Exploit Code Released for Critical PAN-OS Vulnerability, Immediate Patching Urged
April 16, 2024
Exploit code for a high-risk vulnerability in Palo Alto Networks' PAN-OS firewall software is now publicly available. The vulnerability, tracked as CVE-2024-3400, allows unauthenticated threat actors to execute arbitrary code as root through command injection. It affects PAN-OS 10.2, PAN-OS 11.0, and PAN-OS 11.1 firewalls when both the device telemetry and GlobalProtect (gateway or portal) features are enabled.
Palo Alto Networks has begun rolling out hotfixes to secure firewalls exposed to attack. However, the vulnerability has been exploited in the wild since March 26th to backdoor firewalls with the Upstyle malware, pivot into internal networks, and steal data. The group behind these attacks is believed to be state-sponsored and is tracked as UTA0218.
Shadowserver, a security threat monitoring platform, reports seeing more than 156,000 PAN-OS firewall instances on the Internet daily, although it does not specify how many of these are vulnerable. Threat researcher Yutaka Sejiyama found over 82,000 firewalls vulnerable to CVE-2024-3400 on Friday, 40% of which were located in the United States.
WatchTowr Labs released a detailed analysis of the vulnerability and a proof-of-concept exploit that can execute shell commands on unpatched firewalls, a day after Palo Alto Networks began releasing hotfixes for CVE-2024-3400. 'As we can see, we inject our command injection payload into the SESSID cookie value - which, when a Palo Alto GlobalProtect appliance has telemetry enabled - is then concatenated into a string and ultimately executed as a shell command,' WatchTowr Labs stated. Justin Elze, TrustedSec's Chief Technology Officer, also shared an exploit seen in real attacks, which allows attackers to download the firewall's configuration file.
In response to these attacks, the Cybersecurity and Infrastructure Security Agency (CISA) added CVE-2024-3400 to its Known Exploited Vulnerabilities (KEV) catalog on Friday, instructing U.S. federal agencies to secure their devices within seven days, by April 19th. As a temporary measure, it is advised to disable the device telemetry feature on vulnerable devices until a patch is available. Furthermore, for those with an active 'Threat Prevention' subscription, activating 'Threat ID 95187' can block ongoing attacks.
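As an added defender-side example (not code from the article, WatchTowr Labs, or Palo Alto Networks), the check below inspects raw Cookie headers from GlobalProtect requests and flags any whose SESSID value does not look like a plain session token, since the article describes that cookie as the place where injected input lands. The token character set, the sample records, and the function names are assumptions; adjust the allow-list to the session-ID format your appliance actually emits.

```python
from __future__ import annotations

import re

# Assumption (not stated in the article): a legitimate GlobalProtect SESSID is a
# plain token, so an allow-list of token characters is used here instead of a
# deny-list of known payloads, which attackers can vary.
SESSID_TOKEN = re.compile(r"^[A-Za-z0-9_\-]+$")


def inspect_cookie_header(cookie_header: str) -> list[str]:
    """Return findings for one raw Cookie header; an empty list means clean."""
    findings: list[str] = []
    for raw in cookie_header.split(";"):
        part = raw.strip()
        if not part:
            continue  # tolerate a trailing ';' or doubled separators
        name, eq, value = part.partition("=")
        if not eq:
            # A segment without '=' is not a cookie pair. A ';'-separated
            # injection inside SESSID is split by a naive parser into exactly
            # this kind of segment, so it is reported rather than ignored.
            findings.append(f"malformed cookie segment: {part!r}")
        elif name.strip() == "SESSID" and not SESSID_TOKEN.fullmatch(value):
            findings.append(f"SESSID is not a plain token: {value!r}")
    return findings


# Constructed sample records (request id -> Cookie header); not real traffic.
SAMPLE_REQUESTS: dict[str, str] = {
    "req-1": "PHPSESSID=0k7qk2u; SESSID=b3f9c2d4e5a6",
    "req-2": "SESSID=b3f9c2d4$(uname)",
    "req-3": "SESSID=b3f9c2d4;`id`",
    "req-4": "lang=en; ",
}


def flag_requests(requests: dict[str, str]) -> dict[str, list[str]]:
    """Run the inspection over many records and keep only those with findings."""
    flagged: dict[str, list[str]] = {}
    for rid, header in requests.items():
        findings = inspect_cookie_header(header)
        if findings:
            flagged[rid] = findings
    return flagged


if __name__ == "__main__":
    for rid, findings in flag_requests(SAMPLE_REQUESTS).items():
        print(rid, findings)
```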