Palo Alto Networks Releases Urgent Fixes for Exploited PAN-OS Vulnerability

Palo Alto Networks has released hotfixes to address a maximum-severity security flaw impacting PAN-OS software that has come under active exploitation in the wild.

Tracked as CVE-2024-3400 (CVSS score: 10.0), the critical vulnerability is a case of command injection in the GlobalProtect feature that an unauthenticated attacker could weaponize to execute arbitrary code with root privileges on the firewall.

Fixes for the shortcoming are available in the following versions -

• PAN-OS 10.2.9-h1
• PAN-OS 11.0.4-h1, and
• PAN-OS 11.1.2-h3

Patches for other commonly deployed maintenance releases are expected to be released over the next few days.

“This issue is applicable only to PAN-OS 10.2, PAN-OS 11.0, and PAN-OS 11.1 firewalls configured with GlobalProtect gateway or GlobalProtect portal (or both) and device telemetry enabled,” the company clarified in its updated advisory.

It also said that while Cloud NGFW firewalls are not impacted by CVE-2024-3400, specific PAN-OS versions and distinct feature configurations of firewall VMs deployed and managed by customers in the cloud are affected.

The exact origins of the threat actor exploiting the flaw are presently unknown but Palo Alto Networks Unit 42 is tracking the malicious activity under the name Operation MidnightEclipse.

Volexity, which attributed it to a cluster dubbed UTA0218, said CVE-2024-3400 has been leveraged since at least March 26, 2024, to deliver a Python-based backdoor called UPSTYLE on the firewall that allows for the execution of arbitrary commands via specially crafted requests.

It is unclear how widespread the exploitation has been, but the threat intelligence firm said it has “evidence of potential reconnaissance activity involving more widespread exploitation aimed at identifying vulnerable systems.”

In attacks documented to date, UTA0218 has been observed deploying additional payloads to launch reverse shells, exfiltrate PAN-OS configuration data, remove log files, and deploy the Golang tunneling tool named GOST (GO Simple Tunnel).

No other follow-up malware or persistence methods are said to have been deployed on victim networks, although it’s unknown if it’s by design or due to early detection and response.

Update

Palo Alto Networks has released additional patches to remediate CVE-2024-3400 -

• PAN-OS 10.2.8-h3
• PAN-OS 10.2.7-h8
• PAN-OS 10.2.6-h3
• PAN-OS 11.0.3-h10
• PAN-OS 11.0.2-h4
• PAN-OS 11.1.1-h1, and
• PAN-OS 11.1.0-h3

The company has also provided a CLI command that users can run to hunt signs of potential compromise: “grep pattern “failed to unmarshal session(.\+./” mp-log gpsvc.log*”

“If the value between ‘session(’ and ‘)’ does not look like a GUID [e.g., 01234567-89ab-cdef-1234-567890abcdef], but instead contains a file system path, this indicates the need for further investigation and the log entry could be related to the successful or unsuccessful exploitation of CVE-2024-3400,” Palo Alto Networks said.

Technical details and proof-of-concept (PoC) exploit code related to the flaw have been made available by WatchTowr and Rapid7, with the latter describing it as consisting of an arbitrary file creation vulnerability and a command injection bug.

“When device telemetry is enabled, a device certificate must be installed for device telemetry to successfully transmit telemetry data back to Palo Alto Networks,” Rapid7 said. “This transmission of data functionality is where the command injection vulnerability lies, [and] the command injection vulnerability could not be triggered without a valid device certificate installed.”

Found this article interesting? Follow us on Twitter  and LinkedIn to read more exclusive content we post.