Palo Alto Networks and Unit 42 are currently investigating a critical zero-day vulnerability, CVE-2024-3400 [1] [2] [4] [5] [6] [7] [8], in PAN-OS software [1] [3] [6], allowing unauthorized actors to execute code with root privileges on firewalls running PAN-OS 10.2, 11.0 [1] [3], and 11.1 with GlobalProtect configurations enabled [1] [3].

Description

This vulnerability, with a CVSS score of 10.0 [6], has been actively exploited by threat actors since March 26, 2024, in targeted attacks known as Operation MidnightEclipse [6] [7]. The attackers, attributed to threat actor UTA0218, have been observed deploying a Python-based backdoor named UPSTYLE on vulnerable devices to execute commands and maintain access [1]. Volexity researchers have detected successful exploitation at multiple organizations [7], with attackers using the backdoor to download additional tools for lateral movement and credential theft [7].

The backdoor has multiple layers and uses a cron job to retrieve commands hosted on external servers [3], executing commands encoded in the sslvpnngxerror.log file and writing the output to bootstrap.min.css before restoring the original file contents [3]. The threat actor behind Operation MidnightEclipse has automation built into the backdoor, overwriting files after 15 seconds to avoid detection and executing commands such as copying configuration files to a web application folder and exfiltrating them via HTTP requests [3]. An IP address associated with the threat actor was observed attempting to access a specific configuration file believed to be a VPN configuration [3].

Palo Alto Networks is currently working on a hotfix to address the vulnerability [2], with mitigation recommendations including enabling Threat ID 95187 and applying vulnerability protection to the GlobalProtect interface [2]. Customers are advised to disable features related to the vulnerability and remain vigilant for potential malicious activity on their devices [2]. CISA has reported active exploitation of this vulnerability in the wild and encourages users and administrators to review the Palo Alto Networks Security Advisory [4], apply the current mitigations [4], and update the affected software when fixes become available [4]. CISA has also added this vulnerability to its Known Exploited Vulnerabilities Catalog [4] [5], urging federal agencies to apply the patch by April 19 to mitigate the threat [5].
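One way for defenders to watch for the write-then-restore behaviour described above (a static file modified and reverted within seconds), as an added example and not code from the advisory or from Unit 42: a small Python integrity check that flags a watched file whose hash changes and returns to its first-seen value within a short window. The webroot path, the 30-second window and the sample observations are constructed; this page does not give the real location of bootstrap.min.css on a firewall.

```python
import hashlib
from dataclasses import dataclass
from pathlib import Path
from typing import Iterable

# Only the CSS file suits hash tracking; the error log changes legitimately
# all the time and would need content inspection instead.
WATCHED_NAMES = {"bootstrap.min.css"}
RESTORE_WINDOW_SECONDS = 30.0  # margin above the ~15 s restore described above

@dataclass(frozen=True)
class FileEvent:
    ts: float     # epoch seconds of the observation
    path: str
    sha256: str   # hex digest of the content at that time

def snapshot(paths: Iterable[str], ts: float) -> list[FileEvent]:
    """Hash each existing path once; run on a timer well under 15 seconds."""
    return [FileEvent(ts, p, hashlib.sha256(Path(p).read_bytes()).hexdigest())
            for p in paths if Path(p).is_file()]

def find_transient_overwrites(events: Iterable[FileEvent],
                              window: float = RESTORE_WINDOW_SECONDS):
    """Return (path, modified_ts, restored_ts) for every watched file whose
    hash left its first-seen value and returned to it within `window` seconds."""
    baseline, modified_at, findings = {}, {}, []
    for ev in sorted(events, key=lambda e: e.ts):
        if Path(ev.path).name not in WATCHED_NAMES:
            continue
        base = baseline.setdefault(ev.path, ev.sha256)  # first sighting = known good
        if ev.sha256 != base:
            modified_at.setdefault(ev.path, ev.ts)      # note when it first deviated
        elif ev.path in modified_at:
            started = modified_at.pop(ev.path)
            if ev.ts - started <= window:
                findings.append((ev.path, started, ev.ts))
    return findings

def sample_events() -> list[FileEvent]:
    """Constructed observations: the CSS is swapped for 10 s, then restored."""
    css = "/placeholder/webroot/bootstrap.min.css"  # placeholder path, not PAN-OS's
    good, tampered = "a" * 64, "b" * 64
    return [FileEvent(0.0, css, good), FileEvent(5.0, css, tampered),
            FileEvent(10.0, css, tampered), FileEvent(15.0, css, good),
            FileEvent(60.0, css, good)]

if __name__ == "__main__":
    for path, t0, t1 in find_transient_overwrites(sample_events()):
        print(f"{path}: replaced at t={t0:.0f}s, restored at t={t1:.0f}s")
```

Feed `find_transient_overwrites` with the accumulated output of `snapshot` taken every few seconds; a modification that never reverts is still visible as a changed hash and should be handled by ordinary file-integrity alerting.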

Conclusion

The exploitation of this vulnerability poses significant risks to organizations, with potential for data breaches and unauthorized access. Mitigation efforts, such as applying the recommended hotfix and enabling threat protections, are crucial to safeguarding against these threats. Continued vigilance and prompt action are essential to protect against future attacks and ensure the security of network infrastructure.

References

[1] https://securityaffairs.com/161844/apt/palo-alto-pan-os-python-backdoor.html
[2] https://www.scmagazine.com/news/palo-alto-networks-pan-os-critical-0-day-exploited-no-patch-yet
[3] https://unit42.paloaltonetworks.com/cve-2024-3400/
[4] https://www.cisa.gov/news-events/alerts/2024/04/12/palo-alto-networks-releases-guidance-vulnerability-pan-os-cve-2024-3400
[5] https://www.techradar.com/pro/security/major-palo-alto-security-flaw-is-being-exploited-via-python-zero-day-backdoor
[6] https://www.infosecurity-magazine.com/news/palo-alto-networks-zero-day-flaw/
[7] https://www.helpnetsecurity.com/2024/04/12/palo-alto-networks-firewalls-cve-2024-3400-exploited/
[8] https://www.tenable.com/blog/cve-2024-3400-zero-day-vulnerability-in-palo-alto-networks-pan-os-globalprotect-gateway