UPDATE 4/15/2024: Palo Alto Networks released hotfixes for CVE-2024-3400 in PAN-OS versions 10.2.9-h1, 11.0.4-h1 and 11.1.2-h3 on Sunday. The company also plans to ship hotfixes for commonly deployed maintenance releases of PAN-OS in the coming days, with estimated release dates between April 15 and April 19.
Original report on 4/12/2024:
Palo Alto Networks disclosed a maximum severity zero-day vulnerability in the Palo Alto Networks PAN-OS GlobalProtect feature that risks remote code execution (RCE) and is under exploitation by “a highly capable threat actor.”
The critical vulnerability, tracked as CVE-2024-3400, has a maximum CVSS score of 10 and has yet to receive a patch, with Palo Alto Networks estimating hotfixes will be ready by Sunday, April 14. The command injection flaw stemming from the GlobalProtect secure remote access feature could allow a remote, unauthenticated attacker to execute arbitrary code on PAN-OS firewall devices.
CVE-2024-3400 and its exploitation were discovered by researchers at Volexity, who were alerted to suspicious network traffic from two customers’ firewalls on Wednesday and Thursday. Volexity reported the flaw to Palo Alto Networks shortly after the first exploitation was discovered and Volexity and Palo Alto both disclosed the vulnerability publicly on Friday.
Further investigation determined the same threat actor, dubbed UTA0218, targeted both victims and managed to remotely exploit the PAN-OS firewalls, create a reverse shell and download additional tools onto the compromised devices.
“They quickly moved laterally through victims’ networks, extracting sensitive credentials and other files that would enable access during and potentially after the intrusion. The tradecraft and speed employed by the attacker suggests a highly capable threat actor with a clear playbook of what to access to further their objectives,” Volexity said.
Volexity also stated in its report that the exploitation may be coming from a state-sponsored actor. Additional investigation revealed that multiple other customers’ PAN-OS firewalls were exploited as early as March 26.
In at least two cases, the threat actor attempted to download a custom Python backdoor the researchers dubbed “UPSTYLE,” which would enable the threat actor to execute additional remote commands.
CVE-2024-3400 affects PAN-OS versions 11.1 from 11.1.2-h3 and earlier, 11.0 from 11.0.4-h1 and earlier, and 10.2 from 10.2.9-h1 and earlier.
For mitigation, Palo Alto Networks recommended customers with a Threat Prevention subscription block attacks by enabling the Threat ID 95187, and ensure vulnerability protection is applied to their GlobalProtect interface. Temporarily disabling device telemetry was also previously listed as a workaround for customers unable to apply the Threat Prevention mitigation. Update 4/17/2024: Palo Alto has updated its guidance, saying disabling device telemetry will not protect PAN-OS firewalls from attack.
“Organizations with vulnerable versions of the operating system should take immediate actions to mitigate the threat by disabling features related to the vulnerability, where possible, and should be preparing to patch as soon as possible when the hot fix is released, while keeping a vigilant watch for potential malicious network traffic or code execution on the devices,” Erich Kron, security awareness advocate at KnowBe4, said in an email to SC Media.
Palo Alto Networks also published its own brief on the exploitation campaign, which it dubbed “Operation MidnightEclipse.” The report notes that exploitation is currently limited to one threat actor, but that “additional threat actors may attempt exploitation in the future.”
CVE-2024-3400 was also added to the U.S. Cybersecurity & Infrastructure Security Agency’s (CISA) Known Exploited Vulnerability (KEV) catalog on Friday.
