
CVE-2024-3400: What You Need to Know About the Critical PAN-OS Zero-Day

12 April 2024 at 22:29

UPDATE: It has been confirmed that disabling telemetry will not block this exploit. Applying a patch as soon as possible is the most effective remediation for this vulnerability. Patches for 8 of the 18 vulnerable versions have been released; patches for the remaining vulnerable versions are expected by April 19th.

CrowdStrike is constantly working to protect our customers from the newest and most advanced cybersecurity threats. We are actively monitoring activity related to CVE-2024-3400, a critical command injection vulnerability in the GlobalProtect feature of Palo Alto Networks’ PAN-OS software affecting “specific PAN-OS versions and distinct feature configurations,” the vendor says.

This vulnerability, which has been given a CVSSv4.0 score of 10 by the vendor, has been observed being exploited in the wild. If exploited, CVE-2024-3400 could allow an unauthenticated attacker to execute arbitrary code with root privileges on the firewall. At the time of writing, there is no patch available. Palo Alto Networks says a patch will be ready by April 14, 2024. 

Here, we explain how customers of the CrowdStrike Falcon® platform can assess their risk exposure to this vulnerability. Customers should also monitor the vendor’s website for up-to-date information on vulnerable product versions, mitigations and available patches.

Assessing Risk Exposure to CVE-2024-3400

When a new and actively exploited vulnerability is reported, one of the first actions security teams must take is determining their exposure to the issue. Understanding which of their internet-exposed assets could potentially be affected by the vulnerability is the first step to understanding exposure — and clear visibility into internet-facing devices is essential.

After identifying potentially vulnerable assets, the next step is to understand if the exposed assets have the required conditions for the vulnerability to be present. 

According to the vendor information, some of the most recent PAN-OS versions (listed below) are affected. An asset will be affected if a GlobalProtect gateway is configured; the vendor originally also listed device telemetry as a required condition, but, as the update at the top of this post notes, it has since been confirmed that disabling telemetry does not block this exploit. If GlobalProtect is not enabled on the asset, this vulnerability cannot be exploited.

| Version | Vulnerable Version | Fixed Version | Estimated Patch Release Date |
| --- | --- | --- | --- |
| PAN-OS 11.1.2 | Less than 11.1.2-h3 | 11.1.2-h3 | 04/14/2024 |
| PAN-OS 11.1.1 | Less than 11.1.1-h1 | 11.1.1-h1 | 04/16/2024 |
| PAN-OS 11.1.0 | Less than 11.1.0-h3 | 11.1.0-h3 | 04/16/2024 |
| PAN-OS 11.0.4 | Less than 11.0.04-h1 | 11.0.04-h1 | 04/14/2024 |
| PAN-OS 11.0.3 | Less than 11.0.03-h10 | 11.0.03-h10 | 04/16/2024 |
| PAN-OS 11.0.2 | Less than 11.0.02-h4 | 11.0.02-h4 | 04/16/2024 |
| PAN-OS 11.0.1 | Less than 11.0.01-h4 | 11.0.01-h4 | 04/17/2024 |
| PAN-OS 11.0.0 | Less than 11.0.00-h3 | 11.0.00-h3 | 04/18/2024 |
| PAN-OS 10.2.9 | Less than 10.2.9-h1 | 10.2.9-h1 | 04/14/2024 |
| PAN-OS 10.2.8 | Less than 10.2.8-h3 | 10.2.8-h3 | 04/15/2024 |
| PAN-OS 10.2.7 | Less than 10.2.7-h8 | 10.2.7-h8 | 04/15/2024 |
| PAN-OS 10.2.6 | Less than 10.2.6-h3 | 10.2.6-h3 | 04/16/2024 |
| PAN-OS 10.2.5 | Less than 10.2.5-h6 | 10.2.5-h6 | 04/16/2024 |
| PAN-OS 10.2.4 | Less than 10.2.4-h16 | 10.2.4-h16 | 04/19/2024 |
| PAN-OS 10.2.3 | Less than 10.2.3-h13 | 10.2.3-h13 | 04/17/2024 |
| PAN-OS 10.2.2 | Less than 10.2.2-h5 | 10.2.2-h5 | 04/18/2024 |
| PAN-OS 10.2.1 | Less than 10.2.1-h2 | 10.2.1-h2 | 04/17/2024 |
| PAN-OS 10.2.0 | Less than 10.2.0-h3 | 10.2.0-h3 | 04/18/2024 |

Table 1. PAN-OS versions vulnerable to CVE-2024-3400
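Turning Table 1 into an inventory check is mostly a matter of parsing PAN-OS version strings correctly, including the "-hN" hotfix suffix and the zero-padded notation the table uses for the 11.0.x rows. The following Python is an added example, not CrowdStrike's or Palo Alto Networks' code: it classifies a version against the table and combines that with the GlobalProtect precondition described above. The inventory records at the bottom are constructed sample data.

```python
import re

# First fixed hotfix for each affected PAN-OS release, transcribed from Table 1.
# Keys are the normalised base release (major, minor, patch); a host is vulnerable
# when its hotfix number is lower than the value stored here.
FIXED_HOTFIX = {
    (11, 1, 2): 3, (11, 1, 1): 1, (11, 1, 0): 3,
    (11, 0, 4): 1, (11, 0, 3): 10, (11, 0, 2): 4, (11, 0, 1): 4, (11, 0, 0): 3,
    (10, 2, 9): 1, (10, 2, 8): 3, (10, 2, 7): 8, (10, 2, 6): 3, (10, 2, 5): 6,
    (10, 2, 4): 16, (10, 2, 3): 13, (10, 2, 2): 5, (10, 2, 1): 2, (10, 2, 0): 3,
}

_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:-h(\d+))?$")


def parse_panos_version(text):
    """Parse 'major.minor.patch[-hN]' into ((major, minor, patch), hotfix).

    A release with no hotfix suffix is hotfix 0, so '10.2.4' sorts below
    '10.2.4-h16'. Zero-padded forms such as '11.0.04-h1' normalise to 11.0.4-h1.
    """
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised PAN-OS version string: {text!r}")
    major, minor, patch, hotfix = m.groups()
    return (int(major), int(minor), int(patch)), int(hotfix or 0)


def is_vulnerable_version(text):
    """True when the version is below the fixed hotfix for its release in Table 1.

    Releases that do not appear in the table are reported as not affected; keep
    the table in sync with the vendor advisory, since it is the only source here.
    """
    base, hotfix = parse_panos_version(text)
    fixed = FIXED_HOTFIX.get(base)
    if fixed is None:
        return False
    return hotfix < fixed


def assess_asset(version, globalprotect_enabled):
    """Combine the version check with the configuration precondition from the
    advisory: only firewalls with GlobalProtect enabled are exploitable."""
    if not is_vulnerable_version(version):
        return "not affected"
    if not globalprotect_enabled:
        return "vulnerable version, GlobalProtect disabled"
    return "exposed"


def triage_inventory(inventory):
    """Return the hostnames whose firewall is both on a vulnerable version and
    has GlobalProtect enabled, i.e. the ones to patch first."""
    return [h for h, v, gp in inventory if assess_asset(v, gp) == "exposed"]


if __name__ == "__main__":
    # Constructed sample inventory: (hostname, PAN-OS version, GlobalProtect enabled).
    sample = [
        ("fw-edge-01", "11.0.03-h9", True),
        ("fw-edge-02", "11.0.3-h10", True),
        ("fw-lab-01", "10.2.4", False),
        ("fw-dc-01", "10.1.9", True),
    ]
    for host, ver, gp in sample:
        print(f"{host:<12} {ver:<12} {assess_asset(ver, gp)}")
```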

CrowdStrike Falcon Exposure Management customers can quickly identify exposed PAN-OS assets in their environments by filtering directly from the external attack surface management capability. This will help customers quickly identify all of the potential exposures, thereby proactively reducing the impact of a potential exploitation.

| Filter | Value | Expected Result |
| --- | --- | --- |
| Banner | GlobalProtect | All devices that return a GlobalProtect banner |
| Platform | PAN-OS | All devices that are on a PAN-OS platform |

Table 2. Falcon Exposure Management query filters to detect CVE-2024-3400

NOTE: The two filters listed above should be used independently as using them in tandem will likely net 0 results.

As pictured below, Falcon Exposure Management customers can broaden their search for all Palo Alto Networks devices by selecting the platform “PAN-OS,” enabling them to locate firewalls running the vulnerable version of GlobalProtect.

How Many Assets Could Be Affected?

Customers of CrowdStrike Falcon® Counter Adversary Operations who would like to identify the total number of potentially vulnerable internet-exposed assets can navigate to “External attack surface explore” located in the “External monitoring” section of the Counter Adversary Operations menu. There, they can use some of the following filters to view other PAN-OS assets visible on the broader internet:

| Query | Expected Result |
| --- | --- |
| attributes_raw contains (Phrase) ‘Palo Alto Networks PA-200 series’ or banners_raw contains (Phrase) ‘GlobalProtect Portal’ | Returns any device whose attributes contain the phrase “Palo Alto Networks PA-200 series” or whose HTML banner contains the phrase “GlobalProtect Portal” |
| platform.name contains (Phrase) ‘Pan-os’ | Returns any device with “PAN-OS” in its platform name |
| ‘cpe:/a:paloaltonetworks:pan-os’ | Returns any device that is noted as having PAN-OS installed |

Table 3. Queries for detecting possible vulnerable assets in “External attack surface explore,” an external monitoring feature in Counter Adversary Operations

Figure 3. Example response from “External attack surface explore”

Conclusion and Recommendations

Critical vulnerabilities, especially those actively exploited, pose a high risk to organizations. In order to mitigate the risk of exploitation, those affected by CVE-2024-3400 are advised to update vulnerable appliances with the vendor-supplied patch. Patches for 8 of the 18 vulnerable versions have been released, and patches for the remaining vulnerable versions are expected by April 19th. In addition, it is advised to increase monitoring of vulnerable appliances as well as non-vulnerable assets potentially accessible by the appliance.

Our product and internal security teams continue to actively monitor this dynamic and ongoing situation. CrowdStrike will continue to take additional steps, including mitigation and patching. As new information becomes available, we will publish updates as necessary. In tandem, we continue to develop and release new behavioral logic for the Falcon platform to detect and prevent malicious behavior related to CVE-2024-3400. 


April 2024 Patch Tuesday: Three Critical RCE Vulnerabilities in Microsoft Defender for IoT

Microsoft has released security updates for 150 vulnerabilities in its April 2024 Patch Tuesday rollout, a much larger amount than in recent months. There are three Critical remote code execution vulnerabilities (CVE-2024-21322, CVE-2024-21323 and CVE-2024-29053), all of which are related to Microsoft Defender for IoT, Microsoft’s security platform for IoT devices. 

April 2024 Risk Analysis

This month’s leading risk type is remote code execution (RCE), accounting for 44%, followed by elevation of privilege (21%) and security feature bypass (19%).

Figure 1. Breakdown of April 2024 Patch Tuesday attack types


Windows products received the most patches this month with 91, followed by Extended Security Update (ESU) with 62 and SQL Server with 38. This represents a consistent uptick in vulnerabilities identified in Extended Support products. In order to ensure the security of endpoints, upgrade to a supported version or purchase Extended Support from the vendor.

Figure 2. Breakdown of product families affected by April 2024 Patch Tuesday

Critical Remote Code Execution Vulnerabilities Affect Microsoft Defender for IoT  

CVE-2024-21323 is a Critical RCE vulnerability affecting Microsoft Defender for IoT and has a CVSS score of 8.8. Successful exploitation of this vulnerability would allow an attacker to send malicious update files to the Defender for IoT sensor, allowing the attacker to overwrite any file on the managed asset. This vulnerability requires the attacker to be authenticated into the IoT sensor with just enough permissions to begin the update process. Any IoT device with the Defender sensor deployed should be updated as soon as possible.

CVE-2024-29053 is another Critical RCE vulnerability that affects the Microsoft Defender for IoT platform and has a CVSS score of 8.8. Successful exploitation of this vulnerability could allow an unauthenticated attacker to upload malicious files to sensitive locations on the server appliance. Leveraging this vulnerability, the attacker could overwrite any files, including sensitive ones, thereby disrupting normal operation or inhibiting visibility into the IoT network.

CVE-2024-21322 is yet another Critical RCE vulnerability affecting Microsoft Defender for IoT and has a CVSS score of 7.2. Successful exploitation of this vulnerability would allow the attacker to send arbitrary commands to the managed device, possibly impeding normal functioning of the Defender for IoT monitoring software. This vulnerability requires the attacker to be an administrator of the management console of Defender for IoT on the web. Regular audits and validation of such accounts should be performed to limit risk. 

| Severity | CVSS Score | CVE | Description |
| --- | --- | --- | --- |
| Critical | 8.8 | CVE-2024-21323 | Microsoft Defender for IoT Remote Code Execution Vulnerability |
| Critical | 8.8 | CVE-2024-29053 | Microsoft Defender for IoT Remote Code Execution Vulnerability |
| Critical | 7.2 | CVE-2024-21322 | Microsoft Defender for IoT Remote Code Execution Vulnerability |

Table 1. Critical vulnerabilities in Microsoft Defender for IoT

Not All Relevant Vulnerabilities Have Patches: Consider Mitigation Strategies

As we have learned with other notable vulnerabilities, such as Log4j, not every highly exploitable vulnerability can be easily patched. As is the case for the ProxyNotShell vulnerabilities, it’s critically important to develop a response plan for how to defend your environments when no patching protocol exists. 

Regular review of your patching strategy should still be a part of your program, but you should also look more holistically at your organization’s methods for cybersecurity to improve your overall security posture. 

The CrowdStrike Falcon® platform regularly collects and analyzes trillions of endpoint events every day from millions of sensors deployed across 176 countries. Watch this demo to see the Falcon platform in action.

Learn More

Learn more about how CrowdStrike Falcon® Exposure Management can help you quickly and easily discover and prioritize vulnerabilities and other types of exposures here.

About CVSS Scores

The Common Vulnerability Scoring System (CVSS) is a free and open industry standard that CrowdStrike and many other cybersecurity organizations use to assess and communicate software vulnerabilities’ severity and characteristics. The CVSS Base Score ranges from 0.0 to 10.0, and the National Vulnerability Database (NVD) adds a severity rating for CVSS scores. Learn more about vulnerability scoring in this article.


March 2024 Patch Tuesday: Two Critical Bugs Among 60 Vulnerabilities Patched

12 March 2024 at 22:56

Microsoft has released security updates for 60 vulnerabilities in its March 2024 Patch Tuesday rollout. There are two Critical vulnerabilities patched (CVE-2024-21407 and CVE-2024-21408), both of which affect the Hyper-V hypervisor.

March 2024 Risk Analysis

This month’s leading risk type is elevation of privilege (40%) followed by remote code execution (30%) and a tie between denial of service (10%) and information disclosure (10%).

Figure 1. Breakdown of March 2024 Patch Tuesday attack types


Windows products received the most patches this month with 41, followed by Extended Security Update (ESU) with 28 and Azure with 6.

Figure 2. Breakdown of product families affected by March 2024 Patch Tuesday

Critical Vulnerabilities Affect Windows Hyper-V

CVE-2024-21407 is a Critical remote code execution (RCE) vulnerability affecting Microsoft Windows Hyper-V and has a CVSS score of 8.1. Successful exploitation of this vulnerability would allow the attacker to launch code execution on the host server from a Hyper-V guest. This vulnerability would require the attacker to be authenticated on a guest virtual machine and then send specially crafted operation requests aimed at the host. Successful exploitation requires a high level of attack complexity, but can result in code execution on the server and should be patched without delay.

CVE-2024-21408 is a Critical denial of service (DoS) vulnerability affecting Microsoft Windows Hyper-V and has a CVSS score of 5.5. Successful exploitation of this vulnerability allows an attacker to target a Hyper-V guest virtual machine, which can affect the functionality of the Hyper-V host. Because this is a local DoS attack, Microsoft deems exploitation less likely.

| Severity | CVSS Score | CVE | Description |
| --- | --- | --- | --- |
| Critical | 8.1 | CVE-2024-21407 | Windows Hyper-V Remote Code Execution Vulnerability |
| Critical | 5.5 | CVE-2024-21408 | Windows Hyper-V Denial of Service Vulnerability |

Table 1. Critical vulnerabilities in Windows Hyper-V


February 2024 Patch Tuesday: Two Zero-Days Amid 73 Vulnerabilities

13 February 2024 at 23:27

Microsoft has released security updates for 73 vulnerabilities for its February 2024 Patch Tuesday rollout. These include two actively exploited zero-days (CVE-2024-21412 and CVE-2024-21351), both of which are security feature bypass flaws. Five of the vulnerabilities addressed today are rated Critical while the remaining 68 are rated Important or Moderate.

February 2024 Risk Analysis

This month’s leading risk type is remote code execution (41%) followed by elevation of privilege (22%) and spoofing (14%).

Figure 1. Breakdown of February 2024 Patch Tuesday attack types


Windows products received the most patches this month with 44, followed by Extended Security Update (ESU) with 32 and Azure with 9.

Figure 2. Breakdown of product families affected by February 2024 Patch Tuesday

Actively Exploited Zero-Day Vulnerability Affecting Internet Shortcut Files

Internet Shortcut Files have received a patch for CVE-2024-21412, which has a severity of Important and a CVSS score of 8.1. This vulnerability allows an unauthenticated attacker to bypass “Mark of the Web” (MotW) warnings, a Windows security feature, on Windows machines. The targeted user would need to be convinced to click on a specially crafted file that is designed to bypass the displayed security checks. According to Microsoft, the proof-of-concept kit for exploiting the vulnerability has not been publicly disclosed.

| Severity | CVSS Score | CVE | Description |
| --- | --- | --- | --- |
| Important | 8.1 | CVE-2024-21412 | Internet Shortcut Files Security Feature Bypass Vulnerability |

Table 1. Zero-day in Internet Shortcut Files

Actively Exploited Zero-Day Vulnerability Affecting Windows SmartScreen

Windows SmartScreen has received a patch for CVE-2024-21351, which has a severity of Moderate and a CVSS score of 7.6. This security feature bypass vulnerability on Windows Defender SmartScreen can potentially lead to partial data exposure and/or issues with system availability. The attacker would need to convince the user to open a malicious file that could bypass SmartScreen and potentially gain code execution. According to Microsoft, the proof-of-concept kit for exploiting the vulnerability has not been publicly disclosed.

| Severity | CVSS Score | CVE | Description |
| --- | --- | --- | --- |
| Moderate | 7.6 | CVE-2024-21351 | Windows SmartScreen Security Feature Bypass Vulnerability |

Table 2. Zero-day in Windows SmartScreen

Critical Vulnerabilities Affecting Microsoft Windows, Extended Security Update, Dynamics, Exchange Server and Microsoft Office

CVE-2024-21410 is a Critical elevation of privilege (EoP) vulnerability affecting Microsoft Exchange Server and has a CVSS score of 9.8. An attacker that successfully exploits this vulnerability can relay a user’s leaked Net-NTLMv2 hash against a vulnerable Exchange server and be authenticated as that user. Net-NTLMv2 hashes are the responses in NTLM’s challenge-response authentication, which is what makes them valuable for gaining account access: an attacker who obtains one can attempt to crack it or reuse it in an NTLM relay attack.

Prior to the Exchange Server 2019 Cumulative Update 14 (CU14), Exchange Server did not enable relay protections for NTLM credentials (called Extended Protection for Authentication, or EPA) by default, which would have protected against one of the attack types mentioned earlier. Microsoft has provided an “Exchange Server Health Checker script” that provides an overview of the Extended Protection status of the customer’s Exchange server.

CVE-2024-21413 is a Critical remote code execution (RCE) vulnerability affecting Microsoft Outlook and has a CVSS score of 9.8. Successful exploitation of this vulnerability allows the attacker to send a maliciously crafted link that bypasses the security feature. This can lead to credential exposure and RCE, enabling attackers to gain privileged functionality.

CVE-2024-21380 is a Critical information disclosure vulnerability affecting Microsoft Dynamics Business Central (formerly known as Dynamics NAV) and has a CVSS score of 8.0. This vulnerability could allow the attacker to gain the ability to interact with other SaaS tenants’ applications and content. The user would have to be convinced by the attacker to click on a specially crafted URL, and the execution would need to win a race condition for a successful exploitation. This can lead to unauthorized access to the victim’s account.

CVE-2024-21357 is a Critical RCE vulnerability affecting the Windows Pragmatic General Multicast (PGM) network transport protocol and has a CVSS score of 7.5. The attack complexity is high due to the additional actions a threat actor would need to take for successful exploitation. Exploitation is limited to systems connected within the same network or virtual network.

CVE-2024-20684 is a Critical denial of service (DoS) vulnerability affecting Microsoft Windows Hyper-V and has a CVSS score of 6.5. Successful exploitation of this vulnerability allows an attacker to target a Hyper-V guest virtual machine, which can affect the functionality of the Hyper-V host. Because this is a local DoS attack, Microsoft deems exploitation less likely.

| Severity | CVSS Score | CVE | Description |
| --- | --- | --- | --- |
| Critical | 9.8 | CVE-2024-21410 | Microsoft Exchange Server Elevation of Privilege Vulnerability |
| Critical | 9.8 | CVE-2024-21413 | Microsoft Outlook Remote Code Execution Vulnerability |
| Critical | 8.0 | CVE-2024-21380 | Microsoft Dynamics Business Central/NAV Information Disclosure Vulnerability |
| Critical | 7.5 | CVE-2024-21357 | Windows Pragmatic General Multicast (PGM) Remote Code Execution Vulnerability |
| Critical | 6.5 | CVE-2024-20684 | Windows Hyper-V Denial of Service Vulnerability |

Table 3. Critical vulnerabilities in Windows, ESU, Dynamics, Exchange Server and Microsoft Office


Additional Resources

  • For more information on which products are in Microsoft’s Extended Security Updates program, refer to the vendor guidance here.
  • Stay tuned for the CrowdStrike 2024 Global Threat Report — to be released on Feb. 21, 2024 — to learn how the threat landscape has shifted in the past year and understand the adversary behavior driving these shifts.
  • See how Falcon Exposure Management can help you discover and manage vulnerabilities and other exposures in your environments. 
  • Learn how CrowdStrike’s external attack surface module, CrowdStrike® Falcon Surface™, can discover unknown, exposed and vulnerable internet-facing assets, enabling security teams to stop adversaries in their tracks.
  • Learn how CrowdStrike Falcon® Identity Protection products can stop workforce identity threats faster. 
  • Make prioritization painless and efficient. Watch how CrowdStrike Falcon® Spotlight enables IT staff to improve visibility with custom filters and team dashboards.
  • Test CrowdStrike next-gen antivirus for yourself with a free trial of CrowdStrike® Falcon Prevent™.