Palo Alto Networks has disclosed a significant security vulnerability affecting PAN-OS that is currently under active exploitation by cybercriminals. This flaw, designated as CVE-2024-3400 with a CVSS score of 10.0, is characterized as “intricate,” arising from the combination of two distinct bugs present in PAN-OS versions 10.2, 11.0, and 11.1.
The first issue pertains to the GlobalProtect service’s failure to adequately validate session ID formats before storage. This oversight allows attackers to create a blank file using a filename of their choosing. Chandan B. N., senior director of product security at Palo Alto Networks, stated, “The second bug assumes that the filenames are generated by the system and exploits that trust within command execution.” While each issue may not be critical when considered separately, their combination poses a severe risk, potentially leading to unauthenticated remote command execution.
The cyber threat group identified as UTA0218 is behind the zero-day exploitation of this vulnerability, orchestrating a two-phase attack strategy to execute commands on vulnerable devices. This malicious operation has been labeled Operation MidnightEclipse.
As revealed by security firm Volexity and Palo Alto’s Unit 42 division, the attack involves sending specifically crafted requests that include the command for execution, utilizing a backdoor named UPSTYLE. The initial phase incorporated setting up a cron job that uses wget to fetch a malicious payload from an attacker-controlled location, redirecting its output to be executed by bash.
This methodology has proven effective for deploying various commands, including downloads of reverse proxy tools such as GOST. However, Unit 42 has not yet determined the exact commands being executed, beyond what can be inferred from the cron job setup. Chandan elaborated on the attack’s mechanics: in the first stage, an attacker submits a crafted shell command masquerading as a session ID, causing a file to be created on the system whose filename embeds the attacker’s command. In the second stage, a scheduled job later misuses this filename, resulting in unauthorized command execution with elevated privileges.
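The two-stage pattern described above (a session ID stored as a filename without format validation, then a scheduled job that trusts whatever filenames it finds) is a general bug class, not specific to PAN-OS. The following Python is an added illustration written for this article, not Palo Alto Networks code and not a description of how PAN-OS actually handles sessions: it shows the defensive shape of both halves, a strict allow-list check before a session ID ever becomes a filename, and a cleanup job that removes files by direct system call rather than through a shell. The 32-hex-character session ID format, the directory layout, and all sample inputs are assumptions constructed for the example.

```python
import re
import tempfile
from pathlib import Path

# ASSUMED format for illustration only: 32 lowercase hex characters.
# The real PAN-OS session ID format is not stated in the article.
SESSION_ID_RE = re.compile(r"[0-9a-f]{32}")


def is_valid_session_id(session_id: str) -> bool:
    """Allow-list check: anything other than exactly 32 hex chars is rejected,
    which excludes path separators, '..', whitespace and shell metacharacters."""
    return SESSION_ID_RE.fullmatch(session_id) is not None


def store_session(session_dir: Path, session_id: str) -> Path:
    """Stage one, hardened: refuse to create a file unless the ID passes the
    format check, and confirm the resolved path stays inside session_dir."""
    if not is_valid_session_id(session_id):
        raise ValueError("malformed session id rejected")
    path = (session_dir / session_id).resolve()
    if path.parent != session_dir.resolve():
        raise ValueError("session path escaped the session directory")
    path.touch()
    return path


def cleanup_sessions(session_dir: Path) -> list:
    """Stage two, hardened: the scheduled job never interpolates a filename
    into a shell command string. It re-validates each name, because it must
    not assume every file in the directory was written by the application."""
    removed = []
    for entry in sorted(session_dir.iterdir()):
        if not is_valid_session_id(entry.name):
            continue  # unexpected names are left for audit, never executed
        entry.unlink()  # direct syscall, no shell involved
        removed.append(entry.name)
    return removed


def audit_session_dir(session_dir: Path) -> list:
    """Detection helper: list filenames that do not match the expected format.
    A session file whose name contains separators or shell syntax is exactly
    the artefact the first stage of the attack in the article would leave."""
    return sorted(e.name for e in session_dir.iterdir()
                  if not is_valid_session_id(e.name))


def run_demo() -> dict:
    """Exercise the three functions on constructed sample input."""
    session_dir = Path(tempfile.mkdtemp(prefix="sessions-"))
    good = "0123456789abcdef0123456789abcdef"  # constructed valid ID
    store_session(session_dir, good)

    # Constructed malformed IDs: traversal, too short, wrong case, non-hex.
    rejected = []
    for bad in ("../../tmp/x", "short", "ABCDEF" + "0" * 26, "x" * 32):
        try:
            store_session(session_dir, bad)
        except ValueError:
            rejected.append(bad)

    # Constructed stand-in for a file that reached the directory without
    # passing validation; the audit must flag it and cleanup must skip it.
    (session_dir / "unexpected name").touch()
    flagged = audit_session_dir(session_dir)
    removed = cleanup_sessions(session_dir)
    return {"rejected": rejected, "flagged": flagged, "removed": removed}


if __name__ == "__main__":
    print(run_demo())
```

The point of the example is that both checks are needed independently: the validator stops attacker-chosen names from being written, and the job that later consumes the directory still avoids shell string interpolation, so a file that arrives by some other route cannot become a command.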
Palo Alto Networks initially indicated that successful exploitation of CVE-2024-3400 depended on specific firewall configurations being enabled, including device telemetry. However, the company has now indicated that telemetry settings do not influence this vulnerability’s exploitation. Recent research from Bishop Fox has also discovered methods to exploit this vulnerability without requiring telemetry to be enabled on devices.
In light of the urgent implications of CVE-2024-3400 and the emergence of proof-of-concept exploit code, users are advised to apply the available hotfixes promptly to defend against potential intrusions. The United States Cybersecurity and Infrastructure Security Agency (CISA) has added this vulnerability to its Known Exploited Vulnerabilities catalog, mandating that federal agencies remediate it by April 19, 2024.
The Shadowserver Foundation reported that an estimated 22,542 internet-exposed firewall devices are potentially vulnerable to this flaw. The majority of these devices are located in key regions, including the U.S., Japan, India, Germany, the U.K., Canada, Australia, France, and China, as of mid-April 2024. Given these technical specifics and potential attack vectors, business leaders must remain vigilant and proactive in addressing vulnerabilities within their systems to guard against increasingly sophisticated cyber threats.