Palo Alto Networks Releases Urgent Fixes for Exploited PAN-OS Vulnerability

Cyber Security

Products You May Like

Apr 15, 2024NewsroomFirewall Security / Vulnerability

Palo Alto Networks has released hotfixes to address a maximum-severity security flaw impacting PAN-OS software that has come under active exploitation in the wild.

Tracked as CVE-2024-3400 (CVSS score: 10.0), the critical vulnerability is a case of command injection in the GlobalProtect feature that an unauthenticated attacker could weaponize to execute arbitrary code with root privileges on the firewall.

Fixes for the shortcoming are available in the following versions –

  • PAN-OS 10.2.9-h1
  • PAN-OS 11.0.4-h1, and
  • PAN-OS 11.1.2-h3

Patches for other commonly deployed maintenance releases are expected to be released over the next few days.

Cybersecurity

“This issue is applicable only to PAN-OS 10.2, PAN-OS 11.0, and PAN-OS 11.1 firewalls configured with GlobalProtect gateway or GlobalProtect portal (or both) and device telemetry enabled,” the company clarified in its updated advisory.

It also said that while Cloud NGFW firewalls are not impacted by CVE-2024-3400, specific PAN-OS versions and distinct feature configurations of firewall VMs deployed and managed by customers in the cloud are affected.

The exact origins of the threat actor exploiting the flaw are presently unknown but Palo Alto Networks Unit 42 is tracking the malicious activity under the name Operation MidnightEclipse.

Volexity, which attributed it to a cluster dubbed UTA0218, said CVE-2024-3400 has been leveraged since at least March 26, 2024, to deliver a Python-based backdoor called UPSTYLE on the firewall that allows for the execution of arbitrary commands via specially crafted requests.

It is unclear how widespread the exploitation has been, but the threat intelligence firm said it has “evidence of potential reconnaissance activity involving more widespread exploitation aimed at identifying vulnerable systems.”

In attacks documented to date, UTA0218 has been observed deploying additional payloads to launch reverse shells, exfiltrate PAN-OS configuration data, remove log files, and deploy the Golang tunneling tool named GOST (GO Simple Tunnel).

No other follow-up malware or persistence methods are said to have been deployed on victim networks, although it’s unknown if it’s by design or due to early detection and response.

Found this article interesting? Follow us on Twitter and LinkedIn to read more exclusive content we post.

Products You May Like

Articles You May Like

Realme 13 Pro+ 5G Monet Purple Colour Variant Launched in India: Availability, Offers
NASA’s SpaceX Crew-9 Mission Adjusts Crew Ahead of September Launch
New Cyberattack Targets Chinese-Speaking Businesses with Cobalt Strike Payloads
French Authorities Charge Telegram CEO Pavel Durov in Probe Into Organised Crime on App
Here’s How AI is Helping Astronomers to Understand Universe’s Fundamental Parameters

Leave a Reply

Your email address will not be published. Required fields are marked *