""ET WEB_SPECIFIC_APPS Palo Alto GlobalProtect Session Cookie Command Injection Attempt (CVE-2024-3400)""

SID: 2052122

Revision: 2

Class Type: trojan-activity

Metadata: affected_product Palo_Alto_Networks, attack_target Networking_Equipment, tls_state TLSDecrypt, created_at 2024_04_16, cve CVE_2024_3400, deployment Perimeter, deployment Internal, deployment SSLDecrypt, performance_impact Low, confidence High, signature_severity Major, updated_at 2024_05_17, mitre_tactic_id TA0008, mitre_tactic_name Lateral_Movement, mitre_technique_id T1210, mitre_technique_name Exploitation_Of_Remote_Services

Reference:

• Link

Protocol: tcp

Source Network: any

Source Port: any

Destination Network: $HOME_NET

Destination Port: $HTTP_PORTS

Flow: established,to_server

Contents:

• Value: "Cookie|3a 20|SESSID="

• Value: "/opt/panlogs/tmp/device_telemetry/"

Within:

PCRE: "/^SESSID\x3d.\/opt\/panlogs\/tmp\/device_telemetry\/.(?:\x60|\x7b).*(?:\x24\x7bIFS\x7d|\x2c)/C"

Special Options:

source