Zero Trust Soldier

Cybersecurity is complex. Let's see if we can make it more understandable


CVE-2024-3400 made “harmless”

CVSS 10 is bad for everyone, customers and vendors alike. But like Log4Shell, the Log4j vulnerability that also scored CVSS 10, the new Palo Alto Networks vulnerability becomes far less dangerous if customers do their proactive security job. See advice #3 and #4. Advice #4 is the most important step, because it breaks the attack chain after the initial exploitation. Think Kill Chain.

Updated June 3rd 2024 with */favicon.ico

Updated June 4th 2024 with additional /saml/ URIs

Advice #1. Patch

Here is the Palo Alto Networks advisory explaining what to do, which versions are vulnerable, and which versions include the fix.

Assume compromise: run the verification command given in the advisory on every portal and gateway. If it returns anything suspicious, send the Tech Support File to your Palo Alto Networks support contact for further investigation.
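The advisory's check is a grep of gpsvc.log for the "failed to unmarshal session" message: a GUID-shaped session ID in that message is benign, a path-shaped one indicates an exploitation attempt. The Python below is an added example (not from the post, and not Palo Alto Networks tooling) that does the same triage offline so you can run it over log files pulled out of a Tech Support File. The log lines are constructed for the example, the line format and the GUID-versus-path rule are assumptions taken from the advisory, and the function names are mine.

```python
import re
import sys

# Constructed sample lines shaped like the gpsvc.log entries the advisory tells
# you to grep for. They are NOT output from any real device.
SAMPLE_GPSVC_LOG = """\
2024-04-12 10:01:02 [Info]: failed to unmarshal session(d4b3f2a1-1111-2222-3333-444455556666)
2024-04-12 10:03:17 [Info]: failed to unmarshal session(../../../../tmp/evil)
2024-04-12 10:04:00 [Info]: portal login succeeded
2024-04-12 10:05:41 [Info]: failed to unmarshal session(abc123)
"""

# The message the advisory's grep looks for; the session ID is what sits inside the parentheses.
SESSION_RE = re.compile(r"failed to unmarshal session\((?P<sid>[^)]*)\)")
# A well-formed session ID is GUID-shaped (assumption taken from the advisory's benign example).
GUID_RE = re.compile(
    r"^[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$", re.IGNORECASE
)


def classify_session_id(sid: str) -> str:
    """benign: GUID-shaped; suspicious: path characters (the traversal the advisory describes); review: anything else."""
    if GUID_RE.match(sid):
        return "benign"
    if "/" in sid or "\\" in sid or ".." in sid:
        return "suspicious"
    return "review"


def triage_gpsvc_log(text: str) -> list[tuple[int, str, str]]:
    """Return (line number, verdict, session id) for every unmarshal failure found in the log text."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        m = SESSION_RE.search(line)
        if m:
            sid = m.group("sid")
            findings.append((lineno, classify_session_id(sid), sid))
    return findings


def needs_tsf(findings: list[tuple[int, str, str]]) -> bool:
    """True when at least one session ID looks like exploitation: collect the TSF and open a support case."""
    return any(verdict == "suspicious" for _, verdict, _ in findings)


if __name__ == "__main__":
    # Usage: python gpsvc_triage.py [path/to/gpsvc.log]; without an argument the constructed sample is used.
    if len(sys.argv) > 1:
        with open(sys.argv[1], encoding="utf-8", errors="replace") as fh:
            text = fh.read()
    else:
        text = SAMPLE_GPSVC_LOG
    results = triage_gpsvc_log(text)
    for lineno, verdict, sid in results:
        print(f"line {lineno}: {verdict:10s} session({sid})")
    print("escalate to support:", needs_tsf(results))
```

Anything in the "review" bucket is not GUID-shaped but also not an obvious path; look at it by hand rather than treating it as clean.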

Advice #2. Vulnerability signature protection

Palo Alto Networks has released several Threat Prevention signatures for the abuse described in the advisory above. They arrive through the automatic content updates, but they only take effect if the configuration follows best practice: a Vulnerability Protection profile must be attached to the security rule that allows GlobalProtect, with action reset-server or reset-both for critical severity.

Advice #3. Proactive inbound security

Always whitelist inbound with a Least Privilege policy. This reduces both the attack surface and the risk.

Policy 1

  • Source region
  • Destination IP

App-ID:

  • panos-global-protect
  • ssl
  • web-browsing

Service: service-https (tcp/443 only; application-default would also open tcp/80 for web-browsing)

With a custom URL category matching these URIs (please tell me if any are missing):

*/favicon.ico
*/global-protect/getconfig.esp
*/global-protect/prelogin.esp
*/global-protect/getmsi.esp
*/global-protect/getconfig_csc.esp
*/global-protect/getsoftwarepage.esp
*/global-protect/login.esp
*/global-protect/portal/images/favicon.ico
*/global-protect/portal/css/*.css
*/global-protect/portal/js/*.js
*/global-protect/portal/images/*.png
*/global-protect/portal/images/*.svg
*/global-protect/msi/*.msi
*/ssl-vpn/hipreportcheck.esp
*/ssl-vpn/hipreport.esp
*/ssl-vpn/agentmessage.esp
*/ssl-vpn/login.esp
*/ssl-vpn/prelogin.esp
*/ssl-vpn/getconfig.esp
*/ssl-vpn/logout.esp
*/saml/css/*.css
*/saml/js/*.js
*/saml/images/*.png
*/saml/images/*.svg
*/SAML20/SP/ACS
*/ssl-tunnel-connect.sslvpn

This URL list was last updated April 19th 2024, 09:30 AM CET, and has been installed at several customers for testing. Please tell me if something is missing.

Here is the set command for creating it (gp.customer.com and gw.customer.com are placeholders for your own portal and gateway hostnames):

set profiles custom-url-category "GlobalProtect URLs" list [ gp.customer.com/ gw.customer.com/ */ssl-vpn/hipreportcheck.esp */ssl-vpn/hipreport.esp */ssl-vpn/agentmessage.esp */ssl-vpn/login.esp */ssl-vpn/prelogin.esp */ssl-vpn/getconfig.esp */ssl-vpn/logout.esp */global-protect/getconfig.esp */global-protect/prelogin.esp */global-protect/getmsi.esp */global-protect/getconfig_csc.esp */global-protect/getsoftwarepage.esp */global-protect/login.esp */favicon.ico */global-protect/portal/images/favicon.ico */global-protect/portal/css/*.css */global-protect/portal/js/*.js */global-protect/portal/images/*.png */global-protect/portal/images/*.svg */global-protect/msi/*.msi */ssl-tunnel-connect.sslvpn */SAML20/SP/ACS */saml/js/*.js */saml/css/*.css */saml/images/*.svg */saml/images/*.png ]

set profiles custom-url-category "GlobalProtect URLs" type "URL List"
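A list this long is easy to damage when it is pasted from a web page: typographic quotes replace the straight ones the CLI expects, a `*` gets eaten by formatting so the wildcard ends up glued to a file extension, or an entry loses its leading `*/` and then matches no host at all. The Python below is an added example (not from the post) that lints the entries for exactly those mistakes and then emits the two set commands. The rule that a wildcard must stand alone between the token separators `. / ? & = ; +` is my reading of the PAN-OS URL filtering wildcard guidelines; the function names, `GP_URIS`, and the placeholder hostnames are assumptions for the example.

```python
# Characters that separate tokens in a PAN-OS URL category entry; a wildcard (*)
# must stand alone between separators or entry edges (assumption: my reading of
# the URL filtering wildcard guidelines).
SEPARATORS = set("./?&=;+")
CURLY_QUOTES = "\u201c\u201d\u2018\u2019"

# The GlobalProtect URIs from the list above, as entries for the category.
GP_URIS = [
    "*/favicon.ico",
    "*/global-protect/getconfig.esp",
    "*/global-protect/prelogin.esp",
    "*/global-protect/getmsi.esp",
    "*/global-protect/getconfig_csc.esp",
    "*/global-protect/getsoftwarepage.esp",
    "*/global-protect/login.esp",
    "*/global-protect/portal/images/favicon.ico",
    "*/global-protect/portal/css/*.css",
    "*/global-protect/portal/js/*.js",
    "*/global-protect/portal/images/*.png",
    "*/global-protect/portal/images/*.svg",
    "*/global-protect/msi/*.msi",
    "*/ssl-vpn/hipreportcheck.esp",
    "*/ssl-vpn/hipreport.esp",
    "*/ssl-vpn/agentmessage.esp",
    "*/ssl-vpn/login.esp",
    "*/ssl-vpn/prelogin.esp",
    "*/ssl-vpn/getconfig.esp",
    "*/ssl-vpn/logout.esp",
    "*/saml/css/*.css",
    "*/saml/js/*.js",
    "*/saml/images/*.png",
    "*/saml/images/*.svg",
    "*/SAML20/SP/ACS",
    "*/ssl-tunnel-connect.sslvpn",
]


def lint_entry(entry: str) -> list[str]:
    """Return the problems a copy-pasted entry would cause in a custom URL category (empty list when clean)."""
    problems = []
    if any(ch in CURLY_QUOTES for ch in entry):
        problems.append("typographic quote character; use straight quotes")
    if any(ch.isspace() for ch in entry):
        problems.append("whitespace inside entry")
    for i, ch in enumerate(entry):
        if ch != "*":
            continue
        before = entry[i - 1] if i > 0 else None
        after = entry[i + 1] if i + 1 < len(entry) else None
        if (before is not None and before not in SEPARATORS) or (after is not None and after not in SEPARATORS):
            problems.append("wildcard glued to other characters; it must be a whole token")
            break
    if entry.startswith("/"):
        problems.append("path entry without a host; prefix it with */ like the other entries")
    return problems


def lint_entries(entries: list[str]) -> dict[str, list[str]]:
    """Map every bad entry to its problems; an empty dict means the list is clean."""
    return {e: lint_entry(e) for e in entries if lint_entry(e)}


def build_category_commands(name: str, hosts: list[str], uris: list[str]) -> list[str]:
    """Lint every entry, drop duplicates, and emit the two 'set profiles custom-url-category' commands."""
    bad = lint_entries(hosts + uris)
    if bad:
        raise ValueError("bad entries: " + "; ".join(f"{e}: {', '.join(p)}" for e, p in bad.items()))
    entries: list[str] = []
    for e in hosts + uris:
        if e not in entries:
            entries.append(e)
    return [
        f'set profiles custom-url-category "{name}" list [ {" ".join(entries)} ]',
        f'set profiles custom-url-category "{name}" type "URL List"',
    ]


if __name__ == "__main__":
    # gp.customer.com / gw.customer.com are placeholders for your own portal and gateway hostnames.
    for cmd in build_category_commands("GlobalProtect URLs", ["gp.customer.com/", "gw.customer.com/"], GP_URIS):
        print(cmd)
```

Run it after every change to the list and paste only its output into the CLI; a broken entry stops the script instead of silently producing a category that never matches.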

set rulebase security rules "GlobalProtect with URLs" source [ DK NO SE ]
set rulebase security rules "GlobalProtect with URLs" destination IP_or_FQDN_of_GP_Services
set rulebase security rules "GlobalProtect with URLs" from Internet
set rulebase security rules "GlobalProtect with URLs" to Internet
set rulebase security rules "GlobalProtect with URLs" source-user any
set rulebase security rules "GlobalProtect with URLs" category "GlobalProtect URLs"
set rulebase security rules "GlobalProtect with URLs" application [ panos-global-protect ssl web-browsing ]
set rulebase security rules "GlobalProtect with URLs" service service-https
set rulebase security rules "GlobalProtect with URLs" action allow
set rulebase security rules "GlobalProtect with URLs" tag [ GlobalProtect "Policy OK" ]
set rulebase security rules "GlobalProtect with URLs" rule-type intrazone
set rulebase security rules "GlobalProtect with URLs" profile-setting group Inbound
set rulebase security rules "GlobalProtect with URLs" group-tag "Internet to Internet"
set rulebase security rules "GlobalProtect with URLs" source-hip any
set rulebase security rules "GlobalProtect with URLs" destination-hip any
set rulebase security rules "GlobalProtect with URLs" log-setting default

Policy 2

  • Source region
  • Destination IP

App-ID:

  • ipsec-esp
  • ipsec-esp-udp

set rulebase security rules "GlobalProtect ipsec" source [ DK NO SE ]
set rulebase security rules "GlobalProtect ipsec" destination IP_or_FQDN_of_GP_Services
set rulebase security rules "GlobalProtect ipsec" from Internet
set rulebase security rules "GlobalProtect ipsec" to Internet
set rulebase security rules "GlobalProtect ipsec" source-user any
set rulebase security rules "GlobalProtect ipsec" category any
set rulebase security rules "GlobalProtect ipsec" application [ ipsec-esp ipsec-esp-udp ]
set rulebase security rules "GlobalProtect ipsec" service application-default
set rulebase security rules "GlobalProtect ipsec" action allow
set rulebase security rules "GlobalProtect ipsec" tag [ GlobalProtect "Policy OK" ]
set rulebase security rules "GlobalProtect ipsec" rule-type intrazone
set rulebase security rules "GlobalProtect ipsec" profile-setting group Inbound
set rulebase security rules "GlobalProtect ipsec" group-tag "Internet to Internet"
set rulebase security rules "GlobalProtect ipsec" source-hip any
set rulebase security rules "GlobalProtect ipsec" destination-hip any
set rulebase security rules "GlobalProtect ipsec" log-setting default

Advice #4, Proactive outbound security

The Unit 42 article shows what outbound traffic was observed from exploited devices, and therefore why outbound whitelisting matters.

Always whitelist outbound traffic from the firewall itself with a Least Privilege policy. The firewall only needs a limited set of communication, and this setup reduces the chance that the criminals can download their scripts and code onto it.

Add an outbound policy for the firewall based on an Application Filter that selects every App-ID tagged Palo Alto Networks:

set application-filter "Palo_Alto_Networks_App-ID_Filter" tagging tag "[Palo Alto Networks]"

Create a rule for allowing communication with Palo Alto Networks services:

set rulebase security rules "Allow-Palo Alto Networks Services" to Internet
set rulebase security rules "Allow-Palo Alto Networks Services" from Management
set rulebase security rules "Allow-Palo Alto Networks Services" source Firewall_Management_IPs_or_FQDNs
set rulebase security rules "Allow-Palo Alto Networks Services" destination any
set rulebase security rules "Allow-Palo Alto Networks Services" source-user any
set rulebase security rules "Allow-Palo Alto Networks Services" category any
set rulebase security rules "Allow-Palo Alto Networks Services" application Palo_Alto_Networks_App-ID_Filter
set rulebase security rules "Allow-Palo Alto Networks Services" service application-default
set rulebase security rules "Allow-Palo Alto Networks Services" tag [ "Policy OK" ]
set rulebase security rules "Allow-Palo Alto Networks Services" action allow
set rulebase security rules "Allow-Palo Alto Networks Services" group-tag "Management to Internet"
set rulebase security rules "Allow-Palo Alto Networks Services" disabled no
set rulebase security rules "Allow-Palo Alto Networks Services" source-hip any
set rulebase security rules "Allow-Palo Alto Networks Services" profile-setting group Outbound
set rulebase security rules "Allow-Palo Alto Networks Services" destination-hip any
set rulebase security rules "Allow-Palo Alto Networks Services" log-setting default
set rulebase security rules "Allow-Palo Alto Networks Services" rule-type interzone

Add a second outbound policy for the firewall based on an Application Filter for the software-update subcategory:

set application-filter "Software_Update_App-ID_Filter" subcategory software-update

Create a rule allowing software updates:

set rulebase security rules "Allow-Software Updates" to Internet
set rulebase security rules "Allow-Software Updates" from Management
set rulebase security rules "Allow-Software Updates" source any
set rulebase security rules "Allow-Software Updates" destination any
set rulebase security rules "Allow-Software Updates" source-user any
set rulebase security rules "Allow-Software Updates" category any
set rulebase security rules "Allow-Software Updates" application Software_Update_App-ID_Filter
set rulebase security rules "Allow-Software Updates" service application-default
set rulebase security rules "Allow-Software Updates" tag [ "Policy OK" ]
set rulebase security rules "Allow-Software Updates" action allow
set rulebase security rules "Allow-Software Updates" group-tag "Management to Internet"
set rulebase security rules "Allow-Software Updates" disabled no
set rulebase security rules "Allow-Software Updates" source-hip any
set rulebase security rules "Allow-Software Updates" profile-setting group Outbound
set rulebase security rules "Allow-Software Updates" destination-hip any
set rulebase security rules "Allow-Software Updates" log-setting default
set rulebase security rules "Allow-Software Updates" rule-type interzone

Add an outbound policy for the firewall with App-ID ssl and a custom URL category for *.paloaltonetworks.com (for undecrypted TLS the category is matched on the server name, which is exactly what we want here):

set profiles custom-url-category paloaltonetworks.com list *.paloaltonetworks.com
set profiles custom-url-category paloaltonetworks.com type "URL List"

set rulebase security rules "Allow-Palo Alto Networks ssl URL" to Internet
set rulebase security rules "Allow-Palo Alto Networks ssl URL" from Management
set rulebase security rules "Allow-Palo Alto Networks ssl URL" source Firewall_Management_IPs_or_FQDNs
set rulebase security rules "Allow-Palo Alto Networks ssl URL" destination any
set rulebase security rules "Allow-Palo Alto Networks ssl URL" source-user any
set rulebase security rules "Allow-Palo Alto Networks ssl URL" category paloaltonetworks.com
set rulebase security rules "Allow-Palo Alto Networks ssl URL" application ssl
set rulebase security rules "Allow-Palo Alto Networks ssl URL" service application-default
set rulebase security rules "Allow-Palo Alto Networks ssl URL" tag [ "Policy OK" ]
set rulebase security rules "Allow-Palo Alto Networks ssl URL" action allow
set rulebase security rules "Allow-Palo Alto Networks ssl URL" group-tag "Management to Internet"
set rulebase security rules "Allow-Palo Alto Networks ssl URL" disabled no
set rulebase security rules "Allow-Palo Alto Networks ssl URL" source-hip any
set rulebase security rules "Allow-Palo Alto Networks ssl URL" profile-setting group Outbound
set rulebase security rules "Allow-Palo Alto Networks ssl URL" destination-hip any
set rulebase security rules "Allow-Palo Alto Networks ssl URL" log-setting default
set rulebase security rules "Allow-Palo Alto Networks ssl URL" rule-type interzone

Add an outbound policy for the firewall with App-ID google-base and a custom URL category for storage.googleapis.com:

set profiles custom-url-category storage.googleapis.com list storage.googleapis.com/
set profiles custom-url-category storage.googleapis.com type "URL List"

set rulebase security rules "Allow-Palo Alto Networks google-base" to Internet
set rulebase security rules "Allow-Palo Alto Networks google-base" from Management
set rulebase security rules "Allow-Palo Alto Networks google-base" source Firewall_Management_IPs_or_FQDNs
set rulebase security rules "Allow-Palo Alto Networks google-base" destination any
set rulebase security rules "Allow-Palo Alto Networks google-base" source-user any
set rulebase security rules "Allow-Palo Alto Networks google-base" category storage.googleapis.com
set rulebase security rules "Allow-Palo Alto Networks google-base" application google-base
set rulebase security rules "Allow-Palo Alto Networks google-base" service application-default
set rulebase security rules "Allow-Palo Alto Networks google-base" tag [ "Policy OK" ]
set rulebase security rules "Allow-Palo Alto Networks google-base" action allow
set rulebase security rules "Allow-Palo Alto Networks google-base" group-tag "Management to Internet"
set rulebase security rules "Allow-Palo Alto Networks google-base" disabled no
set rulebase security rules "Allow-Palo Alto Networks google-base" source-hip any
set rulebase security rules "Allow-Palo Alto Networks google-base" profile-setting group Outbound
set rulebase security rules "Allow-Palo Alto Networks google-base" destination-hip any
set rulebase security rules "Allow-Palo Alto Networks google-base" log-setting default
set rulebase security rules "Allow-Palo Alto Networks google-base" rule-type interzone

Add outbound policies for the firewall with App-ID ocsp, dns-base, ntp-base, smtp, and whatever else your configuration needs.

Depending on the setup you might also need ldap towards services like JumpCloud, if that is used, and web-browsing/ssl towards the sources of your External Dynamic Lists (EDLs).

With this in place you should be done, and the default interzone deny at the bottom should stop everything else. In most rulebases, though, there is still some broader allow rule that the firewall's own traffic can fall into, so create an explicit deny rule for everything else from the firewall and place it right below the allow rules above (and above any such leftover allow rule), so that the whitelist actually has effect:

set rulebase security rules "Deny-Palo Alto Networks Outbound" to Internet
set rulebase security rules "Deny-Palo Alto Networks Outbound" from Management
set rulebase security rules "Deny-Palo Alto Networks Outbound" source Firewall_Management_IPs_or_FQDNs
set rulebase security rules "Deny-Palo Alto Networks Outbound" destination any
set rulebase security rules "Deny-Palo Alto Networks Outbound" source-user any
set rulebase security rules "Deny-Palo Alto Networks Outbound" category any
set rulebase security rules "Deny-Palo Alto Networks Outbound" application any
set rulebase security rules "Deny-Palo Alto Networks Outbound" service any
set rulebase security rules "Deny-Palo Alto Networks Outbound" tag [ "Policy OK" Deny ]
set rulebase security rules "Deny-Palo Alto Networks Outbound" action deny
set rulebase security rules "Deny-Palo Alto Networks Outbound" group-tag "Management to Internet"
set rulebase security rules "Deny-Palo Alto Networks Outbound" disabled no
set rulebase security rules "Deny-Palo Alto Networks Outbound" source-hip any
set rulebase security rules "Deny-Palo Alto Networks Outbound" profile-setting group Outbound
set rulebase security rules "Deny-Palo Alto Networks Outbound" destination-hip any
set rulebase security rules "Deny-Palo Alto Networks Outbound" log-setting default
set rulebase security rules "Deny-Palo Alto Networks Outbound" rule-type interzone

And that's it. With this setup the firewall can do its job and fetch its updates, while the criminals can't download their content onto it.
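Whether the deny rule above has any effect depends entirely on where it sits: a leftover "allow anything from Management" rule above it wins, and a specific allow rule below it is dead. The Python below is an added example (not from the post, and not a Palo Alto Networks tool) that parses a set-format rulebase, such as the output of `show config running` in set format, flags exactly those two ordering problems for the firewall's own Management-to-Internet traffic, and prints the CLI move that fixes it. The rulebase text is constructed for the example, the `move rulebase security rules ... before ...` command syntax is an assumption from my memory of the PAN-OS CLI, and the function names are mine.

```python
import shlex

# Constructed rulebase in PAN-OS set format: two of the rules from this post plus
# the kind of leftover broad allow rule the text warns about. Not a real export.
SAMPLE_RULEBASE = """\
set rulebase security rules "Allow-Palo Alto Networks Services" from Management
set rulebase security rules "Allow-Palo Alto Networks Services" to Internet
set rulebase security rules "Allow-Palo Alto Networks Services" source Firewall_Management_IPs_or_FQDNs
set rulebase security rules "Allow-Palo Alto Networks Services" destination any
set rulebase security rules "Allow-Palo Alto Networks Services" application Palo_Alto_Networks_App-ID_Filter
set rulebase security rules "Allow-Palo Alto Networks Services" service application-default
set rulebase security rules "Allow-Palo Alto Networks Services" action allow
set rulebase security rules "Allow-Palo Alto Networks Services" tag [ "Policy OK" ]
set rulebase security rules "Allow-Management-Any-Out" from Management
set rulebase security rules "Allow-Management-Any-Out" to Internet
set rulebase security rules "Allow-Management-Any-Out" source any
set rulebase security rules "Allow-Management-Any-Out" destination any
set rulebase security rules "Allow-Management-Any-Out" application any
set rulebase security rules "Allow-Management-Any-Out" service any
set rulebase security rules "Allow-Management-Any-Out" action allow
set rulebase security rules "Deny-Palo Alto Networks Outbound" from Management
set rulebase security rules "Deny-Palo Alto Networks Outbound" to Internet
set rulebase security rules "Deny-Palo Alto Networks Outbound" source Firewall_Management_IPs_or_FQDNs
set rulebase security rules "Deny-Palo Alto Networks Outbound" destination any
set rulebase security rules "Deny-Palo Alto Networks Outbound" application any
set rulebase security rules "Deny-Palo Alto Networks Outbound" service any
set rulebase security rules "Deny-Palo Alto Networks Outbound" action deny
"""

PREFIX = "set rulebase security rules "


def parse_set_rules(text: str) -> list[dict]:
    """Parse set-format security rules into dicts, in rulebase order (first mention of a name = its position)."""
    rules: dict[str, dict] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line.startswith(PREFIX):
            continue
        toks = shlex.split(line)  # honours the double quotes around names and tags
        if len(toks) < 7:
            continue
        name, attr, values = toks[4], toks[5], toks[6:]
        if values[0] == "[" and values[-1] == "]":  # list value: [ a b c ]
            values = values[1:-1]
        rules.setdefault(name, {"name": name})[attr] = values
    return list(rules.values())


def is_catch_all_deny(rule: dict) -> bool:
    return rule.get("action") == ["deny"] and rule.get("application") == ["any"] and rule.get("service") == ["any"]


def audit_outbound(rules: list[dict], from_zone: str = "Management", to_zone: str = "Internet") -> list[str]:
    """Report broad allows above the catch-all deny, allows below it, and a missing deny for the zone pair."""
    issues, deny_seen = [], False
    for r in rules:
        if from_zone not in r.get("from", []) or to_zone not in r.get("to", []):
            continue
        if is_catch_all_deny(r):
            deny_seen = True
            continue
        if r.get("action") != ["allow"]:
            continue
        if deny_seen:
            issues.append(f"{r['name']}: sits below the catch-all deny, so it is unreachable for the deny's sources")
        elif r.get("application") == ["any"]:
            issues.append(f"{r['name']}: allows application any before the catch-all deny; move the deny above it")
    if not deny_seen:
        issues.append(f"no catch-all deny rule from {from_zone} to {to_zone}")
    return issues


def move_rule_before(rules: list[dict], name: str, target: str) -> str:
    """Reorder the parsed list in place and return the CLI that does the same on the firewall (assumed syntax)."""
    moving = next(r for r in rules if r["name"] == name)
    rules.remove(moving)
    rules.insert(next(i for i, r in enumerate(rules) if r["name"] == target), moving)
    return f'move rulebase security rules "{name}" before "{target}"'


if __name__ == "__main__":
    rulebase = parse_set_rules(SAMPLE_RULEBASE)
    for issue in audit_outbound(rulebase):
        print("before:", issue)
    print(move_rule_before(rulebase, "Deny-Palo Alto Networks Outbound", "Allow-Management-Any-Out"))
    for issue in audit_outbound(rulebase):
        print("after: ", issue)
```

After the move the leftover allow rule is still reported, now as unreachable for the firewall's own addresses; that is the intended result, and the report is your cue to either delete it or narrow it to the hosts that really need it.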



5 responses to “CVE-2024-3400 made “harmless””

  1. Hi Gøran,
    You are missing the following critical URL:
    /global-protect/getconfig_csc.esp

    1. Thanks, Kim. I'll add it. I looked through the logs of various customers and didn't find it there.

  2. Camilo Castaño

    Hi Goran, why the outbound policy for google services ?

    1. Hi. You have to ask Palo Alto Networks 😀 It communicates with storage.googleapis.com. Palo Alto Networks and Google are “friends”, and do several things together. I’m not sure what’s sent there. Not sure if it has anything to do with telemetry.

  3. […] Unfortunately, vulnerabilities keep appearing in the firewall software, several of them in the GlobalProtect module. Introducing good Least Privilege rules as shown here is smart, important and very effective: CVE-2024-3400 made “harmless” […]
