Palo Alto Networks PAN-OS critical 0-day exploited; no patch yet – Model Slux

Palo Alto Networks disclosed a maximum-severity zero-day vulnerability in the PAN-OS GlobalProtect feature that risks remote code execution (RCE) and is under exploitation by “a highly capable threat actor.”

The critical vulnerability, tracked as CVE-2024-3400, has a maximum CVSS score of 10 and has yet to receive a patch, with Palo Alto Networks estimating hotfixes will be ready by Sunday, April 14. The command injection flaw, stemming from the GlobalProtect secure remote access feature, could allow a remote, unauthenticated attacker to execute arbitrary code on PAN-OS firewall devices.

CVE-2024-3400 and its exploitation were discovered by researchers at Volexity, who were alerted to suspicious network traffic from two customers’ firewalls on Wednesday and Thursday. Volexity reported the flaw to Palo Alto Networks shortly after the first exploitation was discovered, and Volexity and Palo Alto both disclosed the vulnerability publicly on Friday.

Further investigation determined that the same threat actor, dubbed UTA0218, targeted both victims and managed to remotely exploit the PAN-OS firewalls, create a reverse shell and download additional tools onto the compromised devices.

“They quickly moved laterally through victims’ networks, extracting sensitive credentials and other files that could enable access during and potentially after the intrusion. The tradecraft and speed employed by the attacker suggests a highly capable threat actor with a clear playbook of what to access to further their objectives,” Volexity said.

Volexity also said in its report that the exploitation may be coming from a state-sponsored actor. Further investigation revealed that several other customers’ PAN-OS firewalls had been exploited as early as March 26.

In at least two cases, the threat actor attempted to download a custom Python backdoor the researchers dubbed “UPSTYLE,” which could enable the threat actor to execute additional remote commands.

CVE-2024-3400 affects PAN-OS 11.1 versions 11.1.2-h3 and earlier, 11.0 versions 11.0.4-h1 and earlier, and 10.2 versions 10.2.9-h1 and earlier.
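As an added example (not from the article or from Palo Alto Networks), the following Python triages a firewall inventory against the affected ranges as the article words them ("X and earlier"). The `major.minor.patch-hN` version format and the inventory are assumptions; the exact fixed builds should be confirmed against the vendor advisory before the boundaries are relied on.

```python
import re
from typing import Optional, Tuple

# Affected ranges as stated in the article: each branch is affected up to and
# including the listed build ("X and earlier"). These boundaries are taken
# from the article's wording; confirm them against the vendor advisory.
AFFECTED_UPPER_BOUNDS = {
    (11, 1): "11.1.2-h3",
    (11, 0): "11.0.4-h1",
    (10, 2): "10.2.9-h1",
}

# Assumed PAN-OS version format: major.minor.patch with an optional -hN hotfix.
_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:-h(\d+))?$")


def parse_panos_version(version: str) -> Tuple[int, int, int, int]:
    """Parse 'major.minor.patch[-hN]' into a comparable tuple.

    A base release (no hotfix suffix) sorts before its hotfixes: h0 < h1 < ...
    """
    m = _VERSION_RE.match(version.strip())
    if not m:
        raise ValueError(f"unrecognised PAN-OS version string: {version!r}")
    major, minor, patch, hotfix = m.groups()
    return (int(major), int(minor), int(patch), int(hotfix or 0))


def is_affected_by_cve_2024_3400(version: str) -> Optional[bool]:
    """True if inside a stated affected range, False if newer than the bound,
    None if the release branch is not listed in the article at all."""
    parsed = parse_panos_version(version)
    bound = AFFECTED_UPPER_BOUNDS.get(parsed[:2])
    if bound is None:
        return None
    return parsed <= parse_panos_version(bound)


def triage(inventory):
    """Classify (hostname, version) pairs into affected/unaffected/unlisted."""
    report = {"affected": [], "unaffected": [], "unlisted": []}
    for host, version in inventory:
        status = is_affected_by_cve_2024_3400(version)
        key = "unlisted" if status is None else ("affected" if status else "unaffected")
        report[key].append(host)
    return report


if __name__ == "__main__":
    # Constructed sample inventory, not real hosts.
    sample = [("fw-edge-1", "11.1.2-h3"), ("fw-edge-2", "11.1.3"),
              ("fw-dc-1", "10.2.9"), ("fw-lab", "10.1.11-h4")]
    print(triage(sample))
```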

For mitigation, Palo Alto Networks recommended that customers with a Threat Prevention subscription block attacks by enabling Threat ID 95187, and ensure vulnerability protection is applied to their GlobalProtect interface. Temporarily disabling device telemetry is also listed as a workaround for customers unable to apply the Threat Prevention mitigation.

“Organizations with vulnerable versions of the operating system should take immediate actions to mitigate the threat by disabling features related to the vulnerability, where possible, and should be preparing to patch as soon as possible when the hotfix is released, while keeping a vigilant watch for potential malicious network traffic or code execution on the devices,” Erich Kron, security awareness advocate at KnowBe4, said in an email to SC Media.

Palo Alto Networks also published its own brief on the exploitation campaign, which it dubbed “Operation MidnightEclipse.” The report notes that exploitation is currently limited to one threat actor, but that “additional threat actors may attempt exploitation in the future.”

CVE-2024-3400 was also added to the U.S. Cybersecurity & Infrastructure Security Agency’s (CISA) Known Exploited Vulnerabilities (KEV) catalog on Friday.
