Thursday, July 4, 2024

Palo Alto Networks Releases Pressing Fixes for Exploited PAN-OS Vulnerability

Apr 15, 2024 | Newsroom | Firewall Security / Vulnerability

PAN-OS Vulnerability

Palo Alto Networks has released hotfixes to address a maximum-severity security flaw affecting PAN-OS software that has come under active exploitation in the wild.

Tracked as CVE-2024-3400 (CVSS score: 10.0), the critical vulnerability is a case of command injection in the GlobalProtect feature that an unauthenticated attacker could weaponize to execute arbitrary code with root privileges on the firewall.

Fixes for the flaw are available in the following versions:

  • PAN-OS 10.2.9-h1
  • PAN-OS 11.0.4-h1, and
  • PAN-OS 11.1.2-h3

Patches for other commonly deployed maintenance releases are expected to be released over the next few days.


“This issue is applicable only to PAN-OS 10.2, PAN-OS 11.0, and PAN-OS 11.1 firewalls configured with GlobalProtect gateway or GlobalProtect portal (or both) and device telemetry enabled,” the company clarified in its updated advisory.

It also said that while Cloud NGFW firewalls are not impacted by CVE-2024-3400, specific PAN-OS versions and distinct feature configurations of firewall VMs deployed and managed by customers in the cloud are affected.
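As an added example (not from the article, the advisory, or Palo Alto Networks), the following check encodes the affected trains, the three fixed releases and the two configuration conditions stated above so a defender can triage an inventory of firewalls; the version-string grammar and the treatment of a later maintenance release as already fixed are assumptions.

```python
"""Exposure triage for CVE-2024-3400 using only what the article states.
Added example: the fixed releases, the affected trains and the two
configuration conditions come from the article; the version grammar
major.minor.maint[-hN] and the 'newer maintenance release is fixed'
rule are assumptions, so treat results as a first-pass filter."""
import re
from typing import NamedTuple

# Fixed (maintenance, hotfix) per affected train, as listed in the article.
FIXED = {(10, 2): (9, 1), (11, 0): (4, 1), (11, 1): (2, 3)}

class PanOsVersion(NamedTuple):
    major: int
    minor: int
    maint: int
    hotfix: int  # 0 when no -hN suffix is present

_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:-h(\d+))?$")

def parse_version(text: str) -> PanOsVersion:
    """Parse strings such as '10.2.9-h1' or '11.0.3' (assumed grammar)."""
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised PAN-OS version: {text!r}")
    major, minor, maint, hotfix = m.groups()
    return PanOsVersion(int(major), int(minor), int(maint), int(hotfix or 0))

def assess(version: str, globalprotect: bool, telemetry: bool) -> str:
    """Classify one firewall.

    globalprotect: a GlobalProtect gateway or portal (or both) is configured.
    telemetry:     device telemetry is enabled.
    Returns 'not-affected', 'fixed', 'exposed' or 'unpatched-not-exposed'.
    """
    v = parse_version(version)
    train = (v.major, v.minor)
    if train not in FIXED:
        return "not-affected"  # article: only 10.2, 11.0 and 11.1 are in scope
    if (v.maint, v.hotfix) >= FIXED[train]:
        return "fixed"  # at or past the listed hotfix (assumption for newer maint)
    # Vulnerable build; the article says both conditions are required for exposure.
    if globalprotect and telemetry:
        return "exposed"
    return "unpatched-not-exposed"

if __name__ == "__main__":
    # Constructed sample inventory, not real devices.
    for ver, gp, tel in [("10.2.9", True, True), ("11.1.2-h3", True, True),
                         ("11.0.3", True, False), ("10.1.9", True, True)]:
        print(f"{ver:<10} GP={gp!s:<5} telemetry={tel!s:<5} -> {assess(ver, gp, tel)}")
```

Firewalls reported as `unpatched-not-exposed` still run vulnerable code and should be patched as the remaining maintenance-release fixes ship.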

The exact origins of the threat actor exploiting the flaw are currently unknown, but Palo Alto Networks Unit 42 is tracking the malicious activity under the name Operation MidnightEclipse.

Volexity, which attributed it to a cluster dubbed UTA0218, said CVE-2024-3400 has been leveraged since at least March 26, 2024, to deliver a Python-based backdoor called UPSTYLE on the firewall that allows for the execution of arbitrary commands via specially crafted requests.

It's unclear how widespread the exploitation has been, but the threat intelligence firm said it has “evidence of potential reconnaissance activity involving more widespread exploitation aimed at identifying vulnerable systems.”

In attacks documented to date, UTA0218 has been observed deploying additional payloads to launch reverse shells, exfiltrate PAN-OS configuration data, remove log files, and deploy the Golang tunneling tool named GOST (GO Simple Tunnel).

No other follow-up malware or persistence methods are said to have been deployed on victim networks, although it's unknown whether this is by design or due to early detection and response.
