CVE-2024-2550
📋 TL;DR
An unauthenticated attacker can send a specially crafted packet to Palo Alto Networks PAN-OS GlobalProtect gateways, causing a null pointer dereference that stops the GlobalProtect service. Repeated exploitation forces the firewall into maintenance mode, creating a denial of service. Organizations using affected PAN-OS versions with GlobalProtect enabled are vulnerable.
💻 Affected Systems
- Palo Alto Networks PAN-OS
📦 What is this software?
PAN-OS by Palo Alto Networks
⚠️ Risk & Real-World Impact
Worst Case
Firewall enters maintenance mode, disrupting all GlobalProtect VPN connectivity and potentially affecting other firewall services, requiring manual intervention to restore functionality.
Likely Case
GlobalProtect service crashes, interrupting VPN access for remote users until service restart or firewall reboot.
If Mitigated
If the patch or the workarounds are applied, there is no impact beyond normal packet processing.
🎯 Exploit Status
Unauthenticated remote exploitation with simple packet crafting makes this attractive for attackers.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: PAN-OS 11.1.2-h3, PAN-OS 11.0.4-h1, PAN-OS 10.2.9-h1
Vendor Advisory: https://security.paloaltonetworks.com/CVE-2024-2550
Restart Required: Yes
Instructions:
1. Download the appropriate hotfix from the Palo Alto support portal.
2. Upload it to the firewall.
3. Install the hotfix via CLI or WebUI.
4. Commit changes.
5. Reboot the firewall.
🔧 Temporary Workarounds
Disable GlobalProtect Gateway
Temporarily disable the GlobalProtect gateway service if VPN access can be suspended.
Restrict Access to GlobalProtect Ports
Limit the source IP addresses that can connect to the GlobalProtect service (default port 443).
🧯 If You Can't Patch
- Implement strict network ACLs to limit GlobalProtect access to trusted IP ranges only
- Monitor GlobalProtect service health and implement automated restart scripts for service recovery
🔍 How to Verify
Check if Vulnerable:
Check the PAN-OS version via CLI: show system info | match version. Compare the result against the affected versions list.
Check Version:
show system info | match version
Verify Fix Applied:
Verify that the installed version matches one of the patched versions. Check GlobalProtect service status: show global-protect-gateway statistics.
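The version comparison described above, as an added example (not vendor code): it parses the output of show system info | match version and compares the sw-version value against the patched releases listed on this page. It assumes versions have the form X.Y.Z or X.Y.Z-hN and that later releases in the same train carry the fix; trains not listed here are reported as unknown and should be checked against the vendor advisory.

```python
import re

# Patched releases exactly as listed on this page, keyed by (major, minor) train.
PATCHED = {
    (11, 1): "11.1.2-h3",
    (11, 0): "11.0.4-h1",
    (10, 2): "10.2.9-h1",
}

_VERSION = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:-h(\d+))?$")


def parse_version(text):
    """Return (major, minor, maintenance, hotfix), or None if not X.Y.Z[-hN]."""
    m = _VERSION.match(text.strip())
    if not m:
        return None
    major, minor, maint, hotfix = m.groups()
    return int(major), int(minor), int(maint), int(hotfix or 0)


def extract_sw_version(cli_output):
    """Pull the sw-version value out of 'show system info | match version' output."""
    for line in cli_output.splitlines():
        key, _, value = line.partition(":")
        if key.strip() == "sw-version":
            return value.strip()
    return None


def check(cli_output):
    """Classify a firewall as 'patched', 'below-patched' or 'unknown'."""
    raw = extract_sw_version(cli_output)
    version = parse_version(raw) if raw else None
    if version is None:
        return "unknown"
    fixed = PATCHED.get(version[:2])
    if fixed is None:
        return "unknown"  # train not listed on this page; consult the advisory
    # Numeric tuple comparison: 10.2.10 sorts above 10.2.9-h1, and a base
    # release (hotfix 0) sorts below any hotfix of the same maintenance level.
    return "patched" if version >= parse_version(fixed) else "below-patched"


# Constructed sample output (not captured from a real device).
SAMPLE = "sw-version: 10.2.9\napp-version: 0000-0000\n"

if __name__ == "__main__":
    print(check(SAMPLE))
```

A plain string comparison would rank 10.2.10 below 10.2.9-h1 and treat 10.2.9 as equal in prefix to the hotfix build, which is why the fields are compared numerically.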
📡 Detection & Monitoring
Log Indicators:
- GlobalProtect service crash logs
- Firewall entering maintenance mode events
- Repeated connection attempts to GlobalProtect port 443
Network Indicators:
- Multiple malformed packets to GlobalProtect port
- Sudden drop in GlobalProtect VPN connections
SIEM Query:
source="pan-firewall" (event_type="system" AND message="*GlobalProtect*crash*") OR (event_type="system" AND message="*maintenance*mode*")