
Palo Alto Networks Releases Urgent Fixes for Exploited PAN-OS Vulnerability

Palo Alto Networks has released hotfixes to address a maximum-severity security flaw affecting PAN-OS software that has come under active exploitation in the wild.

Tracked as CVE-2024-3400 (CVSS score: 10.0), the critical vulnerability is a command injection in the GlobalProtect feature that an unauthenticated attacker could weaponize to execute arbitrary code with root privileges on the firewall.

Fixes for the flaw are available in the following versions –

  • PAN-OS 10.2.9-h1
  • PAN-OS 11.0.4-h1, and
  • PAN-OS 11.1.2-h3

Patches for other commonly deployed maintenance releases are expected to be released over the next few days.


“This issue is applicable only to PAN-OS 10.2, PAN-OS 11.0, and PAN-OS 11.1 firewalls configured with GlobalProtect gateway or GlobalProtect portal (or both) and device telemetry enabled,” the company clarified in its updated advisory.

It also noted that while Cloud NGFW firewalls are not impacted by CVE-2024-3400, specific PAN-OS versions and particular feature configurations of firewall VMs deployed and managed by customers in the cloud are affected.
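The fixed versions listed above and the configuration conditions in the advisory (affected release train, GlobalProtect portal or gateway enabled, device telemetry enabled) can be turned into a fleet triage check. The following is an added example written for this article, not vendor or Unit 42 code; the hostnames and settings in the sample inventory are constructed, and it assumes that a firewall in an affected train counts as patched only when its version is at or above the fix named here for that train, so earlier maintenance releases are flagged conservatively until their own hotfix is published.

```python
"""Constructed triage helper for CVE-2024-3400 (added example, not vendor code)."""
import re
from typing import NamedTuple


class PanOsVersion(NamedTuple):
    """PAN-OS version split into comparable fields; hotfix is 0 when absent."""
    major: int
    minor: int
    patch: int
    hotfix: int


# Accepts "10.2.9" or "10.2.9-h1"; the -hN suffix is the hotfix number.
VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:-h(\d+))?$")

# Fixed releases named in the advisory, keyed by release train.
FIXED = {"10.2": "10.2.9-h1", "11.0": "11.0.4-h1", "11.1": "11.1.2-h3"}


def parse_version(text: str) -> PanOsVersion:
    m = VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"not a PAN-OS version string: {text!r}")
    major, minor, patch, hotfix = m.groups()
    return PanOsVersion(int(major), int(minor), int(patch), int(hotfix or 0))


def assess(version: str, gp_portal: bool, gp_gateway: bool, telemetry: bool) -> str:
    """Classify one firewall against the advisory's conditions.
    Assumption: at or above the named fix for the train means patched;
    anything earlier in that train is treated as vulnerable (conservative)."""
    v = parse_version(version)
    train = f"{v.major}.{v.minor}"
    if train not in FIXED:
        return "not-affected: release train outside 10.2/11.0/11.1"
    if not (gp_portal or gp_gateway):
        return "not-affected: no GlobalProtect portal or gateway configured"
    if not telemetry:
        return "not-affected: device telemetry disabled"
    if v >= parse_version(FIXED[train]):  # NamedTuple compares field by field
        return "patched"
    return f"vulnerable: upgrade to {FIXED[train]} or later"


# Constructed sample inventory (hostnames and settings are made up).
SAMPLE_INVENTORY = [
    {"host": "fw-edge-1", "version": "10.2.8", "portal": True, "gateway": True, "telemetry": True},
    {"host": "fw-edge-2", "version": "11.1.2-h3", "portal": False, "gateway": True, "telemetry": True},
    {"host": "fw-dc-1", "version": "11.0.4", "portal": True, "gateway": False, "telemetry": False},
    {"host": "fw-lab", "version": "10.1.11", "portal": True, "gateway": True, "telemetry": True},
]


def triage(inventory):
    """Map each host to its assessment string."""
    return {r["host"]: assess(r["version"], r["portal"], r["gateway"], r["telemetry"]) for r in inventory}
```

Hosts reported as vulnerable should be upgraded first; a "not-affected" result based on telemetry or GlobalProtect being disabled depends on the running configuration being read accurately, so confirm it against the device rather than an inventory spreadsheet.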


The exact origins of the threat actor exploiting the flaw are currently unknown, but Palo Alto Networks Unit 42 is tracking the malicious activity under the name Operation MidnightEclipse.

Volexity, which attributed it to a cluster dubbed UTA0218, said CVE-2024-3400 has been leveraged since at least March 26, 2024, to deliver a Python-based backdoor called UPSTYLE on the firewall that allows for the execution of arbitrary commands via specially crafted requests.

It's unclear how widespread the exploitation has been, but the threat intelligence firm said it has “evidence of potential reconnaissance activity involving more widespread exploitation aimed at identifying vulnerable systems.”

In attacks documented to date, UTA0218 has been observed deploying additional payloads to launch reverse shells, exfiltrate PAN-OS configuration data, remove log files, and deploy the Golang tunneling tool named GOST (GO Simple Tunnel).

No other follow-up malware or persistence methods are said to have been deployed on victim networks, although it is unknown whether that is by design or due to early detection and response.
