Palo Alto Networks has published hotfixes for a maximum-severity vulnerability in its PAN-OS software that is being actively exploited in the wild.
The critical flaw, tracked as CVE-2024-3400 (CVSS score: 10.0), is a command injection vulnerability in the GlobalProtect feature that an unauthenticated attacker could exploit to execute arbitrary code on the firewall with root privileges.
The issue is fixed in the following releases:
- PAN-OS 10.2.9-h1
- PAN-OS 11.0.4-h1
- PAN-OS 11.1.2-h3
Hotfixes for other commonly deployed maintenance releases are expected to become available over the next few days.
“This issue is applicable only to PAN-OS 10.2, PAN-OS 11.0, and PAN-OS 11.1 firewalls configured with GlobalProtect gateway or GlobalProtect portal (or both) and device telemetry enabled,” the company said in its updated advisory.
The company also noted that while CVE-2024-3400 does not affect Cloud NGFW firewalls, it does affect specific PAN-OS versions and distinct feature configurations of firewall virtual machines (VMs) that customers deploy and manage themselves in the cloud.
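The applicability conditions above reduce to a triage rule an operator can run over a firewall inventory: is the device on an affected train (10.2, 11.0, 11.1), is it below the fixed release listed for that train, and are GlobalProtect and device telemetry both enabled? The script below is an added example written for this page, not code from Palo Alto Networks or from the original article. It assumes PAN-OS version strings of the form `major.minor.maintenance[-hN]`, it only knows the three fixed releases named above (later hotfixes for other maintenance releases are deliberately not guessed), and the function and class names are my own. The inventory at the bottom is constructed sample data. Note the caveat built into the output: a box that escapes the exposure conditions only because GlobalProtect or telemetry is off is still unpatched, so it is still told to apply the fix.

```python
import re
from dataclasses import dataclass
from typing import Tuple

# Fixed releases named in the advisory as reproduced on this page, keyed by
# release train (major, minor). Hotfixes for other maintenance releases were
# still pending when this was written and are deliberately NOT listed: a
# version below these in the same train is told to verify with the vendor.
FIXED_RELEASES = {
    (10, 2): "10.2.9-h1",
    (11, 0): "11.0.4-h1",
    (11, 1): "11.1.2-h3",
}

# PAN-OS version strings look like "11.1.2-h3": major.minor.maintenance with an
# optional "-hN" hotfix suffix. (Assumed format, based on the versions above.)
_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:-h(\d+))?$")


def parse_panos_version(version: str) -> Tuple[int, int, int, int]:
    """Parse 'major.minor.maint[-hN]' into a tuple that compares correctly.

    A base release gets hotfix level 0, so 10.2.9 sorts below 10.2.9-h1,
    which is the ordering the advisory implies.
    """
    m = _VERSION_RE.match(version.strip())
    if not m:
        raise ValueError(f"unrecognised PAN-OS version string: {version!r}")
    major, minor, maint, hotfix = m.groups()
    return (int(major), int(minor), int(maint), int(hotfix or 0))


@dataclass
class Assessment:
    version: str
    exposed: bool   # True only when every condition quoted on the page is met
    action: str     # what the operator should do next


def assess_cve_2024_3400(version: str, globalprotect_configured: bool,
                         telemetry_enabled: bool) -> Assessment:
    """Triage one firewall against the conditions stated on this page.

    The advisory as quoted limits the issue to PAN-OS 10.2 / 11.0 / 11.1 with
    a GlobalProtect portal or gateway configured AND device telemetry enabled.
    Turning those features off is a mitigation, not a fix, so every unpatched
    device in an affected train still gets a "patch" action.
    """
    parsed = parse_panos_version(version)
    train = parsed[:2]

    if train not in FIXED_RELEASES:
        return Assessment(version, False,
                          "release train not listed as affected on this page")

    fixed_str = FIXED_RELEASES[train]
    if parsed >= parse_panos_version(fixed_str):
        return Assessment(version, False,
                          f"at or above fixed release {fixed_str}")

    # Affected train and below the listed hotfix.
    patch_hint = (f"apply {fixed_str} or the hotfix for this maintenance "
                  "release once the vendor publishes it")
    if not globalprotect_configured:
        return Assessment(version, False,
                          "no GlobalProtect portal/gateway configured; still " + patch_hint)
    if not telemetry_enabled:
        return Assessment(version, False,
                          "device telemetry disabled; still " + patch_hint)
    return Assessment(version, True,
                      "exploitable per the advisory: " + patch_hint +
                      " and hunt for post-exploitation activity")


if __name__ == "__main__":
    # Constructed inventory for demonstration, not real hosts.
    inventory = [
        ("10.2.9-h1", True, True),
        ("11.1.2-h2", True, True),
        ("11.0.4", True, False),
        ("10.1.11", True, True),
    ]
    for ver, gp, tel in inventory:
        a = assess_cve_2024_3400(ver, gp, tel)
        print(f"{ver:12} exposed={a.exposed!s:5} {a.action}")
```

Feed the function your real version strings and feature flags (from `show system info` and the GlobalProtect and telemetry configuration) and treat any `exposed=True` result as an incident-response trigger, not just a patching ticket, since the page reports exploitation since late March.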
Palo Alto Networks Unit 42 is tracking the malicious activity as Operation MidnightEclipse; the precise origin of the threat actor exploiting the vulnerability is currently unknown.
Volexity reported that CVE-2024-3400 has been exploited since at least March 26, 2024, to deploy a Python-based backdoor called UPSTYLE on the firewall, which permits execution of arbitrary commands via specially crafted requests. Volexity attributes the activity to a cluster it tracks as UTA0218.
The full extent of the exploitation remains unclear; however, the threat intelligence firm reported seeing “evidence of potential reconnaissance activity involving more widespread exploitation aimed at identifying vulnerable systems.”
In the attacks reported so far, UTA0218 has been observed using additional payloads to launch reverse shells, exfiltrate PAN-OS configuration data, delete log files, and deploy the Golang tunneling tool GOST (GO Simple Tunnel).
No further follow-on malware or persistence mechanisms are reported to have been installed on victim networks, although it is unclear whether this is deliberate or the result of early detection and response.
About Rhyno Cybersecurity Services
Rhyno Cybersecurity is a Canadian-based company focusing on 24/7 Managed Detection and Response, Penetration Testing, Enterprise Cloud, and Cybersecurity Solutions for small and midsize businesses.
Our products and services are robust, innovative, and cost-effective. Underpinned by our 24x7x365 Security Operations Centre (SOC), our experts ensure you have access to cybersecurity expertise when you need it the most.