In the wake of the discovery of a critical CVE (Common Vulnerabilities and Exposures), CVE-2024-3400, within Palo Alto Networks’ GlobalProtect feature of PAN-OS software, it’s become increasingly evident that enterprises must approach their infrastructure security with a cautious perspective.
While appliances designed to safeguard organizations can inadvertently serve as entry points for threat actors, employing red team strategies can fortify defenses by proactively identifying and addressing vulnerabilities before they are exploited.
What is CVE-2024-3400?
The recently disclosed CVE affects Gateways within GlobalProtect, Palo Alto’s trusted secure remote access solution. Utilizing GlobalProtect, remote users securely connect to internal resources on the WAN or external resources on the Internet via Palo Alto NGFWs serving as GlobalProtect Gateways.
Palo Alto warns that a critical vulnerability in its PAN-OS software enables threat actors to execute code on affected GlobalProtect gateways. Identified as CVE-2024-3400, this flaw carries the highest possible severity rating, a CVSS score of 10.0.
“A command injection vulnerability in the GlobalProtect feature of Palo Alto Networks PAN-OS software for specific PAN-OS versions and distinct feature configurations may enable an unauthenticated attacker to execute arbitrary code with root privileges on the firewall,” writes the company in a recently published advisory.
The advisory notes the affected version: PAN-OS versions earlier than 11.1.2-h3, 11.0.4-h1 and 10.2.9-h1.
Updates to address this issue are scheduled for release on April 14, 2024. The vulnerability only affects firewalls configured with the GlobalProtect gateway and device telemetry settings.
While specific details about the attacks and the identities of the perpetrators remain undisclosed, Palo Alto Networks has confirmed a few instances of attacks exploiting this vulnerability. The company recommends Threat Prevention subscribers activate Threat ID 95187 as a protective measure.
Reflecting on Recent Security Breaches
The disclosure of CVE-2024-3400 is part of a larger trend. In 2023, a total of 28,000 CVEs were identified, marking an increase from 25,081 in 2022. This past year has witnessed the disclosure and exploitation of multiple vulnerabilities within security infrastructure.
Back in March, the Google-owned threat intelligence group Mandiant identified how Chinese attackers were exploiting a zero-day flaw in Fortinet for espionage work. The vulnerability, CVE-2022-41328, concerned a path traversal bug in FortiOS that could lead to arbitrary code execution. Fortinet patched it on March 7, 2023.
Last December, Barracuda reported that Chinese threat actors exploited a zero-day in its Email Security Gateway (ESG) appliances, deploying backdoors on a “limited number” of devices. The vulnerability (CVE-2023-7102) is another case of arbitrary code execution, tapping a vulnerability in the open-source library, Spreadsheet:ParseExcel, that’s used to screen Microsoft Excel attachments for malware.
These instances underscore a concerning trend: security appliances and defenses are becoming targets for threat actors. Ensuring their enterprises are adequately protected requires security leaders to move beyond assuming security appliances and infrastructure are secured and taking a more active approach.
Red Team Tactics Call for Continuous Penetration Testing
In light of these circumstances, it’s imperative for enterprises to explore the adoption of red team strategies to fortify the effectiveness of their security infrastructure and to ensure the security of their security tools. At the forefront of these strategies lies the practice of continuous penetration testing.
Whereas traditional penetration testing simulates a one-time attack on infrastructure, continuous pen testing is an ongoing security assessment. What’s more, by using advanced AI, continuous pen testing probes systems in the same way an attacker would, identifying exploitable vulnerabilities that pose a real-world risk.
Horizon3.ai’s NodeZero, for example, enables organizations to discover what would happen next if an attacker gained a foothold in their networks. NodeZero highlights the attack paths an attacker could take to discover and exploit the unknown vulnerabilities and weaknesses in your networks that could lead to compromise, or even worse, ransomware. NodeZero safely attacks you, then explains how to fix the issues it discovers. Once you take action to remediate what NodeZero discovers, it allows you to verify your fix worked.
The revelation of vulnerabilities like CVE-2024-3400 reminds us that even within our security infrastructure we can’t take our security for granted. Enterprises must reassess and strengthen their cybersecurity frameworks continually to keep ahead of attackers. By doing so, they protect not just their operational assets but also the privacy and trust of their users.
If you have concerns about your current security setup or are considering adopting SASE, we can help. Contact us for a complimentary security assessment today at: Contact US.
