VULNERA Pulse

Palo Alto Networks — PAN-OS

CVE-2024-3400 / Added: April 12, 2024

CRITICAL CVSS 10.00 EPSS Score 0.37 EPSS Percentile 72.34

Palo Alto Networks PAN-OS GlobalProtect feature contains a command injection vulnerability that allows an unauthenticated attacker to execute commands with root privileges on the firewall.

Headlines

• April 15, 2024 - Palo Alto Networks Zero-Day Flaw Exploited in Targeted Attacks
• April 15, 2024 - CISA adds Palo Alto Networks PAN-OS Command Injection flaw to its Known Exploited Vulnerabilities catalog
• April 15, 2024 - Palo Alto Networks fixes zero-day exploited to backdoor firewalls
• April 15, 2024 - Threat actors exploited Palo Alto Pan-OS issue to deploy a Python Backdoor
• April 15, 2024 - Palo Alto Networks Releases Urgent Fixes for Exploited PAN-OS Vulnerability
• April 14, 2024 - Week in review: Palo Alto Networks firewalls under attack, Microsoft patches two exploited zero-days
• April 13, 2024 - Palo Alto Networks zero-day exploited since March to backdoor firewalls
• April 13, 2024 - Hackers Deploy Python Backdoor in Palo Alto Zero-Day Attack
• April 12, 2024 - Palo Alto Networks to fix exploited GlobalProtect zero-day
• April 12, 2024 - State-Sponsored Hackers Exploit Zero-Day to Backdoor Palo Alto Networks Firewalls
• April 12, 2024 - CVE-2024-3400 exploited: Unit 42, Volexity share more details about the attacks
• April 12, 2024 - Palo Alto Networks warns of PAN-OS firewall zero-day used in attacks
• April 12, 2024 - Palo Alto Networks Releases Guidance for Vulnerability in PAN-OS, CVE-2024-3400 | CISA
• April 12, 2024 - Palo Alto Networks Warns About Critical Zero-Day in PAN-OS
• April 12, 2024 - Zero-Day Alert: Critical Palo Alto Networks PAN-OS Flaw Under Active Attack
• April 12, 2024 - Palo Alto Networks firewalls under attack, hotfixes incoming! (CVE-2024-3400)
• April 12, 2024 - CVE-2024-3400 (CVSS 10): Critical 0-Day Flaw in Palo Alto Networks Firewall Software Exploited in the Wild

Back to top ↑

D-Link — Multiple NAS Devices

CVE-2024-3272 / Added: April 11, 2024

CRITICAL CVSS 9.80 EPSS Score 0.18 EPSS Percentile 54.28

D-Link DNS-320L, DNS-325, DNS-327L, and DNS-340L contains a hard-coded credential that allows an attacker to conduct authenticated command injection, leading to remote, unauthorized code execution.

Headlines

• April 11, 2024 - CISA adds D-Link multiple NAS devices bugs to its Known Exploited Vulnerabilities catalog
• April 9, 2024 - Critical Flaws Leave 92,000 D-Link NAS Devices Vulnerable to Malware Attacks

Back to top ↑

D-Link — Multiple NAS Devices

CVE-2024-3273 / Added: April 11, 2024

HIGH CVSS 7.30 EPSS Score 0.47 EPSS Percentile 75.28

D-Link DNS-320L, DNS-325, DNS-327L, and DNS-340L contain a command injection vulnerability. When combined with CVE-2024-3272, this can lead to remote, unauthorized code execution.

Headlines

• April 14, 2024 - Week in review: Palo Alto Networks firewalls under attack, Microsoft patches two exploited zero-days
• April 11, 2024 - CISA adds D-Link multiple NAS devices bugs to its Known Exploited Vulnerabilities catalog
• April 9, 2024 - 92K D-Link NAS Devices Open to Critical Command-Injection Bug
• April 9, 2024 - Over 90,000 D-Link NAS Devices Are Under Attack
• April 9, 2024 - Exploitation Attempts Target Unpatched Flaw Affecting Many D-Link NAS Devices
• April 9, 2024 - Critical Flaws Leave 92,000 D-Link NAS Devices Vulnerable to Malware Attacks
• April 8, 2024 - Critical RCE bug in 92,000 D-Link NAS devices now exploited in attacks
• April 8, 2024 - 92,000+ internet-facing D-Link NAS devices accessible via "backdoor" account (CVE-2024-3273)
• April 7, 2024 - +92,000 Internet-facing D-Link NAS devices can be easily hacked
• April 6, 2024 - Over 92,000 exposed D-Link NAS devices have a backdoor account
• April 4, 2024 - CVE-2024-3273: D-Link NAS Vulnerability Threatens 92,000 Devices

