Palo Alto Networks has released hotfixes to address a maximum-severity security flaw in its PAN-OS software that has come under active exploitation in the wild.
Tracked as CVE-2024-3400 (CVSS score: 10.0), the critical vulnerability is a command injection in the GlobalProtect feature that an unauthenticated attacker could weaponize to execute arbitrary code with root privileges on the firewall.
Fixes for the vulnerability are available in the following versions:
- PAN-OS 10.2.9-h1
- PAN-OS 11.0.4-h1
- PAN-OS 11.1.2-h3
Patches for other commonly deployed maintenance releases are expected to be released over the next few days.
“This issue is applicable only to PAN-OS 10.2, PAN-OS 11.0, and PAN-OS 11.1 firewalls configured with GlobalProtect gateway or GlobalProtect portal (or both) and device telemetry enabled,” the company clarified in its updated advisory.
It also said that while Cloud NGFW firewalls are not impacted by CVE-2024-3400, specific PAN-OS versions and distinct feature configurations of firewall VMs deployed and managed by customers in the cloud are affected.
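The affected-version and configuration conditions above are easy to get wrong by hand because PAN-OS versions carry a `-hN` hotfix suffix that a plain string comparison mishandles. The following triage helper is an added example, not code from Palo Alto Networks or from the original article. It encodes only the three fixed hotfixes and the configuration condition (GlobalProtect portal or gateway plus device telemetry) exactly as quoted on this page; it does not know about hotfixes for other maintenance releases, so a version such as 10.2.8 on an in-scope release line is reported as having no fix listed here rather than as patched or vulnerable. The `assess` function and its status strings are this example's own names.

```python
import re
from typing import NamedTuple, Optional

# PAN-OS version strings look like "11.1.2" or "11.1.2-h3"; the -hN suffix is a hotfix
# on top of the maintenance release and must compare numerically, not as text.
VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:-h(\d+))?$")


class PanOsVersion(NamedTuple):
    major: int
    minor: int
    maint: int
    hotfix: int  # 0 when the string carries no -hN suffix

    @property
    def release_line(self) -> tuple:
        # e.g. (11, 1) for "11.1.2-h3": the advisory scopes impact by release line
        return (self.major, self.minor)

    @property
    def maint_release(self) -> tuple:
        # e.g. (11, 1, 2): hotfixes only apply within one maintenance release
        return (self.major, self.minor, self.maint)


def parse_version(text: str) -> PanOsVersion:
    m = VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognized PAN-OS version string: {text!r}")
    major, minor, maint, hotfix = m.groups()
    return PanOsVersion(int(major), int(minor), int(maint), int(hotfix or 0))


# Fixed versions as listed in the advisory quoted on this page (assumption: this list is
# complete only as of that advisory; later hotfixes for other maintenance releases are
# not represented here).
FIXED_VERSIONS = {parse_version(v) for v in ("10.2.9-h1", "11.0.4-h1", "11.1.2-h3")}
AFFECTED_RELEASE_LINES = {v.release_line for v in FIXED_VERSIONS}

STATUS_OUT_OF_SCOPE = "not affected: release line not in advisory scope"
STATUS_CONFIG_NOT_MET = "not affected: required GlobalProtect/telemetry configuration absent"
STATUS_PATCHED = "patched"
STATUS_NO_FIX_LISTED = "exposed: no fix listed here for this maintenance release"
STATUS_VULNERABLE = "vulnerable: below the fixed hotfix for this maintenance release"


def find_fix(version: PanOsVersion) -> Optional[PanOsVersion]:
    """Return the listed fixed hotfix on the same maintenance release, if any."""
    for fix in FIXED_VERSIONS:
        if fix.maint_release == version.maint_release:
            return fix
    return None


def assess(version_text: str, globalprotect_portal_or_gateway: bool, device_telemetry: bool) -> str:
    """Classify a firewall against the CVE-2024-3400 conditions quoted on this page."""
    version = parse_version(version_text)
    if version.release_line not in AFFECTED_RELEASE_LINES:
        return STATUS_OUT_OF_SCOPE
    if not (globalprotect_portal_or_gateway and device_telemetry):
        return STATUS_CONFIG_NOT_MET
    fix = find_fix(version)
    if fix is None:
        return STATUS_NO_FIX_LISTED
    # NamedTuple ordering compares (major, minor, maint, hotfix) numerically, so
    # "11.1.2-h10" correctly sorts above "11.1.2-h3".
    return STATUS_PATCHED if version >= fix else STATUS_VULNERABLE


if __name__ == "__main__":
    # Constructed sample inventory, not real devices.
    inventory = [
        ("fw-edge-01", "11.1.2-h2", True, True),
        ("fw-edge-02", "11.1.2-h3", True, True),
        ("fw-dc-01", "10.2.8", True, True),
        ("fw-lab-01", "11.0.4-h1", False, True),
        ("fw-old-01", "9.1.17", True, True),
    ]
    for name, ver, gp, telemetry in inventory:
        print(f"{name:12} {ver:12} {assess(ver, gp, telemetry)}")
```

Use it to prioritise which devices to hotfix first; devices reported with no fix listed here still meet the vulnerable configuration and should be treated as exposed until a hotfix for their maintenance release ships.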
The exact origins of the threat actor exploiting the flaw are presently unknown, but Palo Alto Networks Unit 42 is tracking the malicious activity under the name Operation MidnightEclipse.
Volexity, which attributed it to a cluster dubbed UTA0218, said CVE-2024-3400 has been exploited since at least March 26, 2024, to deliver a Python-based backdoor called UPSTYLE on the firewall that allows for the execution of arbitrary commands via specially crafted requests.
It's unclear how widespread the exploitation has been, but the threat intelligence firm said it has “evidence of potential reconnaissance activity involving more widespread exploitation aimed at identifying vulnerable systems.”
In attacks documented so far, UTA0218 has been observed deploying additional payloads to launch reverse shells, exfiltrate PAN-OS configuration data, remove log files, and deploy the Golang tunneling tool named GOST (GO Simple Tunnel).
No other follow-up malware or persistence methods are said to have been deployed on victim networks, although it is unknown whether that is by design or due to early detection and response.