Palo Alto Networks Outlines Remediation for Critical PAN-OS Flaw Under Attack

Apr 26, 2024 Newsroom Network Security / Zero-Day

Palo Alto Networks has shared remediation guidance for a recently disclosed critical security flaw impacting PAN-OS that has come under active exploitation.

The vulnerability, tracked as CVE-2024-3400 (CVSS score: 10.0), could be weaponized to obtain unauthenticated remote shell command execution on susceptible devices. It has been addressed in multiple versions of PAN-OS 10.2.x, 11.0.x, and 11.1.x.

There is evidence to suggest that the issue has been exploited as a zero-day since at least March 26, 2024, by a threat cluster tracked as UTA0218.

The activity, codenamed Operation MidnightEclipse, involves the use of the flaw to drop a Python-based backdoor called UPSTYLE that is capable of executing commands transmitted via specially crafted requests.


The intrusions have not been linked to a known threat actor or group, but they are suspected to be the work of a state-backed hacking crew given the tradecraft and the victimology observed.

The latest remediation advice provided by Palo Alto Networks is based on the level of compromise observed on the device:

  • Level 0 Probe: Unsuccessful exploitation attempt. Update to the latest provided hotfix.
  • Level 1 Test: Evidence of the vulnerability being tested on the device, including the creation of an empty file on the firewall but no execution of unauthorized commands. Update to the latest provided hotfix.
  • Level 2 Potential Exfiltration: Indicators that files such as "running_config.xml" have been copied to a location that is accessible via web requests. Update to the latest provided hotfix and perform a Private Data Reset.
  • Level 3 Interactive access: Evidence of interactive command execution, such as the introduction of backdoors and other malicious code. Update to the latest provided hotfix and perform a Factory Reset.

“Performing a private data reset eliminates risks of potential misuse of device data,” Palo Alto Networks stated. “A factory reset is recommended due to evidence of more invasive threat actor activity.”
