Palo Alto Networks has shared remediation steering for a lately disclosed essential security flaw impacting PAN-OS that has come below energetic exploitation.
The vulnerability, tracked as CVE-2024-3400 (CVSS rating: 10.0), could possibly be weaponized to acquire unauthenticated distant shell command execution on vulnerable units. It has been addressed in a number of variations of PAN-OS 10.2.x, 11.0.x, and 11.1.x.
There’s proof to counsel that the problem has been exploited as a zero-day since a minimum of March 26, 2024, by a risk cluster tracked as UTA0218.
The exercise, codenamed Operation MidnightEclipse, entails the usage of the flaw to drop a Python-based backdoor known as UPSTYLE that is able to executing instructions transmitted by way of specifically crafted requests.
The intrusions haven’t been linked to a identified risk actor or group, but it surely’s suspected to be a state-backed hacking crew given the tradecraft and the victimology noticed.
The newest remediation recommendation supplied by Palo Alto Networks relies on the extent of compromise –
- Stage 0 Probe: Unsuccessful exploitation try – Replace to the newest supplied hotfix
- Stage 1 Check: Proof of vulnerability being examined on the gadget, together with the creation of an empty file on the firewall however no execution of unauthorized instructions – Replace to the newest supplied hotfix
- Stage 2 Potential Exfiltration: Indicators the place information like “running_config.xml” are copied to a location that’s accessible by way of internet requests – Replace to the newest supplied hotfix and carry out a Non-public Data Reset
- Stage 3 Interactive entry: Proof of interactive command execution, such because the introduction of backdoors and different malicious code – Replace to the newest supplied hotfix and carry out a Manufacturing unit Reset
“Performing a non-public information reset eliminates dangers of potential misuse of gadget information,” Palo Alto Networks stated. “A manufacturing unit reset is advisable as a result of proof of extra invasive risk actor exercise.”
