Palo Alto Networks has shared remediation guidance for a recently disclosed critical security flaw impacting PAN-OS that has come under active exploitation.
The vulnerability, tracked as CVE-2024-3400 (CVSS score: 10.0), could be weaponized to obtain unauthenticated remote shell command execution on susceptible devices. It has been addressed in several versions of PAN-OS 10.2.x, 11.0.x, and 11.1.x.
There is evidence to suggest that the issue has been exploited as a zero-day since at least March 26, 2024, by a threat cluster tracked as UTA0218.
The activity, codenamed Operation MidnightEclipse, involves the use of the flaw to drop a Python-based backdoor referred to as UPSTYLE that is capable of executing commands transmitted via specially crafted requests.
The intrusions have not been linked to a known threat actor or group, but the operation is suspected to be the work of a state-backed hacking crew given the tradecraft and the victimology observed.
The latest remediation advice provided by Palo Alto Networks depends on the extent of compromise –
- Level 0 Probe: Unsuccessful exploitation attempt – Update to the latest provided hotfix
- Level 1 Test: Evidence of the vulnerability being tested on the device, including the creation of an empty file on the firewall but no execution of unauthorized commands – Update to the latest provided hotfix
- Level 2 Potential Exfiltration: Indications that files like “running_config.xml” were copied to a location that is accessible via web requests – Update to the latest provided hotfix and perform a Private Data Reset
- Level 3 Interactive access: Evidence of interactive command execution, such as the introduction of backdoors and other malicious code – Update to the latest provided hotfix and perform a Factory Reset
“Performing a private data reset eliminates risks of potential misuse of device data,” Palo Alto Networks said. “A factory reset is recommended due to evidence of more invasive threat actor activity.”
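As an added illustration of how an incident responder might apply the four-level scheme above during triage (example code written for this article, not Palo Alto Networks' own tooling), the helper below maps constructed forensic findings from one device to the highest applicable level and its recommended action. The finding categories and the web-accessible directory prefix are assumptions for illustration, not values from the vendor guidance.

```python
"""Triage helper mapping observed evidence to the CVE-2024-3400 remediation
levels described above. Added example; finding categories and the
web-accessible prefix are assumptions, not vendor-documented values."""
from dataclasses import dataclass
from typing import Iterable, Optional, Tuple

# ASSUMED placeholder for directories reachable through web requests on the
# device; substitute the paths from the vendor's own guidance.
WEB_ACCESSIBLE_PREFIXES = ("/ASSUMED/web-root/",)

# Recommended action per level, as stated in the article.
ACTIONS = {
    0: "Update to the latest hotfix",
    1: "Update to the latest hotfix",
    2: "Update to the latest hotfix and perform a Private Data Reset",
    3: "Update to the latest hotfix and perform a Factory Reset",
}

@dataclass
class Finding:
    kind: str                    # "probe", "file_created", "file_copied", "command"
    path: str = ""               # filesystem path for file events
    size: Optional[int] = None   # file size in bytes for file events

def level_for(finding: Finding) -> int:
    """Return the remediation level a single finding implies, or -1 if none."""
    if finding.kind == "command":
        return 3   # interactive command execution or a dropped backdoor
    if (finding.kind == "file_copied"
            and finding.path.endswith("running_config.xml")
            and finding.path.startswith(WEB_ACCESSIBLE_PREFIXES)):
        return 2   # configuration staged where web requests can fetch it
    if finding.kind == "file_created" and finding.size == 0:
        return 1   # empty-file test, no unauthorized command execution
    if finding.kind == "probe":
        return 0   # unsuccessful exploitation attempt
    return -1      # not an indicator under this scheme

def triage(findings: Iterable[Finding]) -> Tuple[int, str]:
    """The worst level across all findings decides the remediation action."""
    worst = max((level_for(f) for f in findings), default=-1)
    if worst < 0:
        return -1, "No CVE-2024-3400 indicators in the supplied findings"
    return worst, ACTIONS[worst]

# Constructed sample findings for a single device (not real forensic data).
SAMPLE = [
    Finding("probe"),
    Finding("file_created", "/tmp/ASSUMED/test", 0),
    Finding("file_copied", "/ASSUMED/web-root/running_config.xml", 4096),
]
```

Running `triage(SAMPLE)` yields level 2, so the device would get the hotfix plus a Private Data Reset; a single `command` finding would escalate it to level 3 and a Factory Reset.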