Palo Alto Networks 发布了关于 PAN-OS 软件中 GlobalProtect 网关的漏洞 CVE-2024-3388 的安全公告。该漏洞允许经过身份验证的攻击者冒充其他用户，并向内部资产发送网络数据包。然而，攻击者无法接收来自这些内部资产的响应数据包。

😄 **漏洞描述:** CVE-2024-3388 允许经过身份验证的攻击者冒充其他用户，并向内部资产发送网络数据包。攻击者无法接收来自这些内部资产的响应数据包。

🤔 **受影响版本:** 该漏洞影响 PAN-OS 8.1、9.0、9.1、10.1、10.2、11.0 和 11.1 版本，以及 Prisma Access 版本。受影响的具体版本请参考安全公告。

😎 **解决方案:** Palo Alto Networks 已发布了针对该漏洞的修复程序，建议用户尽快升级到受影响版本的最新版本。

😉 **缓解措施:** 用户可以启用“禁用 SSL VPN 自动恢复”选项（Network > GlobalProtect Gateways > > GlobalProtect Gateway Configuration > Agent > Connection Settings）来缓解该漏洞。

😇 **时间线:** 2024 年 4 月 10 日，Palo Alto Networks 发布了安全公告。

Palo Alto Networks Security Advisories /CVE-2024-3388CVE-2024-3388 PAN-OS: User Impersonation in GlobalProtect SSL VPNUrgencyMODERATEResponse EffortLOWRecoveryAUTOMATICValue DensityDIFFUSEAttack VectorNETWORKAttack ComplexityLOWAttack RequirementsNONEAutomatableNOUser InteractionPASSIVEProduct ConfidentialityNONEProduct IntegrityLOWProduct AvailabilityNONEPrivileges RequiredLOWSubsequent ConfidentialityNONESubsequent IntegrityNONESubsequent AvailabilityNONENVDJSON Published2024-04-10 Updated2024-04-10ReferencePAN-224964DiscoveredexternallyDescriptionA vulnerability in the GlobalProtect Gateway in Palo Alto Networks PAN-OS software enables an authenticated attacker to impersonate another user and send network packets to internal assets. However, this vulnerability does not allow the attacker to receive response packets from those internal assets.Product StatusVersionsAffectedUnaffectedCloud NGFW NoneAllPAN-OS 11.1NoneAllPAN-OS 11.0< 11.0.3>= 11.0.3PAN-OS 10.2< 10.2.7-h3>= 10.2.7-h3PAN-OS 10.1< 10.1.11-h4>= 10.1.11-h4PAN-OS 9.1< 9.1.17>= 9.1.17PAN-OS 9.0< 9.0.17-h4>= 9.0.17-h4PAN-OS 8.1< 8.1.26>= 8.1.26Prisma Access < 10.2.4>= 10.2.4Required Configuration for ExposureThis issue applies only to PAN-OS firewall configurations with an enabled GlobalProtect gateway and where you are permitting use of the SSL VPN either as a fallback or as the only available tunnel mode. You should verify whether you have a configured GlobalProtect gateway by checking for entries in your firewall web interface (Network > GlobalProtect > Gateways). You can also verify:- Whether SSL VPN fallback is permitted (check to see if the "Disable Automatic Restoration of SSL VPN" option is disabled in the GlobalProtect Gateway Configuration dialog by selecting Agent > Connection Settings) or;- Whether SSL VPN is the only available tunnel mode (check to see if "Enable IPSec" is disabled (unchecked) in the GlobalProtect Gateway Configuration dialog by selecting Agent > Tunnel Settings).By default, both PAN-OS firewalls and Prisma Access use the SSL VPN only when the endpoint fails to successfully establish an IPSec tunnel.Severity:MEDIUMCVSSv4.0Base Score:5.1 (CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/AU:N/R:A/V:D/RE:L/U:Amber)Exploitation StatusPalo Alto Networks is not aware of any malicious exploitation of this issue.Weakness TypeCWE-269 Improper Privilege ManagementCWE-863 Incorrect AuthorizationSolutionThis issue is fixed in PAN-OS 8.1.26, PAN-OS 9.0.17-h4, PAN-OS 9.1.17, PAN-OS 10.1.11-h4, PAN-OS 10.2.7-h3, PAN-OS 11.0.3, and all later PAN-OS versions. This issue is fixed in Prisma Access 10.2.4 and later.Workarounds and MitigationsYou can enable the "Disable Automatic Restoration of SSL VPN" (Network > GlobalProtect Gateways > <gateway-config> > GlobalProtect Gateway Configuration > Agent > Connection Settings) on PAN-OS firewalls with the GlobalProtect feature enabled to mitigate this vulnerability.AcknowledgmentsPalo Alto Networks thanks Ta-Lun Yen of TXOne Networks for discovering and reporting this issue.Timeline2024-04-10Initial publication