://github.com/ak1t4/CVE-2024-3400 2024-04-17
https://github.com/marconesler/CVE-2024-3400 2024-04-27
https://github.com/swaybs/CVE-2024-3400 2024-04-18
https://github.com/Kr0ff/cve-2024-3400 2024-04-21
https://github.com/0x0d3ad/CVE-2024-3400 2024-04-18
https://github.com/W01fh4cker/CVE-2024-3400-RCE-Scan 2024-04-22
https://github.com/Yuvvi01/CVE-2024-3400 2024-04-13
https://github.com/momika233/CVE-2024-3400 2024-04-14
https://github.com/ihebski/CVE-2024-3400 2024-04-17
https://github.com/Chocapikk/CVE-2024-3400 2024-04-17
https://github.com/AdaniKamal/CVE-2024-3400 2024-08-25
https://github.com/0xr2r/CVE-2024-3400-Palo-Alto-OS-Command-Injection 2024-04-25
https://github.com/zam89/CVE-2024-3400-pot 2024-05-26
https://github.com/schooldropout1337/CVE-2024-3400 2024-04-22
https://github.com/ZephrFish/CVE-2024-3400-Canary 2024-04-17
https://github.com/CerTusHack/CVE-2024-3400-PoC 2024-04-13
https://github.com/hahasagined/CVE-2024-3400 2024-04-18
https://github.com/codeblueprint/CVE-2024-3400 2024-04-19
https://github.com/LoanVitor/CVE-2024-3400- 2024-04-16
https://github.com/FoxyProxys/CVE-2024-3400 2024-04-16
https://github.com/retkoussa/CVE-2024-3400 2024-04-17
https://github.com/MrR0b0t19/CVE-2024-3400 2024-04-14
https://github.com/Ravaan21/CVE-2024-3400 2024-04-18
https://github.com/pwnj0hn/CVE-2024-3400 2024-04-19
https://github.com/andrelia-hacks/CVE-2024-3400 2024-05-12
https://github.com/sxyrxyy/CVE-2024-3400-Check 2024-04-18
https://github.com/CONDITIONBLACK/CVE-2024-3400-POC 2024-04-16
https://github.com/index2014/CVE-2024-3400-Checker 2024-04-17
https://github.com/terminalJunki3/CVE-2024-3400-Checker 2024-04-25
https://github.com/MurrayR0123/CVE-2024-3400-Compromise-Checker 2024-04-26
https://unit42.paloaltonetworks.com/cve-2024-3400 2024-08-01
https://www.volexity.com/blog/2024/04/12/zero-day-exploitation-of-unauthenticated-remote-code-execution-vulnerability-in-globalprotect-cve-2024-3400 2024-08-01
https://raw.githubusercontent.com/rapid7/metasploit-framework/master/modules/exploits/linux/http/panos_telemetry_cmd_exec.rb 2024-04-12
Affected Vendors, Products, and Versions
Vendor            Product  Version  Other  Status
Paloaltonetworks  Pan-os   10.2.0   -      Affected
Paloaltonetworks  Pan-os   10.2.0   h1     Affected
Paloaltonetworks  Pan-os   10.2.0   h2     Affected
Paloaltonetworks  Pan-os   10.2.0   h3     Affected
Paloaltonetworks  Pan-os   10.2.1   -      Affected
Paloaltonetworks  Pan-os   10.2.1   h1     Affected
Paloaltonetworks  Pan-os   10.2.1   h2     Affected
Paloaltonetworks  Pan-os   10.2.2   -      Affected
Paloaltonetworks  Pan-os   10.2.2   h1     Affected
Paloaltonetworks  Pan-os   10.2.2   h2     Affected
Paloaltonetworks  Pan-os   10.2.2   h4     Affected
Paloaltonetworks  Pan-os   10.2.2   h5     Affected
Paloaltonetworks  Pan-os   10.2.3   -      Affected
Paloaltonetworks  Pan-os   10.2.3   h11    Affected