Back to top ↑

CVE-2024-3400

CRITICAL CVSS 10.00 EPSS Score 0.37 EPSS Percentile 72.34

CISA Known Exploited Actively Exploited Remote Code Execution Public Exploits Available

Published: April 12, 2024

A command injection vulnerability in the GlobalProtect feature of Palo Alto Networks PAN-OS software for specific PAN-OS versions and distinct feature configurations may enable an unauthenticated attacker to execute arbitrary code with root privileges on the firewall. Cloud NGFW, Panorama appliances, and Prisma Access are not impacted by this vulnerability.

Vendor Impacted: Palo Alto Networks

Product Impacted: Pan-Os

Quotes

• Palo Alto Networks is aware of a limited number of attacks that leverage the exploitation of this vulnerability
• Distinct feature configurations may enable an unauthenticated attacker to execute arbitrary code with root privileges on the firewall
• The threat actor, which Volexity tracks under the alias UTA0218, was able to remotely exploit the firewall device, create a reverse shell, and download further tools onto the device
• A command injection vulnerability in the GlobalProtect feature of Palo Alto Networks PAN-OS software for specific PAN-OS versions and distinct feature configurations may enable an unauthenticated attacker to execute arbitrary code with root privileges on the firewall
• Palo Alto Networks is aware of malicious exploitation of this issue. We are tracking the initial exploitation of this vulnerability under the name Operation MidnightEclipse, as we assess with high confidence that known exploitation we’ve analyzed thus far is limited to a single threat actor
• We are tracking the initial exploitation of this vulnerability under the name Operation MidnightEclipse, as we assess with high confidence that known exploitation we’ve analyzed thus far is limited to a single threat actor. We also assess that additional threat actors may attempt exploitation in the future

Headlines

• April 12, 2024 - Palo Alto Networks to fix exploited GlobalProtect zero-day
• April 12, 2024 - State-Sponsored Hackers Exploit Zero-Day to Backdoor Palo Alto Networks Firewalls
• April 12, 2024 - CVE-2024-3400 exploited: Unit 42, Volexity share more details about the attacks
• April 12, 2024 - Palo Alto Networks warns of PAN-OS firewall zero-day used in attacks
• April 12, 2024 - Palo Alto Networks Releases Guidance for Vulnerability in PAN-OS, CVE-2024-3400 | CISA
• April 12, 2024 - Palo Alto Networks Warns About Critical Zero-Day in PAN-OS
• April 12, 2024 - Zero-Day Alert: Critical Palo Alto Networks PAN-OS Flaw Under Active Attack
• April 12, 2024 - Palo Alto Networks firewalls under attack, hotfixes incoming! (CVE-2024-3400)
• April 12, 2024 - CVE-2024-3400 (CVSS 10): Critical 0-Day Flaw in Palo Alto Networks Firewall Software Exploited in the Wild

CVE-2024-24576

CRITICAL CVSS 10.00 EPSS Score 0.04 EPSS Percentile 12.05

Remote Code Execution Public Exploits Available

Published: April 9, 2024

Rust is a programming language. The Rust Security Response WG was notified that the Rust standard library prior to version 1.77.2 did not properly escape arguments when invoking batch files (with the `bat` and `cmd` extensions) on Windows using the `Command`. An attacker able to control the arguments passed to the spawned process could execute arbitrary shell commands by bypassing the escaping. The severity of this vulnerability is critical for those who invoke batch files on Windows with untrusted arguments. No other platform or use is affected. The `Command::arg` and `Command::args` APIs state in their documentation that the arguments will be passed to the spawned process as-is, regardless of the content of the arguments, and will not be evaluated by a shell. This means it should be safe to pass untrusted input as an argument. On Windows, the implementation of this is more complex than other platforms, because the Windows API only provides a single string containing all the arguments to the spawned process, and it's up to the spawned process to split them. Most programs use the standard C run-time argv, which in practice results in a mostly consistent way arguments are splitted. One exception though is `cmd.exe` (used among other things to execute batch files), which has its own argument splitting logic. That forces the standard library to implement custom escaping for arguments passed to batch files. Unfortunately it was reported that our escaping logic was not thorough enough, and it was possible to pass malicious arguments that would result in arbitrary shell execution. Due to the complexity of `cmd.exe`, we didn't identify a solution that would correctly escape arguments in all cases. To maintain our API gua...
Please see the NVD entry for the full description.

