CVE-2024-3388
4.1
CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:N/I:L/A:N
Summary
A vulnerability in the GlobalProtect Gateway in Palo Alto Networks PAN-OS software enables an authenticated attacker to impersonate another user and send network packets to internal assets. However, this vulnerability does not allow the attacker to receive response packets from those internal assets.
Affected Software
| Vendor | Product | Version Range | Status |
|---|---|---|---|
| Palo Alto Networks | PAN-OS | 8.1.0 < 8.1.26 | affected |
| Palo Alto Networks | PAN-OS | 9.0.0 < 9.0.17-h4 | affected |
| Palo Alto Networks | PAN-OS | 9.1.0 < 9.1.17 | affected |
| Palo Alto Networks | PAN-OS | 10.1.0 < 10.1.11-h4 | affected |
| Palo Alto Networks | PAN-OS | 10.2.0 < 10.2.7-h3 | affected |
| Palo Alto Networks | PAN-OS | 11.0.0 < 11.0.3 | affected |
| Palo Alto Networks | PAN-OS | 11.1.0 | unaffected |
| Palo Alto Networks | Cloud NGFW | All | unaffected |
| Palo Alto Networks | Prisma Access | 10.2 < 10.2.4 | affected |
Weaknesses
- CWE-269: CWE-269 Improper Privilege Management
- CWE-863: CWE-863 Incorrect Authorization
Workarounds
You can enable the "Disable Automatic Restoration of SSL VPN" (Network > GlobalProtect Gateways > > GlobalProtect Gateway Configuration > Agent > Connection Settings) on PAN-OS firewalls with the GlobalProtect feature enabled to mitigate this vulnerability.
ADP Enrichment
CISA ADP Vulnrichment
- SSVC:
- Exploitation: none
- Automatable: no
- Technical Impact: partial
CVE Program Container
Additional References
References
Feedback
Was this page helpful?
Glad to hear it! Please tell us how we can improve.
Sorry to hear that. Please tell us how we can improve.