Palo Alto Networks Releases Urgent Fixes for Exploited PAN-OS Vulnerability


Palo Alto Networks has released hotfixes to address a maximum-severity security flaw in PAN-OS software that has come under active exploitation in the wild.

Tracked as CVE-2024-3400 (CVSS score: 10.0), the critical vulnerability is a command injection in the GlobalProtect feature that an unauthenticated attacker could weaponize to execute arbitrary code with root privileges on the firewall.

Fixes for the flaw are available in the following versions –

  • PAN-OS 10.2.9-h1
  • PAN-OS 11.0.4-h1, and
  • PAN-OS 11.1.2-h3

Patches for other commonly deployed maintenance releases are expected to be released over the next few days.


“This issue is applicable only to PAN-OS 10.2, PAN-OS 11.0, and PAN-OS 11.1 firewalls configured with GlobalProtect gateway or GlobalProtect portal (or both) and device telemetry enabled,” the company clarified in its updated advisory.

It also said that while Cloud NGFW firewalls are not impacted by CVE-2024-3400, specific PAN-OS versions and distinct feature configurations of firewall VMs deployed and managed by customers in the cloud are affected.

The exact origins of the threat actor exploiting the flaw are presently unknown, but Palo Alto Networks Unit 42 is tracking the malicious activity under the name Operation MidnightEclipse.

Volexity, which attributed it to a cluster dubbed UTA0218, said CVE-2024-3400 has been leveraged since at least March 26, 2024, to deliver a Python-based backdoor called UPSTYLE on the firewall that allows for the execution of arbitrary commands via specially crafted requests.

It's unclear how widespread the exploitation has been, but the threat intelligence firm said it has “evidence of potential reconnaissance activity involving more widespread exploitation aimed at identifying vulnerable systems.”

In attacks documented to date, UTA0218 has been observed deploying additional payloads to launch reverse shells, exfiltrate PAN-OS configuration data, remove log files, and deploy the Golang tunneling tool named GOST (GO Simple Tunnel).

No other follow-up malware or persistence methods are said to have been deployed on victim networks, although it's unknown whether that is by design or due to early detection and response.
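The advisory's exposure conditions (affected branches, fixed hotfix releases, GlobalProtect portal or gateway, and device telemetry) are easy to get wrong by hand across a fleet, mainly because PAN-OS hotfix suffixes such as `-h1` sort above the bare maintenance release. The following triage script is an added example, not code from Palo Alto Networks or the article: it parses PAN-OS version strings, compares them against the three fixed releases named above, and applies the configuration conditions quoted from the advisory. The `Firewall` record, the inventory entries, and the status names are constructed for illustration; the script also assumes that any release at or above the named fixed release on the same branch contains the fix.

```python
import re
from dataclasses import dataclass

# Fixed releases named in the advisory, one per affected branch.
# Keyed by (major, minor); value is (major, minor, maint, hotfix).
FIXED = {
    (10, 2): (10, 2, 9, 1),   # PAN-OS 10.2.9-h1
    (11, 0): (11, 0, 4, 1),   # PAN-OS 11.0.4-h1
    (11, 1): (11, 1, 2, 3),   # PAN-OS 11.1.2-h3
}

# PAN-OS versions look like MAJOR.MINOR.MAINT or MAJOR.MINOR.MAINT-hN.
_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:-h(\d+))?$")


def parse_version(text):
    """Turn '10.2.9-h1' into (10, 2, 9, 1). A release with no hotfix
    suffix gets hotfix 0, so 10.2.9 sorts below 10.2.9-h1 as intended."""
    match = _VERSION_RE.match(text.strip())
    if not match:
        raise ValueError(f"unrecognised PAN-OS version: {text!r}")
    major, minor, maint, hotfix = match.groups()
    return (int(major), int(minor), int(maint), int(hotfix or 0))


@dataclass
class Firewall:
    # Hypothetical inventory record; field names are this example's own.
    name: str
    version: str
    globalprotect_portal: bool
    globalprotect_gateway: bool
    device_telemetry: bool


def assess(fw):
    """Classify one firewall against CVE-2024-3400 using only the
    conditions stated in the advisory text:
      not-affected          - branch is not 10.2, 11.0 or 11.1
      patched               - at or above the fixed release for its branch
      unpatched-not-exposed - fixable but GlobalProtect/telemetry not enabled
      vulnerable            - unpatched and exposed per the advisory
    """
    version = parse_version(fw.version)
    branch = version[:2]
    if branch not in FIXED:
        return "not-affected"
    # Assumption: anything at or above the named fixed release carries the fix.
    if version >= FIXED[branch]:
        return "patched"
    exposed = (fw.globalprotect_portal or fw.globalprotect_gateway) and fw.device_telemetry
    if not exposed:
        return "unpatched-not-exposed"
    return "vulnerable"


def triage(inventory):
    """Return {firewall name: status} for a list of Firewall records."""
    return {fw.name: assess(fw) for fw in inventory}


# Constructed sample inventory (hostnames and versions are made up).
SAMPLE_INVENTORY = [
    Firewall("edge-fw-1", "10.2.9-h1", True, True, True),
    Firewall("edge-fw-2", "10.2.9", True, False, True),
    Firewall("dc-fw-1", "11.1.2-h2", False, True, False),
    Firewall("lab-fw-1", "9.1.17", True, True, True),
    Firewall("cloud-vm-1", "11.0.4-h1", True, True, True),
]

if __name__ == "__main__":
    for name, status in triage(SAMPLE_INVENTORY).items():
        print(f"{name:12} {status}")
```

The `unpatched-not-exposed` status is deliberately separate from `patched`: a device in that state still needs the hotfix, since the only thing keeping it out of scope is its current configuration.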