Quotes

• Properly escape arguments when invoking batch files (with the `bat` and `cmd` extensions) on Windows using the `Command`
• An attacker able to control the arguments passed to the spawned process could execute arbitrary shell commands by bypassing the escaping
• The Rust standard library did not properly escape arguments when invoking batch files (with the bat and cmd extensions) on Windows using the Command API
• The Rust Security Response WG was notified that the Rust standard library did not properly escape arguments when invoking batch files (with the bat and cmd extensions) on Windows using the Command API
• Overall, Rust's memory safety is a notable advantage, but developers must also pay close attention to the potential for logical bugs to ensure the overall security and reliability of their Rust-based applications
• CreateProcess() implicitly spawns cmd.exe when executing batch files (.bat, .cmd, etc.), even if the application didn’t specify them in the command line. The problem is that the cmd.exe has complicated parsing rules for the command arguments, and programming language runtimes fail to escape the command arguments properly

Headlines

• April 11, 2024 - Critical Rust Flaw Poses Exploit Threat in Specific Windows Use Cases
• April 10, 2024 - Rust addresses critical vulnerability on Windows
• April 10, 2024 - Windows: New 'BatBadBut' Rust Vulnerability Given Highest CVSS Score
• April 10, 2024 - Rust runs into trouble on Windows
• April 10, 2024 - Critical 'BatBadBut' Rust Vulnerability Exposes Windows Systems to Attacks
• April 9, 2024 - Critical Rust flaw enables Windows command injection attacks
• April 9, 2024 - CVE-2024-24576 (CVSS 10): Rust Flaw Exposes Windows Systems to Command Injection Attacks

CVE-2024-29988

HIGH CVSS 8.80 EPSS Score 0.07 EPSS Percentile 27.52

Actively Exploited Remote Code Execution Public Exploits Available

Published: April 9, 2024

SmartScreen Prompt Security Feature Bypass Vulnerability

Quotes

• We have evidence this is being exploited in the wild, and I'm listing it as such
• The file’s metadata indicates that it is a ‘Catalog Authentication Client Service’ by
• This is the largest release from Microsoft this year and the largest since at least 2017
• Microsoft patched 147 CVEs in April, the largest number of CVEs patched in a month since we began tracking this data in 2017
• Threat actors are sending exploits in a zipped file to evade EDR/NDR detection and then using this bug (and others) to bypass MotW
• A marketing software ... [that] can connect hundreds of mobile phones and control them in batches, and automate tasks like batch following, liking, and commenting
• Microsoft fixed a SmartScreen Prompt security feature bypass vulnerability this month with CVE-2024-29988, which is credited to some of the same researchers that disclosed a similar flaw in February (CVE-2024-21412) that was exploited as a zero-day

Headlines

• April 11, 2024 - One of Microsoft’s biggest Windows 11 updates yet brought a massive number of security flaw fixes
• April 11, 2024 - Microsoft fixed two zero-day flaws exploited in malware attacks
• April 10, 2024 - Microsoft unleashes 157 bug fixes
• April 10, 2024 - Microsoft Patches Tuesday security updates for April 2024 fixed hundreds of issues
• April 10, 2024 - Microsoft Patches 150 Flaws Including Two Zero-Days
• April 10, 2024 - Microsoft Fixes 149 Flaws in Huge April Patch Release, Zero-Days Included
• April 10, 2024 - Microsoft security bypass bug said to be under exploit
• April 9, 2024 - Microsoft fixes two Windows zero-days exploited in malware attacks
• April 9, 2024 - Microsoft Patch Tuesday Tsunami: No Zero-Days, but an Asterisk
• April 9, 2024 - April’s Patch Tuesday Brings Record Number of Fixes –
• April 9, 2024 - CVE-2024-29988: 'In-the-Wild' Flaw Among Microsoft's April 2024 Patch Tuesday
• April 9, 2024 - Microsoft patches actively exploited security feature bypass vulnerability (CVE-2024-29988)
• April 9, 2024 - Critical Patches Issued for Microsoft Products, April 09, 2024

