Front Page: NCSC-FI

Data breaches to Palo Alto GlobalProtect products – requires immediate action

Alert 1/2024

A vulnerability (CVE-2024-3400) in a Palo Alto GlobalProtect product that is widely used in organisations is being actively exploited. The vulnerability has significant effects: the devices must be updated and investigated, and any device that was susceptible to the vulnerability should be suspected of having been breached.

Palo Alto products are popular in Finland as well, and several hundred network edge devices are affected by the vulnerability that was announced on 12 April. Exploitation attempts will continue and even increase in the coming days. Proof-of-concept exploit code for the vulnerability has been shared on the internet and is thus available to attackers.

Palo Alto GlobalProtect Gateway, and the GlobalProtect Portal used to manage the Gateway, are products that organisations use, for example, as secure VPN solutions for remote work. Critical vulnerabilities in these products can give an attacker easy access, because products like these are by design meant to provide access into an organisation’s network.

Organisations using these products must react to critical vulnerabilities and their corrective actions even faster than before. In the Palo Alto case, exploitation began even before corrective actions were announced or updates published. Exploitation attempts have already started around the world, and initial data breaches have also been observed in Finland.

Significant changes to initial information

NCSC-FI published a vulnerability report on the critical Palo Alto vulnerability CVE-2024-3400 on 12 April 2024. The vulnerability initially applied only to the GlobalProtect Gateway product, which is widely used in Finland as well for VPN solutions in organisations. This week the GlobalProtect Portal product was also reported to be vulnerable.

Initially Palo Alto reported that a small configuration change would mitigate exploitation of the vulnerability. This is no longer true, and several successful attacks have been observed in Finland as well. Organisations have started evaluating the effects and extent of the attacks. Organisations must update vulnerable Palo Alto devices to the latest versions immediately, and it is highly recommended to investigate the devices for possible data breaches. For example, the device log and files added to the device can indicate whether the device has been breached.

Reporting observations

If you notice that your devices have been exploited, it is important to take action immediately. Make sure that the information on the device is not deleted and that the device is not reinstalled. You can disconnect the device from the internet, but do not turn it off. More detailed information for the technical investigation of the vulnerability is available in the manufacturer's bulletin.

Please send us reports of vulnerability exploitation if there are any findings in your organisation. You can report your findings with the form on our website or by sending an email to cert@traficom.fi.

Target group of the alert

Finnish organisations that use Palo Alto GlobalProtect products. The vulnerability does not apply to end users or ordinary citizens.

NGFW firewalls delivered as a cloud service are not vulnerable, but the vulnerability does apply to other firewall instances implemented and managed in a cloud service.

Possible solutions and restrictive measures

A successful data breach can be detected by monitoring the device's network traffic, looking for signs of known indicators of compromise (IoCs), and checking the logs for suspicious entries.

In its advisory, Palo Alto describes indicators of exploitation attempts. Log entries whose message is "failed to unmarshal session" and which contain something other than a GUID string (e.g. ‘01234567-89ab-cdef-1234-567890abcdef’) indicate exploitation attempts. If you have detected exploitation attempts, we recommend that you assume the vulnerability has been successfully exploited and the device has been compromised, although it may be possible to verify the success of the exploit in more detail on a case-by-case basis.
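The log check described above can be automated for triage. The following is an added example written for this alert; it is not code from NCSC-FI or from Palo Alto. It assumes that each relevant log line ends with "failed to unmarshal session(<value>)", where a normal entry carries a GUID as the value; that "session(...)" layout and the timestamped sample lines are constructed assumptions, so adapt the line pattern to the exact format of the log exported from your device.

```python
import re
import sys

# A GUID/UUID as it appears in a normal "failed to unmarshal session" entry:
# five hex groups of 8-4-4-4-12 characters and nothing else.
GUID_RE = re.compile(
    r"^[0-9a-fA-F]{8}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{12}$"
)

# ASSUMED line layout: the message ends with "failed to unmarshal session(<value>)".
# Adjust this pattern to match the real log format before running it on device logs.
ENTRY_RE = re.compile(r"failed to unmarshal session\((?P<session>.*)\)\s*$")


def classify_line(line):
    """Classify one log line.

    Returns "benign" for an entry whose session value is a GUID, "suspicious"
    for an entry whose session value is anything else (the indicator named in
    the advisory), and None for lines that are not unmarshal entries at all.
    """
    match = ENTRY_RE.search(line)
    if match is None:
        return None
    value = match.group("session")
    return "benign" if GUID_RE.match(value) else "suspicious"


def scan_log(lines):
    """Return [(line_number, session_value), ...] for every suspicious entry."""
    hits = []
    for number, line in enumerate(lines, start=1):
        if classify_line(line) == "suspicious":
            hits.append((number, ENTRY_RE.search(line).group("session")))
    return hits


# Constructed sample lines (not real device output). The GUID is the example
# value quoted in the alert; the second line carries a deliberately non-GUID
# placeholder so that the detection logic has something to flag.
SAMPLE_LOG = [
    "2024-04-15T10:00:00 gpsvc: failed to unmarshal session(01234567-89ab-cdef-1234-567890abcdef)",
    "2024-04-15T10:00:05 gpsvc: failed to unmarshal session(EXAMPLE-NON-GUID-VALUE)",
    "2024-04-15T10:00:09 gpsvc: session established for user example",
]


if __name__ == "__main__":
    # Usage: python scan_unmarshal.py [path-to-log]; without a path the sample is used.
    if len(sys.argv) > 1:
        with open(sys.argv[1], encoding="utf-8", errors="replace") as fh:
            log_lines = fh.read().splitlines()
    else:
        log_lines = SAMPLE_LOG
    findings = scan_log(log_lines)
    for number, value in findings:
        print(f"line {number}: non-GUID session value {value!r}")
    print(f"{len(findings)} suspicious entr{'y' if len(findings) == 1 else 'ies'} found")
```

A single hit is enough to act on: per the guidance above, treat the device as compromised, preserve its logs and file system, and disconnect it from the internet without powering it off. The script only separates the GUID case from everything else; it does not attempt to judge whether a given non-GUID value "succeeded", which is the case-by-case verification the alert leaves to the investigation.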

Customers can open a case on the Palo Alto Customer Support Portal (CSP) and upload a technical support file (TSF) to the portal so that the device logs can be checked for indicators of compromise (IoCs).

More Information