Given the ongoing nature of mitigating/remediating this vulnerability, Secure-ISS provides the following guidance on a security policy setting that mitigates the attack vector identified in CVE-2024-3400.
Given the ongoing nature of the exploit, please see the flow chart to evaluate whether your PAN device may be compromised.
Please reach out to our team should you require further assistance.
Information provided here is provided as is with no warranty. Should you require further assistance with tailoring this policy to your environment please reach out to our team soc@secure-iss.com.
Apply a Vulnerability Protection profile to your intrazone-default rule, or apply a rule similar to the one below. Replace any [] text below with your own values.
set rulebase security rules "Block Incoming Attacks to WAN Interfaces" profile-setting group [PROFILE GROUP NAME HERE]
set rulebase security rules "Block Incoming Attacks to WAN Interfaces" to [Security Zone of the Global Protect WAN Interfaces]
set rulebase security rules "Block Incoming Attacks to WAN Interfaces" from [Security Zone of the Global Protect WAN Interfaces]
set rulebase security rules "Block Incoming Attacks to WAN Interfaces" source any
set rulebase security rules "Block Incoming Attacks to WAN Interfaces" destination any
set rulebase security rules "Block Incoming Attacks to WAN Interfaces" source-user any
set rulebase security rules "Block Incoming Attacks to WAN Interfaces" category any
set rulebase security rules "Block Incoming Attacks to WAN Interfaces" application any
set rulebase security rules "Block Incoming Attacks to WAN Interfaces" service any
set rulebase security rules "Block Incoming Attacks to WAN Interfaces" source-hip any
set rulebase security rules "Block Incoming Attacks to WAN Interfaces" destination-hip any
set rulebase security rules "Block Incoming Attacks to WAN Interfaces" action allow
set rulebase security rules "Block Incoming Attacks to WAN Interfaces" log-setting [log forwarding profile name]
set rulebase security rules "Block Incoming Attacks to WAN Interfaces" rule-type intrazone
set rulebase security rules "Block Incoming Attacks to WAN Interfaces" description "Protects the Palo Alto from direct attacks to itself, all other traffic once natted should not meet the Destination Zone criteria post-nat."
Note: the Security Profile Group specified should include the default "Strict" Vulnerability Protection profile or an equivalent (it should reset High or Critical severity threats).
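The following Python lint is an added example and not Secure-ISS or Palo Alto tooling. It parses set-format lines like those above (with hypothetical zone and profile names filled in, and one placeholder deliberately left unreplaced) and reports leftover [] placeholders, a missing profile group, a missing log forwarding profile, a non-intrazone rule type, and mismatched from/to zones.

```python
import re

# Constructed sample in the page's set-command format. "GP-Untrust" and
# "Strict-Inbound" are hypothetical names; the log-setting placeholder is
# intentionally left as-is so the lint has something to catch.
SAMPLE_CONFIG = """
set rulebase security rules "Block Incoming Attacks to WAN Interfaces" profile-setting group Strict-Inbound
set rulebase security rules "Block Incoming Attacks to WAN Interfaces" to GP-Untrust
set rulebase security rules "Block Incoming Attacks to WAN Interfaces" from GP-Untrust
set rulebase security rules "Block Incoming Attacks to WAN Interfaces" action allow
set rulebase security rules "Block Incoming Attacks to WAN Interfaces" log-setting [log forwarding profile name]
set rulebase security rules "Block Incoming Attacks to WAN Interfaces" rule-type intrazone
"""

# rule name in quotes, then the attribute keyword, then the rest of the line
LINE_RE = re.compile(r'^set rulebase security rules "([^"]+)" (\S+)(?: (.*))?$')


def parse_set_rules(text):
    """Group PAN-OS set lines into {rule name: {attribute: value}}."""
    rules = {}
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue  # not a security-rule line; ignore
        name, attr, value = m.group(1), m.group(2), m.group(3) or ""
        rules.setdefault(name, {})[attr] = value
    return rules


def check_rule(attrs):
    """Return a list of findings for one rule; an empty list means it passes."""
    findings = []
    for attr, value in attrs.items():
        if re.search(r"\[[^\]]*\]", value):  # template placeholder left in
            findings.append(f"{attr}: placeholder not replaced ({value})")
    if attrs.get("rule-type") != "intrazone":
        findings.append("rule-type must be intrazone")
    if attrs.get("from") != attrs.get("to"):
        findings.append("from/to zones must match for an intrazone rule")
    if not attrs.get("profile-setting", "").startswith("group "):
        findings.append("no security profile group attached")
    if not attrs.get("log-setting"):
        findings.append("no log forwarding profile")
    return findings


def audit_config(text):
    """Lint every security rule found in the set-format text."""
    return {name: check_rule(attrs) for name, attrs in parse_set_rules(text).items()}
```

The lint cannot see inside the referenced profile group, so confirming that it actually contains a Strict-equivalent Vulnerability Protection profile remains a manual check.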