Siemens RUGGEDCOM APE1808 devices configured with Palo Alto Networks Virtual NGFW

Act NowCVSS 10ICS-CERT ICSA-24-116-03Apr 19, 2024

SiemensManufacturing

Attack path

Attack VectorNetwork

Auth RequiredNone

ComplexityLow

User InteractionNone needed

Summary

CVE-2024-3400 in Palo Alto Networks PAN-OS affects Siemens RUGGEDCOM APE1808 devices when configured with Palo Alto Networks Virtual NGFW and GlobalProtect gateway or GlobalProtect portal enabled. The vulnerability allows remote code execution without authentication. Siemens recommends updating to the latest version of the Palo Alto Networks Virtual NGFW for RUGGEDCOM APE1808. As a workaround, disable GlobalProtect gateway and portal if not required (they are disabled by default), and customers with Threat Prevention can block attacks using specific threat IDs. Immediate network access restrictions are recommended.

What this means

What could happen

An attacker could remotely execute commands on the RUGGEDCOM APE1808 firewall appliance, potentially allowing them to intercept, modify, or block network traffic protecting your facility's control systems, or to compromise the device itself and use it as a pivot point into your OT network.

Who's at risk

Manufacturing facilities and utilities that operate RUGGEDCOM APE1808 appliances (industrial firewalls) as part of their OT network protection. This is particularly critical for sites where the appliance is deployed with GlobalProtect gateway or portal enabled to provide remote management or VPN access to control systems or engineering workstations.

How it could be exploited

An attacker on the internet can send a specially crafted request to the GlobalProtect gateway or portal interface (if enabled) on the RUGGEDCOM APE1808. The vulnerability allows remote code execution without authentication or user interaction, giving the attacker full control of the firewall.

Prerequisites

Network reachability to the RUGGEDCOM APE1808 on its management/GlobalProtect interface (typically ports 443, 8443, or 3956)
GlobalProtect gateway and/or GlobalProtect portal must be enabled on the device (disabled by default)
No authentication credentials required

Remotely exploitableNo authentication requiredLow complexity attackActively exploited (KEV)Extremely high EPSS score (94.3%)Affects network security perimeter device

Exploitability

Actively exploited — confirmed by CISA KEV

Metasploit module available — weaponized exploitView module ↗

Public Proof-of-Concept (PoC) on GitHub (10 repositories)

Affected products (1)

ProductAffected VersionsFix Status

RUGGEDCOM APE1808All versions with Palo Alto Networks Virtual NGFW configured with GlobalProtect gateway or GlobalProtect portal (or both).No fix yet

Remediation & Mitigation

0/5

Do now

0/4

HOTFIXContact Siemens customer support to receive and apply the latest Palo Alto Networks Virtual NGFW patch for RUGGEDCOM APE1808

WORKAROUNDDisable GlobalProtect gateway and GlobalProtect portal features on RUGGEDCOM APE1808 if they are not required for your operations (they are disabled by default)

WORKAROUNDIf you have Palo Alto Networks Threat Prevention subscription, enable threat protection using IDs 95187, 95189, and 95191 (Applications and Threats content version 8836-8695 or later) to block exploitation attempts

HARDENINGRestrict network access to RUGGEDCOM APE1808 management interfaces using firewall rules or access control lists; do not expose these interfaces to the internet

Long-term hardening

0/1

HARDENINGImplement network segmentation to isolate OT networks from business networks and the internet

CVEs (1)

CVE-2024-3400

View full CISA ICS-CERT advisory

↑↓ Navigate · Esc Close

API: /api/v1/advisories/306802f3-0e6a-407b-b7b8-f209733959c8

Get OT security insights every Tuesday

Advisory breakdowns, a weekly summary, and incident analyses for the people actually defending OT environments. Free, no account required.