Palo Alto Networks has issued urgent hotfixes in response to a critical security vulnerability affecting its PAN-OS software that is currently being exploited in live environments. This vulnerability, identified as CVE-2024-3400, has received the highest severity rating with a CVSS score of 10.0. It involves a command injection flaw within the GlobalProtect feature, which, if exploited by an unauthenticated attacker, allows for the execution of arbitrary code at the root level on impacted firewalls.
The affected versions of PAN-OS include 10.2.9-h1, 11.0.4-h1, and 11.1.2-h3, all of which are integral to organizations utilizing GlobalProtect gateways or portals. Palo Alto Networks has stated that while Cloud NGFW firewalls are not directly impacted by this vulnerability, certain configurations of PAN-OS versions in cloud environments are susceptible based on their specific feature setups.
The threat actor behind this attack has yet to be definitively identified, but Palo Alto Networks’ Unit 42 is actively investigating the related malicious activities under the moniker Operation MidnightEclipse. This investigation has determined that exploitation of CVE-2024-3400 began as early as March 26, 2024, utilizing a Python-based backdoor known as UPSTYLE, which allows the attacker to execute arbitrary commands through tailored requests. The exact scale of these attacks remains uncertain; however, indications of reconnaissance-focused efforts suggest a broader search for additional vulnerable systems may be underway.
Apart from executing arbitrary commands, documented attacks attributed to this adversary cluster, UTA0218, have revealed strategies aimed at deploying reverse shells, exfiltrating firewalls’ configuration data, and employing tunneling tools like GOST, which could further facilitate unauthorized access. While no persistent backdoors or follow-up malware have been reported on compromised networks, the absence of such findings might stem from timely incident response measures.
In light of the ongoing risk, Palo Alto Networks has expanded its remediation efforts, releasing additional patches for older PAN-OS versions, including 10.2.8-h3, 10.2.7-h8, 10.2.6-h3, as well as updates for 11.0 and 11.1 series. Users are encouraged to utilize a specific command line interface (CLI) command to check for signs of compromise, which could indicate successful exploitation of the vulnerability if certain log patterns are observed.
Cybersecurity firm Rapid7 elaborated on the exploit mechanics, clarifying that the command injection vulnerability is rooted in the telemetry data transmission process, which necessitates a valid device certificate. This aspect implies that an attacker can only execute the command injection if they can successfully configure the payload with a legitimate certificate.
Given the critical nature of this vulnerability, company security teams should prioritize patching relevant PAN-OS versions and monitor their firewalls for signs of exploitation. The situation is a stark reminder of the evolving threat landscape and the necessity for continuous vigilance and updated defenses in safeguarding IT infrastructures. This incident underscores the importance of maintaining a proactive posture in cybersecurity, as adversaries increasingly leverage advanced techniques that can bypass traditional security measures.
