How to find Palo Alto Network firewalls running PAN-OS 11.1, 11.0, and 10.2


Latest Palo Alto Networks vulnerability #

Palo Alto Networks (PAN) disclosed that certain versions of their PAN-OS software has a vulnerability that allows for remote command injection.

CVE-2024-3400 is rated critical with CVSS score of 9.8 and indicates an unauthenticated attacker can execute arbitrary code with root privileges on the firewall. The vendor indicates that there is evidence of limited exploitation in the wild.

watchTowr has posted a detailed analysis including the details needed for exploitation. This analysis covers two separate vulnerabilities; an arbitrary file creation vulnerability in the session handler, and a shell metacharacter injection issue that leads to remote execution through the telemetry script. PAN has updated their guidance to state that "Disabling device telemetry is no longer an effective mitigation".

What is the impact? #

The following PAN-OS versions are affected by this vulnerability.




PAN-OS 11.1

< 11.1.2-h3

>= 11.1.2-h3 (hotfix ETA: By 4/14)

PAN-OS 11.0

< 11.0.4-h1

>= 11.0.4-h1 (hotfix ETA: By 4/14)

PAN-OS 10.2

< 10.2.9-h1

>= 10.2.9-h1 (hotfix ETA: By 4/14)

Palo Alto Networks indicates that PAN-OS 11.1, 11.0, and 10.2 versions with the configurations for both GlobalProtect gateway and device telemetry enabled.

Customers may verify this by checking for entries in the firewall web interface (Network > GlobalProtect > Gateways) and verify whether device telemetry enabled by checking your firewall web interface (Device > Setup > Telemetry).

Are updates or workarounds available? #

Palo Alto Networks recommends that customers with a Threat Prevention subscription can block attacks for this vulnerability by enabling Threat ID 95187 (introduced in Applications and Threats content version 8833-8682) and applying vulnerability protection to GlobalProtect interfaces.

It is also recommended that telemetry be disabled until devices can be upgraded to an unaffected version of PAN-OS.

How do I find potentially vulnerable systems with runZero? #

From the Asset Inventory, use the following query to locate systems running potentially vulnerable software:


Written by Blain Smith

Blain Smith is a Security Research Engineer at runZero. He spent most of his career in cloud and distributed systems for AAA gaming, entertainment, and networking working on some of the most popular games and systems millions of people play and watch daily. He has given numerous talks conferences such as TEDx, GopherCon, and P99CONF. His shift into infosec has afforded him the ability to apply his distributed systems and networking knowledge to other industries such as IoT and OT.

More about Blain Smith
Subscribe Now

Get the latest news and expert insights delivered in your inbox.

Welcome to the club! Your subscription to our newsletter is successful.

Related Articles

Rapid Response
How to find CrushFTP services
CrushFTP disclosed that versions of their file transfer software have a vulnerability allowing unauthenticated file system access. Here's how to...
Rapid Response
How to find outdated lighttpd services
Outdated versions of the open source lighttpd web server are vulnerable to a handful of security vulnerabilities
Rapid Response
How to find D-Link NAS Storage devices
D-Link has disclosed multiple vulnerabilities in their D-Link NAS Storage products. Here's how to find potentially impacted devices.
Rapid Response
How to find Brocade Fabric OS
On April 4, 2024, Broadcom disclosed a vulnerability in their Fabric OS operating system used in their Brocade storage networking devices. Here's...

See Results in Minutes

Get complete visibility into IT, OT, & IoT — without agents, credentials, or hardware.

© Copyright 2024 runZero, Inc. All Rights Reserved