A critical zero-day vulnerability exploit (CVE-2024-3400) has been disclosed [2], affecting Palo Alto Networks’ PAN-OS firewall software with a CVSS score of 10.0 [2].
Description
This vulnerability allows unauthenticated attackers to execute arbitrary code with root privileges on affected firewalls [2] [3] [6] [7] [10]. Specifically impacting the GlobalProtect gateway feature on versions 10.2, 11.0 [2], and 11.1 with device telemetry enabled, patches are expected by April 14, 2024 for versions 10.2.9-h1, 11.0.4-h1 [2], and 11.1.2-h3 to address this issue. Limited in-the-wild attacks have been confirmed [2], prompting organizations to apply hotfixes immediately or implement recommended mitigations to reduce the attack surface [2]. The threat actor [6] [9], identified as ‘UTA0218’ by Volexity [6], has been conducting reconnaissance activities and exploiting the vulnerability in an exploitation campaign known as “Operation MidnightEclipse.” Additionally, a separate vulnerability (CVE-2024-3385) affecting PA-5400 and PA-7000 Series firewalls has been discovered [7], allowing remote attackers to reboot hardware-based firewalls and potentially launch denial of service attacks [7]. This issue has been addressed in PAN-OS versions 9.0.17-h4, 9.1.17, 10.1.12, 10.2.8 [7], and 11.0.3 [1] [3] [4] [5] [6] [7] [8] [10]. Cloud NGFW firewalls are not impacted [3], but specific PAN-OS versions in customer-managed cloud deployments are affected [3]. The Cybersecurity and Infrastructure Security Agency (CISA) has added the CVE-2024-3400 vulnerability to its Known Exploited Vulnerabilities Catalog, urging organizations to deploy recommended mitigations and review their devices for compromise [4]. Signs of compromise can be checked by uploading technical support files to the customer support portal [1]. Digital Hands is identifying vulnerable configurations for managed customers and will provide hotfix releases to address the issue [10].
Conclusion
Organizations are advised to take immediate action to apply patches, implement recommended mitigations [2] [4], and review their devices for compromise to mitigate the impact of these vulnerabilities and prevent potential attacks in the future.
References
[1] https://www.techtarget.com/searchsecurity/news/366580732/Palo-Alto-Networks-discloses-RCE-zero-day-vulnerability
[2] https://securityonline.info/cve-2024-3400-cvss-10-critical-0-day-flaw-in-palo-alto-networks-firewall-software-exploited-in-the-wild/
[3] https://securityadvisories.paloaltonetworks.com/CVE-2024-3400
[4] https://arstechnica.com/security/2024/04/highly-capable-hackers-root-corporate-networks-by-exploiting-firewall-0-day/
[5] https://cyber.vumetric.com/security-news/2024/04/12/zero-day-alert-critical-palo-alto-networks-pan-os-flaw-under-active-attack/
[6] https://cybersocialhub.com/csh/state-sponsored-hackers-exploit-zero-day-to-backdoor-palo-alto-networks-firewalls/
[7] https://www.infosecurity-magazine.com/news/palo-alto-critical-zero-day/
[8] https://www.cisa.gov/news-events/alerts/2024/04/12/palo-alto-networks-releases-guidance-vulnerability-pan-os-cve-2024-3400
[9] https://www.scmagazine.com/news/palo-alto-networks-pan-os-critical-0-day-exploited-no-patch-yet
[10] https://blog.digitalhands.com/cve-2024-3400-palo-alto-networks-command-injection-vulnerability
