Security Leader’s TLDR: PAN Global Protect Zero Day

Updated 4/17 to include the latest mitigation advice

Another quarter another major VPN-related issue, this time being Palo Alto Networks’ Global Protect. The analysis is still ongoing, and some analysis is being held back until after patches are made available, but as of Wednesday, April 17th, here are the key facts:

Impact and Patch Timeline

• The exploit allows for remote code execution with what seems to be root level access to the Global Protect Appliance.
• Cloud NGFW deployments are not impacted, only on-premise appliances.
• The only currently supported version of PAN-OS that is NOT impacted is Version 10.1. (This means Versions 10.2 through 11.1 are impacted.) While out-of-date PAN-OS versions are not impacted, we never recommend running software that is not currently supported by the manufacturer.
• Hotfix releases are available for PAN-OS 10.2.9-h1, PAN-OS 11.0.4-h1, PAN-OS 11.1.2-h3, and in all later PAN-OS versions. Hotfixes for other commonly deployed maintenance releases will also be made available.

Mitigation Options

• Enabling Palo Alto Threat IDs 95187, 95189, and 95191 (available in Applications and Threats content version 8836-8695 and later) to force dropping and blocking traffic in a firewall rule for incoming traffic to your Global Protect appliance (if you have a valid Threat Prevention subscription) blocks this vulnerability from being exploited.

Cyber Resilience Recommendations 

Unfortunately, publicly available evidence and analysis suggest that this vulnerability has been exploited for weeks (if not months) which means that even taking steps to mitigate this attack and later updating to patched versions of PAN-OS cannot protect your network from malicious actors who have already exploited this and now have other access into your environment. 

Volexity has specific recommendations based on one or more actual incidents, but in general, Deepwatch strongly recommends:

• Utilize a firewall rule to limit access to the VPN concentrator to appropriate protocols, geographies, and any other restrictions that work for your end-user VPN configuration.
• Review security telemetry, logs, and other available data for evidence of a back door, unauthorized software installation, or other persistence and network traversal evidence – even beyond the specific IOCs shared by Volexity.
• Remember to review the logs going back through at least March for these indicators, and check back as more investigative details are shared to see if you should expand the search.
• Evaluate your network topology and security design for opportunities to reduce, isolate, or eliminate VPNs as they remain one of the most highly targeted parts of your attack surface. 
• Patch for this vulnerability at your earliest opportunity now that hot fixes have been released.

Additional Resources

Deepwatch has published an updated Customer Advisory with additional information and links to share with practitioners.

↑