How can I see if my FW has already been exploited by the CVE-2024-3400?


L4 Transporter

Hello team

How can we determine if your device logs match the known indicators of compromise (IoC) for this vulnerability?

I have already fixed the vulnerability and I have the TSF of my device, and I want to see if I have been exploited before applying the WK.

Can anyone help me?

Greetings.

6 REPLIES

L6 Presenter

I have not seen anything yet for IoC in the logs as the exploit package apparently deletes related log entries. If you are syslogging then you may be able to search for something in your external log repository. I suspect there is probably a CLI debug command to show the Python packages loaded, but you would probably have to ask PA support for that. I have been running a script from an external server all weekend, constantly querying and validating the GlobalProtect CSS file, to look for any sign of an installed package.
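One way to run the kind of external check described in the reply above, as an added example that is not the poster's script: fetch a static file from the portal on a schedule and compare it with a fingerprint taken from a known-good state. The URL is a placeholder, and the function names, poll interval and baseline approach are assumptions.

```python
import hashlib
import time
import urllib.request

# Placeholder (assumption): substitute the GlobalProtect CSS URL served by your own portal.
CSS_URL = "https://portal.example.invalid/PLACEHOLDER.css"
POLL_SECONDS = 300  # assumed interval

def fingerprint(body: bytes) -> dict:
    """Record what a known-good copy of the file looks like."""
    return {"sha256": hashlib.sha256(body).hexdigest(), "size": len(body)}

def check(baseline: dict, body: bytes, content_type: str) -> list:
    """Return findings; an empty list means the file still matches the baseline."""
    findings = []
    now = fingerprint(body)
    if now["sha256"] != baseline["sha256"]:
        findings.append("sha256 changed: %s -> %s (size %d -> %d)" % (
            baseline["sha256"][:12], now["sha256"][:12],
            baseline["size"], now["size"]))
    if not content_type.lower().startswith("text/css"):
        findings.append("unexpected Content-Type: %r" % content_type)
    return findings

def fetch(url: str):
    """Fetch the file from outside the firewall, as any unauthenticated client would."""
    with urllib.request.urlopen(url, timeout=10) as resp:
        return resp.read(), resp.headers.get("Content-Type", "")

if __name__ == "__main__":
    # The baseline is only as trustworthy as the moment it was taken, and a
    # software upgrade may legitimately change the file: re-baseline after one.
    body, ctype = fetch(CSS_URL)
    baseline = fingerprint(body)
    while True:
        time.sleep(POLL_SECONDS)
        stamp = time.strftime("%Y-%m-%d %H:%M:%S")
        try:
            body, ctype = fetch(CSS_URL)
        except OSError as exc:  # urllib's URLError is a subclass of OSError
            print(stamp, "fetch failed:", exc)
            continue
        for finding in check(baseline, body, ctype):
            print(stamp, "ALERT", finding)
```

A clean result only says the file has not changed since the baseline; it is not evidence that the device was never exploited.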

L4 Transporter

If you haven't seen it, the command from the CLI that can give indicators is in the advisory here: https://security.paloaltonetworks.com/CVE-2024-3400

From the advisory, though, it states this isn't definitive; it just could indicate a thwarted attempt and not necessarily a breach. We've uploaded tech support logs to Palo and are waiting for their analysis.

L4 Transporter

Also, when you say FIXED, be aware that disabling telemetry is NOT enough now, and Palo's guidance has changed on this as of late yesterday (4/16).

Cyber Elite

Hello All,

Here is the best writeup I have seen so far.

https://www.volexity.com/blog/2024/04/12/zero-day-exploitation-of-unauthenticated-remote-code-execut...

 

Regards,