CVE-2024-29053

HIGH CVSS 8.80 EPSS Score 0.04 EPSS Percentile 8.02

Remote Code Execution

Published: April 9, 2024

Microsoft Defender for IoT Remote Code Execution Vulnerability

Quotes

• We have evidence this is being exploited in the wild, and I'm listing it as such
• The file’s metadata indicates that it is a ‘Catalog Authentication Client Service’ by

Headlines

• April 10, 2024 - Microsoft unleashes 157 bug fixes
• April 10, 2024 - Microsoft Patches Tuesday security updates for April 2024 fixed hundreds of issues
• April 10, 2024 - Microsoft Patches 150 Flaws Including Two Zero-Days
• April 10, 2024 - Microsoft security bypass bug said to be under exploit
• April 9, 2024 - April’s Patch Tuesday includes 150 vulnerabilities, 60 which could lead to remote code execution

CVE-2024-21323

HIGH CVSS 8.80 EPSS Score 0.04 EPSS Percentile 8.02

Remote Code Execution

Published: April 9, 2024

Microsoft Defender for IoT Remote Code Execution Vulnerability

Quotes

• We have evidence this is being exploited in the wild, and I'm listing it as such
• The file’s metadata indicates that it is a ‘Catalog Authentication Client Service’ by

Headlines

• April 10, 2024 - Microsoft unleashes 157 bug fixes
• April 10, 2024 - Microsoft Patches Tuesday security updates for April 2024 fixed hundreds of issues
• April 10, 2024 - Microsoft Patches 150 Flaws Including Two Zero-Days
• April 10, 2024 - Microsoft security bypass bug said to be under exploit
• April 9, 2024 - April’s Patch Tuesday includes 150 vulnerabilities, 60 which could lead to remote code execution

CVE-2024-21412

HIGH CVSS 8.10 EPSS Score 0.36 EPSS Percentile 72.00

CISA Known Exploited Actively Exploited Remote Code Execution Public Exploits Available

Published: Feb. 13, 2024

Internet Shortcut Files Security Feature Bypass Vulnerability

Vendor Impacted: Microsoft

Products Impacted: Windows Server 2022, Windows Server 2019, Windows 11 22h2, Windows, Windows Server 2022 23h2, Windows 11 21h2, Windows 10 22h2, Windows 10 1809, Windows 10 21h2, Windows 11 23h2

Quotes

• This is the largest release from Microsoft this year and the largest since at least 2017
• Microsoft patched 147 CVEs in April, the largest number of CVEs patched in a month since we began tracking this data in 2017
• Threat actors are sending exploits in a zipped file to evade EDR/NDR detection and then using this bug (and others) to bypass MotW
• A marketing software ... [that] can connect hundreds of mobile phones and control them in batches, and automate tasks like batch following, liking, and commenting
• Microsoft fixed a SmartScreen Prompt security feature bypass vulnerability this month with CVE-2024-29988, which is credited to some of the same researchers that disclosed a similar flaw in February (CVE-2024-21412) that was exploited as a zero-day

Headlines

• April 10, 2024 - Microsoft Patches 150 Flaws Including Two Zero-Days
• April 10, 2024 - Microsoft Fixes 149 Flaws in Huge April Patch Release, Zero-Days Included
• April 9, 2024 - Microsoft fixes two Windows zero-days exploited in malware attacks
• April 9, 2024 - Microsoft Patch Tuesday Tsunami: No Zero-Days, but an Asterisk
• April 9, 2024 - April’s Patch Tuesday Brings Record Number of Fixes –
• April 9, 2024 - Microsoft patches actively exploited security feature bypass vulnerability (CVE-2024-29988)

CVE-2024-3273

HIGH CVSS 7.30 EPSS Score 0.47 EPSS Percentile 75.28

CISA Known Exploited Actively Exploited Remote Code Execution Public Exploits Available

Published: April 4, 2024

** UNSUPPORTED WHEN ASSIGNED ** A vulnerability, which was classified as critical, was found in D-Link DNS-320L, DNS-325, DNS-327L and DNS-340L up to 20240403. Affected is an unknown function of the file /cgi-bin/nas_sharing.cgi of the component HTTP GET Request Handler. The manipulation of the argument system leads to command injection. It is possible to launch the attack remotely. The exploit has been disclosed to the public and may be used. The identifier of this vulnerability is VDB-259284. NOTE: This vulnerability only affects products that are no longer supported by the maintainer. NOTE: Vendor was contacted early and confirmed immediately that the product is end-of-life. It should be retired and replaced.

