Palo Alto Networks Outlines Remediation for Critical PAN-OS Flaw Under Attack

The Hacker News (thehackernews.com), Apr 26, 2024, 10:18 a.m.

Tags: palo alto networks, pan-os, critical security flaw, remote shell command execution, cve-2024-3400, zero-day, uta0218, operation midnighteclipse, python-based backdoor, state-backed hacking, remediation advice, hotfix, exfiltration, interactive command execution, private data reset, factory reset

10 High
CVSS3: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
  Attack Vector: NETWORK; Attack Complexity: LOW; Privileges Required: NONE; User Interaction: NONE; Scope: CHANGED; Confidentiality Impact: HIGH; Integrity Impact: HIGH; Availability Impact: HIGH

8.1 High
AI Score (Confidence: Low)

7.5 High
CVSS2: AV:N/AC:L/Au:N/C:P/I:P/A:P
  Access Vector: NETWORK; Access Complexity: LOW; Authentication: NONE; Confidentiality Impact: PARTIAL; Integrity Impact: PARTIAL; Availability Impact: PARTIAL

0.954 High
EPSS (Percentile: 99.3%)

Palo Alto Networks

Palo Alto Networks has shared remediation guidance for a recently disclosed critical security flaw impacting PAN-OS that has come under active exploitation.

The vulnerability, tracked as CVE-2024-3400 (CVSS score: 10.0), could be weaponized to obtain unauthenticated remote shell command execution on susceptible devices. It has been addressed in multiple versions of PAN-OS 10.2.x, 11.0.x, and 11.1.x.

There is evidence to suggest that the issue has been exploited as a zero-day since at least March 26, 2024, by a threat cluster tracked as UTA0218.

The activity, codenamed Operation MidnightEclipse, entails the use of the flaw to drop a Python-based backdoor called UPSTYLE that’s capable of executing commands transmitted via specially crafted requests.


The intrusions have not been linked to a known threat actor or group, but the activity is suspected to be the work of a state-backed hacking crew given the tradecraft and the victimology observed.

The latest remediation advice offered by Palo Alto Networks is based on the extent of compromise:

  • Level 0 Probe: Unsuccessful exploitation attempt - Update to the latest provided hotfix
  • Level 1 Test: Evidence of vulnerability being tested on the device, including the creation of an empty file on the firewall but no execution of unauthorized commands - Update to the latest provided hotfix
  • Level 2 Potential Exfiltration: Signs where files like “running_config.xml” are copied to a location that is accessible via web requests - Update to the latest provided hotfix and perform a Private Data Reset
  • Level 3 Interactive access: Evidence of interactive command execution, such as the introduction of backdoors and other malicious code - Update to the latest provided hotfix and perform a Factory Reset

“Performing a private data reset eliminates risks of potential misuse of device data,” Palo Alto Networks said. “A factory reset is recommended due to evidence of more invasive threat actor activity.”

