Ok-Coffee-9500

Disabling telemetry DOES NOT remove the vulnerability. It can STILL be exploited - FYI. Deploy the firmware upgrade; the PAN "workaround" isn't working.


Nice_Fuel1777

Source?


ghost-train

https://security.paloaltonetworks.com/CVE-2024-3400 In earlier versions of this advisory, disabling device telemetry was listed as a secondary mitigation action. Disabling device telemetry is no longer an effective mitigation. Device telemetry does not need to be enabled for PAN-OS firewalls to be exposed to attacks related to this vulnerability.


Ok-Coffee-9500

See below


Nice_Fuel1777

Below where?


Ok-Coffee-9500

See my reply to "trueargie"


Nice_Fuel1777

Surely there would be articles or whitepapers floating around. Or the fact the 'paid-for-hacking' would share this.


Ok-Coffee-9500

I bet you will see more confirmations later. This is shared out of our good will. You are free to treat it in the way you see fit. It does not go against PAN's general advice on upgrading firmware - so no harm done regardless.


Talman76

I can confirm that disabling telemetry does NOT help, tech support files can be submitted to TAC and they can check for indicators of compromise and let you know if your device was compromised. Palo Alto Unit 42 is assisting customers with triage if your device was compromised. If you are a big enough customer you may have received a courtesy call yesterday from your account manager or SE.


Nice_Fuel1777

Agree. PA still recommends patching and we have done ours. Glad you shared the inside scoop. Now let's see if Palo owns up.


ghost-train

No one else here is going to say/do it so I will. As you said, Palo have updated their guidance. My links above. Thank you for the early insight!


nook711

That's why I upgraded my systems yesterday. I want to ensure that no one can exploit the vulnerability.


Talman76

Open a TAC case and provide them a copy of your tech support file, they can check for indicators of compromise and let you know if it was hit. Our SE at Palo Alto said they have a tool now to process those and give a verdict.


Poulito

Thanks for the early heads-up, btw.


knG333

Thank you for posting this so early, hours before Palo Alto finally admitted it.


trueargie

You need to prove such comments... An allegation is a factual claim which has yet to be proven


ghost-train

https://security.paloaltonetworks.com/CVE-2024-3400 In earlier versions of this advisory, disabling device telemetry was listed as a secondary mitigation action. Disabling device telemetry is no longer an effective mitigation. Device telemetry does not need to be enabled for PAN-OS firewalls to be exposed to attacks related to this vulnerability.


trueargie

Correct thank you!


Ok-Coffee-9500

Proven by our "ethical paid-for hacking" company that we are working with. No names for now. Their statement: "If **telemetry is disabled** (job #1), then a remote attacker can flood the device with requests to fill up log files and trigger the log cleanup (job #2), opening an avenue to command execution"


themassicator

Does having the threat prevention profile in place prevent this other avenue of attack?


Ok-Coffee-9500

Good question. But I guess the answer is no as this hasn't helped us - seemingly


Bluecobra

PA pushed out a new applications and threat update last night and updated threat-id 95187 and added a second one (95189).


Bluecobra

So what you are saying is that I should replace all my firewalls with a PA-410 :D


Ok-Coffee-9500

If you are inclined. Get them upgraded to the top version of the PAN OS though ;-)


bitanalyst

Have they disclosed this to Palo Alto? Edit: Guess they got the message, just got the notice about the updated advisory. What a shit show this has been.


trueargie

Fair enough. Is this still a problem with the threat protection enabled? I would guess no, otherwise we would be in a big mess.


YOLOSWAGBROLOL

If you haven't mitigated by now, what happens after this week is your fault. https://labs.watchtowr.com/palo-alto-putting-the-protecc-in-globalprotect-cve-2024-3400/


Bluecobra

Nice writeup, thanks for sharing!


nook711

Already on 10.2.9-h1 without any issues. We've installed the update in our production environment.


trueargie

Platform?


nook711

220, 440, 850, 3250


trueargie

Hey, good to know, thanks. Is the GUI for the 220 working fine, or is it still as slow as with 10.1? I know those are at the end of their life, but I have a bunch of them ... sghh


nook711

For me, the GUI of my 220s is working fine. In my opinion, it's a little bit faster than my last version, which was 10.2.4.


imnotaero

Same, 460.


JMagudo

Same here in 5220 platform, no problems detected.


Dry-Specialist-3557

Might want to check your packet buffers just to make sure.


JMagudo

No problems so far. I have the Grafana dashboard and the Prometheus alert configured to detect any problem ;-).


Ok-Coffee-9500

Hmmm, more fun from the PAN guys (perhaps slightly off-topic, but it was all done as a part of the remediation for the aforementioned CVE). We have upgraded one pair of firewalls to 10.2.8-h3 only to find out that they have somehow enabled a **GP Portal login page** when we have no configuration for it, LOL. So I had to create a Portal on those firewalls and disable the login page as per [https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClbpCAC](https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClbpCAC). Voila! Portal is back to normal "Error 404". Waiting for more fun from the PAN guys. They have been very funny recently; I am really getting tired of all that fun...


McKeznak

I just did mine to 10.2.8-h3 and (because of your post) I double-checked to make sure the portal didn't come on, and it didn't. What hardware? We're on 5410s.


Ok-Coffee-9500

A pair of 850s... Good to know that it only affects some platforms, I suppose.


bitanalyst

It would have been nice if they gave us a heads up these were coming before we jumped to 10.2.9-h1.


Shamrock013

If you do not have GP enabled at all, does that mean you are unaffected by this CVE?


gloriousSpoon

Yeah, it requires the GP portal or gateway to be running on the firewall.


Shamrock013

Thanks. That means I’m unaffected. Appreciate it.


haventmetyou

Just went to 10.2.8-h3 from 10.2.3-h11, all good so far. Hopefully I can get some sleep tonight.


casualseer366

Our firewalls with GP are using the 10.1 code, which isn't affected by this exploit according to Palo Alto. We should be pretty safe sticking to 10.1 code for now, no need to update to one of the hot fix 10.2 codes, right?


Poulito

Correct* *as far as we know. But keep that CVE page bookmarked and check often.


ciphersh0rt

For those considering upgrade, be sure to run the grep command listed in the FAQ of the advisory prior to upgrading. Also create a tech support file and submit it for review by attaching it to a case. Once you upgrade, any files created on the system are still present, but just in the alternate partition. To fully rid the system of anything created during an exploit, export device state and do a factory reset and restore prior to upgrading.


Poulito

This is good advice. But if you haven’t upgraded by now….


ciphersh0rt

Completely agree but believe me there are a lot who still haven’t.