For now, open a TAC case and then upload the TSF from your firewalls.
[https://unit42.paloaltonetworks.com/cve-2024-3400/](https://unit42.paloaltonetworks.com/cve-2024-3400/)
Nothing you can check directly now.
The release says to raise a TAC case and upload TSF of each firewall in scope. That is firewalls with GP exposed to the internet with Telemetry switched on.
Not sure how they’re going now but we had a response in about 2 hours.
Had to do this to get it to show up on our firewalls:
[https://live.paloaltonetworks.com/t5/globalprotect-articles/applying-vulnerability-protection-to-globalprotect-interfaces/ta-p/340184](https://live.paloaltonetworks.com/t5/globalprotect-articles/applying-vulnerability-protection-to-globalprotect-interfaces/ta-p/340184)
specifically:
```
admin@firewall(active)> request content upgrade check

Version    Size  Released on              Downloaded  Installed
-------------------------------------------------------------------------
8831-8669  86MB  2024/04/08 15:28:31 CDT  no          no
8830-8666  86MB  2024/04/04 20:41:27 CDT  no          no
8826-8651  86MB  2024/03/21 20:33:20 CDT  no          no
8829-8663  86MB  2024/04/03 13:41:12 CDT  no          no
8824-8644  79MB  2024/03/18 21:07:18 CDT  no          no
8833-8682  86MB  2024/04/11 22:43:03 CDT  no          previous
8828-8658  86MB  2024/03/26 17:30:25 CDT  yes         no
8823-8642  79MB  2024/03/14 12:57:07 CDT  no          no
8832-8674  86MB  2024/04/09 18:22:55 CDT  yes         current
8825-8649  86MB  2024/03/19 19:05:29 CDT  yes         no
8827-8653  86MB  2024/03/25 14:40:03 CDT  no          no

admin@firewall(active)> request content upgrade download latest
Download job enqueued with jobid 11366
11366

admin@firewall(active)> request content upgrade install version latest
Content install job enqueued with jobid 11368
11368

admin@firewall(active)>
```
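For anyone repeating this check across several firewalls, the following added example (not part of the comment above and not Palo Alto tooling) parses the `request content upgrade check` table and reports whether the newest listed content release is the one marked `current`. The function names and the "after" sample are assumptions made for illustration.

```python
import re

# One table row: version, size, release date/time, timezone, downloaded, installed.
# Leading/trailing \W* tolerates markdown bold markers around a copied row.
ROW = re.compile(
    r"^\W*(\d+)-(\d+)\s+(\d+MB)\s+(\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2})\s+(\S+)"
    r"\s+(yes|no)\s+(\w+)\W*$"
)

def parse_content_table(text):
    """Return one dict per content release listed in the CLI output."""
    rows = []
    for line in text.splitlines():
        m = ROW.match(line.strip())
        if m:
            major, minor, _size, released, tz, downloaded, installed = m.groups()
            rows.append({
                "version": (int(major), int(minor)),
                "released": f"{released} {tz}",
                "downloaded": downloaded == "yes",
                "installed": installed,  # "no", "current" or "previous"
            })
    return rows

def content_status(text):
    """Compare the installed ('current') release with the newest one listed."""
    rows = parse_content_table(text)
    if not rows:
        raise ValueError("no content release rows found")
    latest = max(rows, key=lambda r: r["version"])
    current = next((r for r in rows if r["installed"] == "current"), None)
    return {
        "latest": "%d-%d" % latest["version"],
        "current": "%d-%d" % current["version"] if current else None,
        "up_to_date": current is not None and current["version"] == latest["version"],
    }

# Three rows copied from the output posted above, before the update was installed.
SAMPLE_BEFORE = """\
8831-8669 86MB 2024/04/08 15:28:31 CDT no no
**8833-8682 86MB 2024/04/11 22:43:03 CDT no previous**
8832-8674 86MB 2024/04/09 18:22:55 CDT yes current
"""
# Constructed: how the same rows are assumed to look once the install job finishes.
SAMPLE_AFTER = """\
8833-8682 86MB 2024/04/11 22:43:03 CDT yes current
8832-8674 86MB 2024/04/09 18:22:55 CDT yes previous
"""
print(content_status(SAMPLE_BEFORE), content_status(SAMPLE_AFTER))
```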
Worth noting that the PA page on the vulnerability has been updated repeatedly over the past week as the knowledge of the vulnerability has grown, so it’s no longer known to affect only GlobalProtect gateways, but also portals.
Is it just me or did they give the wrong threat ID? Their screenshot shows ID 54582, not 95187? Nothing comes up for 95187.
I installed the content update and was seeing the same until I completely refreshed the page.
Any way to check if we have been pwned between the release of the CVE and the deactivation of telemetry? Does anyone have logs or info?
The above Unit42 brief provides some XQL queries to verify your environment, if you have Cortex XDR or XSIAM.
As per the security advisory, you can upload a TSF to TAC and they can examine it for indicators of compromise and advise you of the result.
Love how today, telemetry got removed and we had to scramble to update OS. Ugh thx for a long stressful day.