Potential CVE-2024-3400 Exploitation - Palo Alto GlobalProtect OS Command Injection - File Creation

    Date: 08/06/2024

    Severity: Medium

    Summary

    Identifies suspicious file creations in the parent telemetry folder of Palo Alto Networks PAN-OS, which the vulnerable 'dt_curl' script processes when device telemetry is enabled. Because this script bypasses shell-subprocess restrictions, a meticulously crafted and escaped file name passed through this function could lead to arbitrary command execution.

    Indicators of Compromise (IOC) List

    TargetFilename

    {IFS}

    base64

    bash

    curl

    http

    /opt/panlogs/tmp/device_telemetry/

    Gurucul Threat Detection and Incident Response (TDIR) Queries for Detection

    Detection Query 1

    resourceName = "paloalto" AND rawmessages In ("{IFS}" , "base64" , "bash" , "curl" , "http" , "/opt/panlogs/tmp/device_telemetry/")

    Detection Query 2

    technologygroup = "EDR"  AND rawmessages In ("{IFS}" , "base64" , "bash" , "curl" , "http" , "/opt/panlogs/tmp/device_telemetry/")

    Category: Sigma

    Reference:

    https://github.com/SigmaHQ/sigma/blob/master/rules-emerging-threats/2024/Exploits/CVE-2024-3400/file_event_paloalto_globalprotect_exploit_cve_2024_3400_command_inject_file_creation.yml
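    The file-creation logic behind the two queries above, re-implemented in Python as an added example (not Gurucul's or SigmaHQ's code) and run over constructed file-event records; the event dictionary shape and the 'EventType' field are assumptions, and matching is a plain substring test over TargetFilename, as the Sigma 'contains' modifier does.

```python
"""Added example: CVE-2024-3400 file-creation detection over constructed events."""

# Parent telemetry folder from the page's IOC list.
TELEMETRY_DIR = "/opt/panlogs/tmp/device_telemetry/"

# Suspicious substrings from the page's IOC list, matched against TargetFilename.
SUSPICIOUS_TOKENS = ("{IFS}", "base64", "bash", "curl", "http")


def is_suspicious_telemetry_file(target_filename: str) -> bool:
    """True when the path lies under the telemetry folder AND contains any token.

    Both checks are case-sensitive substring tests (assumption: the Sigma rule's
    'contains' modifier without a case-insensitive flag).
    """
    if TELEMETRY_DIR not in target_filename:
        return False
    return any(tok in target_filename for tok in SUSPICIOUS_TOKENS)


def scan_events(events):
    """Return the TargetFilename of every file-creation event that matches.

    Only creations count: a later delete of a matching name is not the signal
    this rule describes (EventType values are an assumption).
    """
    hits = []
    for ev in events:
        if ev.get("EventType") != "file_create":
            continue
        name = ev.get("TargetFilename", "")
        if is_suspicious_telemetry_file(name):
            hits.append(name)
    return hits


# Constructed sample events (not real PAN-OS or EDR telemetry).
SAMPLE_EVENTS = [
    {"EventType": "file_create", "TargetFilename": TELEMETRY_DIR + "minute/report.tgz"},
    {"EventType": "file_create", "TargetFilename": TELEMETRY_DIR + "minute/x{IFS}y"},
    {"EventType": "file_create", "TargetFilename": TELEMETRY_DIR + "hour/base64.dat"},
    {"EventType": "file_create", "TargetFilename": "/var/log/pan/curl.log"},
    {"EventType": "file_delete", "TargetFilename": TELEMETRY_DIR + "minute/bash.txt"},
]

if __name__ == "__main__":
    for hit in scan_events(SAMPLE_EVENTS):
        print("ALERT potential CVE-2024-3400 exploitation - file creation:", hit)
```

    Note that the folder check is what keeps the keyword list from firing on ordinary file names elsewhere on the appliance (the '/var/log/pan/curl.log' sample above is deliberately not a hit).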

