EXPEL BLOG

Security alert: Palo Alto Networks PAN-OS GlobalProtect Command Injection Vulnerability

· 1 MIN READ · AARON WALTON · APR 12, 2024 · TAGS: Alert / MDR / Vulnerability

Palo Alto Networks disclosed that attackers are exploiting a vulnerability in PAN-OS for GlobalProtect. Here’s what you need to know.

What happened?

On April 12, 2024, Palo Alto Networks disclosed that attackers are actively exploiting a vulnerability in some versions of PAN-OS for GlobalProtect. To be exploited, the vulnerability requires both the GlobalProtect gateway and device telemetry to be enabled. It impacts the following PAN-OS versions:

  • 10.2.x
  • 11.0.x
  • 11.1.x

Palo Alto Networks communicated that it is developing fixes for the vulnerable PAN-OS versions and expects to release them by April 14, 2024.

Why does it matter?

The vulnerability allows an attacker to execute code with root privileges on the firewall. It’s rated as critical because root privileges allow the attacker to do…anything. Access to the highest available privileges means free rein for attackers. No patch is currently available and the ETA is two days away, so we recommend that orgs using these PAN-OS versions act quickly.

What should you do right now?

Based on Palo Alto’s guidance, here’s what you should do immediately:

  • Customers with a Threat Prevention subscription can block attacks for this vulnerability by enabling Threat ID 95187 (introduced in Applications and Threats content version 8833-8682).
  • If you are unable to apply the Threat Prevention-based mitigation at this time, you can still mitigate the impact of this vulnerability by temporarily disabling device telemetry until the device is upgraded to a fixed PAN-OS version. Once upgraded, device telemetry should be re-enabled on the device. See: How to disable telemetry on PAN devices.
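
As an added example (not Expel's or Palo Alto Networks' code), the following Python triages a firewall inventory against the conditions stated in this post: the listed PAN-OS release trains, GlobalProtect gateway plus device telemetry enabled, and Threat ID 95187 from content version 8833-8682. The inventory records and field names are constructed, and ordering content versions as integer pairs is an assumption.

```python
import re

AFFECTED_TRAINS = {"10.2", "11.0", "11.1"}  # release trains listed in this post
MIN_CONTENT = (8833, 8682)  # content version that introduced Threat ID 95187
ORDER = ["act-now", "mitigated-threat-id", "preconditions-not-met", "version-not-listed"]

def train(panos):
    """'10.2.7-h3' -> '10.2'; raises ValueError on anything unparseable."""
    m = re.match(r"(\d+)\.(\d+)(?:\.|$)", panos.strip())
    if not m:
        raise ValueError(f"unrecognised PAN-OS version: {panos!r}")
    return f"{m.group(1)}.{m.group(2)}"

def content_tuple(version):
    """'8833-8682' -> (8833, 8682). Integer-pair ordering is an assumption."""
    major, minor = version.strip().split("-")
    return int(major), int(minor)

def triage(fw):
    """Classify one inventory record using only the conditions in this post."""
    if train(fw["panos"]) not in AFFECTED_TRAINS:
        return "version-not-listed"
    if not (fw["gp_gateway"] and fw["telemetry"]):
        return "preconditions-not-met"
    # The signature only helps if the content is new enough AND it is enabled.
    if fw["threat_95187_enabled"] and content_tuple(fw["content"]) >= MIN_CONTENT:
        return "mitigated-threat-id"
    return "act-now"

def report(inventory):
    """Return (name, status) pairs, most urgent first."""
    rows = [(fw["name"], triage(fw)) for fw in inventory]
    return sorted(rows, key=lambda r: (ORDER.index(r[1]), r[0]))

# Constructed sample inventory; field names are hypothetical.
INVENTORY = [
    {"name": "fw-lab-1", "panos": "10.1.11", "gp_gateway": True, "telemetry": True,
     "content": "8830-8650", "threat_95187_enabled": False},
    {"name": "fw-dc-1", "panos": "11.0.4", "gp_gateway": True, "telemetry": False,
     "content": "8832-8670", "threat_95187_enabled": False},
    {"name": "fw-edge-2", "panos": "11.1.2", "gp_gateway": True, "telemetry": True,
     "content": "8833-8682", "threat_95187_enabled": True},
    {"name": "fw-edge-1", "panos": "10.2.7-h3", "gp_gateway": True, "telemetry": True,
     "content": "8832-8670", "threat_95187_enabled": False},
]

if __name__ == "__main__":
    for name, status in report(INVENTORY):
        print(f"{name:10} {status}")
```
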

What next?

Expel is monitoring the situation closely and will continue to update our channels with any developments. Keep an eye out for updates here and on Palo Alto Networks’ vulnerability notification page.