Paloaltonetworks  Pan-os   10.2.3   h12    Affected
Paloaltonetworks  Pan-os   10.2.3   h13    Affected
Paloaltonetworks  Pan-os   10.2.3   h2     Affected
Paloaltonetworks  Pan-os   10.2.3   h4     Affected
Paloaltonetworks  Pan-os   10.2.3   h9     Affected
Paloaltonetworks  Pan-os   10.2.4   -      Affected
Paloaltonetworks  Pan-os   10.2.4   h10    Affected
Paloaltonetworks  Pan-os   10.2.4   h16    Affected
Paloaltonetworks  Pan-os   10.2.4   h2     Affected
Paloaltonetworks  Pan-os   10.2.4   h3     Affected
Paloaltonetworks  Pan-os   10.2.4   h4     Affected
Paloaltonetworks  Pan-os   10.2.5   -      Affected
Paloaltonetworks  Pan-os   10.2.5   h1     Affected
Paloaltonetworks  Pan-os   10.2.5   h4     Affected
Paloaltonetworks  Pan-os   10.2.5   h6     Affected
Paloaltonetworks  Pan-os   10.2.6   -      Affected
Paloaltonetworks  Pan-os   10.2.6   h1     Affected
Paloaltonetworks  Pan-os   10.2.6   h3     Affected
Paloaltonetworks  Pan-os   10.2.7   -      Affected
Paloaltonetworks  Pan-os   10.2.7   h1     Affected
Paloaltonetworks  Pan-os   10.2.7   h3     Affected
Paloaltonetworks  Pan-os   10.2.7   h6     Affected
Paloaltonetworks  Pan-os   10.2.7   h8     Affected
Paloaltonetworks  Pan-os   10.2.8   -      Affected
Paloaltonetworks  Pan-os   10.2.8   h3     Affected
Paloaltonetworks  Pan-os   10.2.9   -      Affected
Paloaltonetworks  Pan-os   10.2.9   h1     Affected
Paloaltonetworks  Pan-os   11.0.0   -      Affected
Paloaltonetworks  Pan-os   11.0.0   h1     Affected
Paloaltonetworks  Pan-os   11.0.0   h2     Affected
Paloaltonetworks  Pan-os   11.0.0   h3     Affected
Paloaltonetworks  Pan-os   11.0.1   -      Affected
Paloaltonetworks  Pan-os   11.0.1   h2     Affected
Paloaltonetworks  Pan-os   11.0.1   h3     Affected
Paloaltonetworks  Pan-os   11.0.1   h4     Affected
Paloaltonetworks  Pan-os   11.0.2   -      Affected
Paloaltonetworks  Pan-os   11.0.2   h1     Affected
Paloaltonetworks  Pan-os   11.0.2   h2     Affected
Paloaltonetworks  Pan-os   11.0.2   h3     Affected
Paloaltonetworks  Pan-os   11.0.2   h4     Affected
Paloaltonetworks  Pan-os   11.0.3   -      Affected
Paloaltonetworks  Pan-os   11.0.3   h1     Affected
Paloaltonetworks  Pan-os   11.0.3   h10    Affected
Paloaltonetworks  Pan-os   11.0.3   h3     Affected
Paloaltonetworks  Pan-os   11.0.3   h5     Affected
Paloaltonetworks  Pan-os   11.0.4   -      Affected
Paloaltonetworks  Pan-os   11.0.4   h1     Affected
Paloaltonetworks  Pan-os   11.1.0   -      Affected
Paloaltonetworks  Pan-os   11.1.0   h1     Affected
Paloaltonetworks  Pan-os   11.1.0   h2     Affected
Paloaltonetworks  Pan-os   11.1.0   h3     Affected
Paloaltonetworks  Pan-os   11.1.1   -      Affected
Paloaltonetworks  Pan-os   11.1.1   h1     Affected
Paloaltonetworks  Pan-os   11.1.2   -      Affected
Paloaltonetworks  Pan-os   11.1.2   h1     Affected
Paloaltonetworks  Pan-os   11.1.2   h3     Affected