Exploit launched for Palo Alto PAN-OS bug utilized in assaults, patch now

Exploit code is now out there for a most severity and actively exploited vulnerability in Palo Alto Networks’ PAN-OS firewall software program.

Tracked as CVE-2024-3400, this safety flaw can let unauthenticated menace actors execute arbitrary code as root through command injection in low-complexity assaults on susceptible PAN-OS 10.2, PAN-OS 11.0, and PAN-OS 11.1 firewalls if the system telemetry and GlobalProtect (gateway or portal) function are enabled.

Whereas Palo Alto Networks has began releasing hotfixes on Monday to safe unpatched firewalls uncovered to assaults, the vulnerability has been exploited within the wild as a zero-day since March twenty sixth to backdoor firewalls utilizing Upstyle malware, pivot to inside networks, and steal information by a menace group believed to be state-sponsored and tracked as UTA0218..

Safety menace monitoring platform Shadowserver says it sees greater than 156,000 PAN-OS firewall situations on the Web day by day; nevertheless, it would not present data on what number of are susceptible.

On Friday, menace researcher Yutaka Sejiyama additionally discovered over 82,000 firewalls susceptible to CVE-2024-34000 assaults, 40% of which have been in america.

Internet-exposed PAN-OS firewalls
Web-exposed PAN-OS firewalls (Shadowserver)

​Exploit code now publicly out there

Someday after Palo Alto Networks began releasing CVE-2024-3400 hotfixes, watchTowr Labs additionally launched a detailed evaluation of the vulnerability and a proof-of-concept exploit that can be utilized to execute shell instructions on unpatched firewalls.

“As we can see, we inject our command injection payload into the SESSID cookie value – which, when a Palo Alto GlobalProtect appliance has telemetry enabled – is then concatenated into a string and ultimately executed as a shell command,” watchTowr Labs stated.

TrustedSec Chief Expertise Officer Justin Elze additionally shared an exploit seen in precise assaults, permitting attackers to obtain the firewall’s configuration file.

In response to the assaults, CISA added CVE-2024-3400 to its Recognized Exploited Vulnerabilities (KEV) catalog on Friday, ordering U.S. federal companies to safe their gadgets inside seven days by April nineteenth.

In the event you’re nonetheless ready for a hotfix, disable the system telemetry function on susceptible gadgets till a patch is on the market.

Moreover, if in case you have an energetic ‘Menace Prevention’ subscription, you’ll be able to block ongoing assaults by activating ‘Menace ID 95187’ menace prevention-based mitigation.

Recent articles

LEAVE A REPLY

Please enter your comment!
Please enter your name here