Vendor Impacted: D-Link

Product Impacted: Multiple Nas Devices

Quotes

• We have started to see scans/exploits from multiple IPs for CVE-2024-3273
• The described vulnerability affects multiple D-Link NAS devices, including models DNS-340L, DNS-320L, DNS-327L, and DNS-325, among others
• The vulnerability lies within the nas_sharing.cgi uri, which is vulnerable due to two main issues: a backdoor facilitated by hardcoded credentials, and a command injection vulnerability via the system parameter
• Successful exploitation of this vulnerability could allow an attacker to execute arbitrary commands on the system, potentially leading to unauthorized access to sensitive information, modification of system configurations, or denial of service conditions

Headlines

• April 11, 2024 - CISA adds D-Link multiple NAS devices bugs to its Known Exploited Vulnerabilities catalog
• April 9, 2024 - 92K D-Link NAS Devices Open to Critical Command-Injection Bug
• April 9, 2024 - Over 90,000 D-Link NAS Devices Are Under Attack
• April 9, 2024 - Exploitation Attempts Target Unpatched Flaw Affecting Many D-Link NAS Devices
• April 9, 2024 - Critical Flaws Leave 92,000 D-Link NAS Devices Vulnerable to Malware Attacks
• April 8, 2024 - Critical RCE bug in 92,000 D-Link NAS devices now exploited in attacks
• April 8, 2024 - 92,000+ internet-facing D-Link NAS devices accessible via "backdoor" account (CVE-2024-3273)
• April 7, 2024 - +92,000 Internet-facing D-Link NAS devices can be easily hacked
• April 6, 2024 - Over 92,000 exposed D-Link NAS devices have a backdoor account

CVE-2024-21322

HIGH CVSS 7.20 EPSS Score 0.04 EPSS Percentile 8.02

Remote Code Execution

Published: April 9, 2024

Microsoft Defender for IoT Remote Code Execution Vulnerability

Quotes

• We have evidence this is being exploited in the wild, and I'm listing it as such
• The file’s metadata indicates that it is a ‘Catalog Authentication Client Service’ by

Headlines

• April 10, 2024 - Microsoft unleashes 157 bug fixes
• April 10, 2024 - Microsoft Patches Tuesday security updates for April 2024 fixed hundreds of issues
• April 10, 2024 - Microsoft Patches 150 Flaws Including Two Zero-Days
• April 10, 2024 - Microsoft security bypass bug said to be under exploit
• April 9, 2024 - April’s Patch Tuesday includes 150 vulnerabilities, 60 which could lead to remote code execution

CVE-2024-26234

MEDIUM CVSS 6.70 EPSS Score 0.04 EPSS Percentile 8.02

Actively Exploited Remote Code Execution

Published: April 9, 2024

Proxy Driver Spoofing Vulnerability

Quotes

• We have evidence this is being exploited in the wild, and I'm listing it as such
• The file’s metadata indicates that it is a ‘Catalog Authentication Client Service’ by
• A marketing software…[that] can connect hundreds of mobile phones and control them in batches, and automate tasks like batch following, liking, and commenting
• A marketing software ... [that] can connect hundreds of mobile phones and control them in batches, and automate tasks like batch following, liking, and commenting
• Just as we did in 2022, we immediately reported our findings to the Microsoft Security Response Center. After validating our discovery, the team at Microsoft has added the relevant files to its revocation list (updated today as part of the usual Patch Tuesday cycle; see CVE-2024-26234)

Headlines

• April 11, 2024 - One of Microsoft’s biggest Windows 11 updates yet brought a massive number of security flaw fixes
• April 11, 2024 - Microsoft fixed two zero-day flaws exploited in malware attacks
• April 10, 2024 - Microsoft unleashes 157 bug fixes
• April 10, 2024 - Microsoft Patches Tuesday security updates for April 2024 fixed hundreds of issues
• April 10, 2024 - Microsoft Patches 150 Flaws Including Two Zero-Days
• April 10, 2024 - A tumultuous, titanic Patch Tuesday as Microsoft makes some changes
• April 10, 2024 - Microsoft Fixes 149 Flaws in Huge April Patch Release, Zero-Days Included
• April 10, 2024 - CVE-2024-26234: Windows 0-day flaw exploited in malware attacks
• April 10, 2024 - Microsoft security bypass bug said to be under exploit
• April 9, 2024 - Microsoft fixes two Windows zero-days exploited in malware attacks
• April 9, 2024 - Smoke and (screen) mirrors: A strange signed backdoor