Zero-day exploited right now in Palo Alto Networks' GlobalProtect gateways

Palo Alto Networks on Friday issued a critical alert for an under-attack vulnerability in the PAN-OS software used in its firewall-slash-VPN products. The command-injection flaw, with an unwelcome top CVSS severity score of 10 out of 10, may let an unauthenticated attacker execute remote code with root privileges on an …

  1. Anonymous Coward
    Anonymous Coward

    White Hat suddenly turns Black

    These folks aggressively scan the web including my lame website. They ignore the opt out. I block them 100%. Everywhere.

    I always figured something like this would happen. Seems the harder they cry "White Hat" the worse the inevitable hack and attack becomes.

    Let me guess: they are very concerned about this.

  2. HuBo
    Unhappy

    Hopefully this doesn't turn into an Ivanti-style nightmare.

  3. Paul Crawford Silver badge
    Facepalm

    > temporarily disabling device telemetry until the device is upgraded to a fixed PAN-OS version

    Does this mean it is the telemetry service that is the attacker's route in?

    > Those mitigations include applying a GlobalProtect-specific vulnerability protection

    So there is protection possible that is not on by default? And this claims to be a security appliance?

    1. phuzz Silver badge

      > Does this mean it is the telemetry service that is the attacker's route in?

      There doesn't seem to be details yet, but it seems that way.

      > So there is protection possible that is not on by default?

      It's a paid subscription server.

  4. sitta_europea Silver badge

    What the fuck's a "cloud firewall"?

    1. Paul Crawford Silver badge

      Rather porous it would appear...

    2. This post has been deleted by its author

  5. t245t Silver badge
    Mushroom

    Global non Protect gateways, shurly :o

    “PAN‑OS® is the software that runs all Palo Alto Networks® next-generation firewalls. By leveraging the key technologies that are built into PAN‑OS natively—App‑ID, Content‑ID, Device-ID, and User‑ID—you can have complete visibility and control of the applications in use across all users and devices in all locations all the time.”

    “And, because inline ML and the application and threat signatures automatically reprogram your firewall with the latest intelligence, you can be assured that all traffic you allow is free of known and unknown threats.”

    --

    • Never begin a sentence with ‘And’

    • Never follow an ‘And’ with a comma

    1. yetanotheraoc Silver badge

      Re: Global non Protect gateways, shurly :o

      > • Never begin a sentence with ‘And’
      >
      > • Never follow an ‘And’ with a comma

      • And, and, and and ... how do you feel about Oxford commas?

    2. tmTM

      Re: Never

      Never make a hard and fast rule about the English language; it will do its utmost to find a way to prove you wrong.

  6. baz rowlingson

    As used in Universities...

    I think this is the firewall system used at the university I work for. Not that I use it, because to get it running on my home box requires downloading a Linux binary, and I'm not polluting my home machine with random binaries. Am now smugly justifying that decision...

    So instead I ssh -J through the one unix box on campus that's open to the world. Why do we even need these firewall appliances?

    1. t245t Silver badge
      Terminator

      Re: As used in Universities...

      > Why do we even need these firewall appliances?

      • To sell product ..

      • To make-up for defects in the underlying technology.

      • To provide the hackers with the one point of failure :)

  7. Mark 65

    > Once upgraded, device telemetry should be re-enabled on the device.

    I'm no networking expert, but why? How important is the telemetry and what does it offer the user/client?

    Seems like it just expands the attack surface at present.

  8. Anonymous Coward
    Anonymous Coward

    Bit of an update for anyone following this CVE. The mitigation PA originally published was wrong (i.e. disabling telemetry).

    https://www.reddit.com/r/paloaltonetworks/comments/1c5rem7/cve20243400_advisory_updated_disabling_telemetry/

    and

    https://unit42.paloaltonetworks.com/cve-2024-3400/

    and

    https://www.volexity.com/blog/2024/04/12/zero-day-exploitation-of-unauthenticated-remote-code-execution-vulnerability-in-globalprotect-cve-2024-3400/
