Siemens Developing Solution for Device Impacted by Palo Alto Firewall Vulnerability

April 23, 2024

Siemens is actively working on a fix for a critical zero-day vulnerability affecting its Ruggedcom APE1808 devices when they are configured with Palo Alto Networks' (PAN) Virtual NGFW. The bug was recently disclosed by PAN in its next-generation firewall product. The command injection vulnerability, tracked as CVE-2024-3400, impacts multiple versions of PAN-OS firewalls when certain features (the GlobalProtect gateway or portal) are enabled. Attackers have been exploiting this flaw to install a new Python backdoor on affected firewalls.

PAN released a patch for the flaw after it was discovered and reported by Volexity researchers earlier this month. The U.S. Cybersecurity and Infrastructure Security Agency (CISA) added CVE-2024-3400 to its Known Exploited Vulnerabilities catalog following reports of multiple groups exploiting the flaw. PAN has acknowledged an increasing number of attacks leveraging CVE-2024-3400 and has raised concerns about the public availability of proof-of-concept code for the flaw.

According to Siemens, its Ruggedcom APE1808 product, often used as edge devices in industrial control environments, is susceptible to this issue. All versions of the product with PAN Virtual NGFW configured with the GlobalProtect gateway or GlobalProtect portal, or both, are affected by the vulnerability.

Siemens has issued an advisory stating that it is developing updates for the bug. In the meantime, it has recommended specific countermeasures that customers should implement to reduce risk. These measures include using specific threat IDs released by PAN to block attacks targeting the vulnerability. Siemens' advisory also reiterated PAN's advice to disable the GlobalProtect gateway and GlobalProtect portal, noting that these features are already disabled by default in Ruggedcom APE1808 deployment environments.

Initially, PAN also suggested organizations disable device telemetry to protect against attacks targeting the flaw. However, this advice was later retracted due to its ineffectiveness. PAN noted, "Device telemetry does not need to be enabled for PAN-OS firewalls to be exposed to attacks related to this vulnerability."

Siemens has advised customers to protect network access to devices in industrial control environments with suitable mechanisms. Its operational guidelines for Industrial Security describe how the environment should be configured so that the devices operate in a protected IT environment.

The Shadowserver Foundation has identified approximately 5,850 vulnerable instances of PAN's NGFW exposed and accessible over the Internet as of April 22. Of these, around 2,360 seem to be located in North America, while Asia accounts for the next highest number with roughly 1,800 exposed instances. The exact number of these exposed instances in industrial control system (ICS) and operational technology (OT) settings is unknown.

However, Internet exposure remains a significant issue in ICS and OT environments. A recent investigation by Forescout identified nearly 110,000 Internet-facing ICS and OT systems worldwide, with the US accounting for 27% of the exposed instances. The report also highlighted a surge in Internet-exposed ICS/OT equipment in other countries. Forescout attributed the exposure partly to systems integrators shipping packaged bundles whose components inadvertently expose ICS and OT systems to the Internet.
