Security Advisories April 2024 #2

Immediate Actions Required:

In earlier versions of this advisory, disabling device telemetry was listed as a secondary mitigation action. Disabling device telemetry is no longer an effective mitigation. Device telemetry does not need to be enabled for PAN-OS firewalls to be exposed to attacks related to this vulnerability.

Affected Systems:
  • PAN-OS Firewalls running version 10.2 or higher with GlobalProtect Portal or Gateway configured.

If you are affected, please follow these steps:

1. Generate Tech Support File:
  • Navigate to Device -> Support -> Generate Tech Support File to create and download the support file.
2. Update Firewall:
  • Preferably, upgrade your firewall to a version that is documented in the CVE. If upgrading is not immediately possible, enhance your security by:
    • Enabling the vulnerability protection profile for rules allowing traffic to the portal/gateway.
    • Ensuring the signatures 95187, 95189, and 95191 are set to reset or drop.
3. Check for Compromises:
  • Run the following command to detect potential command injection attacks: grep pattern "failed to unmarshal session(.\+.\/" mp-log gpsvc.log*
  • If there are any results, open a case with NTS OC immediately by email at support@nts.eu.
 
Important Note:
After a PAN-OS system upgrade, your system logs might have been compressed, and the command mentioned earlier will not yield results. If you suspect a compromise, contact NTS immediately. Please attach the tech support files from your affected firewalls to facilitate the investigation.

Do not hesitate to contact our support team. You can reach us at support@nts.eu or open a ticket with NTS directly.

If you are a Palo Alto Managed Service customer of NTS, our colleagues have already taken the necessary steps or have reached out to you regarding an update window.

For details and updates, please visit the corresponding Palo Alto Security Advisory or contact us via support@nts.eu.
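
The check from step 3, applied offline to gpsvc.log* files taken from an extracted tech support file so that compressed logs are covered as well. This is an added example, not part of the original advisory and not Palo Alto or NTS tooling. It assumes rotated logs are gzip-compressed and that the files sit somewhere under the directory you pass in; the sample log lines are constructed.

```python
import gzip
import re
import tempfile
from pathlib import Path

# Python form of the advisory's grep pattern: "session(" followed by two or
# more characters and then a "/".
PATTERN = re.compile(rb"failed to unmarshal session\(.+./")


def open_log(path):
    """Open a log for binary reading; gzip is detected by its magic bytes."""
    with open(path, "rb") as fh:
        is_gzip = fh.read(2) == b"\x1f\x8b"
    return gzip.open(path, "rb") if is_gzip else open(path, "rb")


def scan_logs(root):
    """Return (file name, line number, text) for every matching log line."""
    hits = []
    for path in sorted(Path(root).rglob("gpsvc.log*")):
        if not path.is_file():
            continue
        with open_log(path) as fh:
            for lineno, raw in enumerate(fh, 1):
                if PATTERN.search(raw):
                    text = raw.decode("utf-8", "replace").rstrip()
                    hits.append((path.name, lineno, text))
    return hits


def demo():
    """Scan constructed sample logs: one plain file, one gzip-rotated file."""
    # Constructed sample lines (assumed message layout, not real log data).
    benign = b"failed to unmarshal session(01234567-89ab-cdef-0123-456789abcdef) map , EOF\n"
    suspect = b"failed to unmarshal session(./../constructed/placeholder) map , EOF\n"
    with tempfile.TemporaryDirectory() as tmp:
        Path(tmp, "gpsvc.log").write_bytes(benign)
        with gzip.open(Path(tmp, "gpsvc.log.1.gz"), "wb") as fh:
            fh.write(benign + suspect)
        return scan_logs(tmp)


if __name__ == "__main__":
    for name, lineno, text in demo():
        print(f"{name}:{lineno}: {text}")
```

Any hit is handled the same way as a result from the CLI command: open a case and attach the tech support file.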