Palo Alto Networks has released patches to address a critical security flaw in its PAN-OS software that has been actively exploited in the wild.
The vulnerability, tracked as CVE-2024-3400 (CVSS score: 10.0), is a command injection flaw in the GlobalProtect feature that allows an unauthenticated attacker to execute arbitrary code with root privileges on the firewall.
The following releases provide a fix for this flaw:
- PAN-OS 10.2.9-h1
- PAN-OS 11.0.4-h1, and
- PAN-OS 11.1.2-h3
Patches for other commonly deployed maintenance releases are expected in the coming days.
“This issue only applies to PAN-OS 10.2, PAN-OS 11.0, and PAN-OS 11.1 firewalls configured with either the GlobalProtect Gateway or the GlobalProtect Portal (or both) and device telemetry enabled,” the company clarified in an updated advisory.
It also stated that while Cloud NGFW firewalls are not affected by CVE-2024-3400, specific PAN-OS versions and distinct feature configurations of firewall virtual machines that customers deploy and manage themselves in the cloud are.
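As an added example that is not part of the article or the vendor advisory, the check below encodes the fixed releases listed above and the two configuration conditions quoted from the advisory so that a fleet inventory can be triaged. PAN-OS version strings are assumed to follow the `major.minor.patch[-hN]` pattern used in the fix list; hostnames and versions in the sample inventory are constructed.

```python
import re
from typing import Dict, Tuple

# Fixed releases listed above, keyed by release train (major, minor).
FIXED_RELEASES = {
    (10, 2): "10.2.9-h1",
    (11, 0): "11.0.4-h1",
    (11, 1): "11.1.2-h3",
}
# Matches "10.2.9" or "10.2.9-h1"; the hotfix suffix is optional.
_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:-h(\d+))?$")

def parse_panos_version(version: str) -> Tuple[int, int, int, int]:
    """Turn '10.2.9-h1' into (10, 2, 9, 1); a release with no hotfix sorts
    as hotfix 0, so 10.2.9 orders before 10.2.9-h1 like PAN-OS does."""
    m = _VERSION_RE.match(version.strip())
    if not m:
        raise ValueError(f"unrecognised PAN-OS version: {version!r}")
    major, minor, patch, hotfix = m.groups()
    return int(major), int(minor), int(patch), int(hotfix or 0)

def assess_cve_2024_3400(version: str, globalprotect: bool, telemetry: bool) -> str:
    """Return 'not-affected', 'not-exposed-per-advisory', 'vulnerable' or 'patched'."""
    parsed = parse_panos_version(version)
    train = parsed[:2]
    if train not in FIXED_RELEASES:
        return "not-affected"  # release train not named in the advisory
    if not (globalprotect and telemetry):
        # The advisory quoted above scopes the issue to firewalls with a
        # GlobalProtect portal/gateway and device telemetry both enabled.
        return "not-exposed-per-advisory"
    if parsed >= parse_panos_version(FIXED_RELEASES[train]):
        return "patched"
    return "vulnerable"

def assess_inventory(inventory: Dict[str, Tuple[str, bool, bool]]) -> Dict[str, str]:
    """Apply the check to a {hostname: (version, globalprotect, telemetry)} map."""
    return {host: assess_cve_2024_3400(*facts) for host, facts in inventory.items()}

if __name__ == "__main__":
    # Constructed sample inventory; hostnames and versions are made up.
    sample = {
        "fw-edge-01": ("10.2.8", True, True),
        "fw-edge-02": ("10.2.9-h1", True, True),
        "fw-dc-01": ("11.1.2-h3", True, True),
        "fw-lab-01": ("10.1.11", True, True),
    }
    for host, verdict in assess_inventory(sample).items():
        print(f"{host}: {verdict}")
```

Note that a base release such as 10.2.9 is reported as vulnerable because the fix ships only in the -h1 hotfix, which is exactly the distinction the version parser exists to preserve.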
The exact origin of the threat actor exploiting the vulnerability is unclear, but Palo Alto Networks Unit 42 is tracking a malicious campaign dubbed “Operation MidnightEclipse.”
Attributing it to a cluster called UTA0218, Volexity said CVE-2024-3400 has been exploited since at least March 26, 2024, to deliver a Python-based backdoor called UPSTYLE on the firewall that lets specially crafted requests execute arbitrary commands.
It’s unclear how widespread this exploit is, but the threat intelligence firm said “there is evidence of potential reconnaissance activity involving a broader exploit aimed at identifying vulnerable systems.”
In attacks documented so far, we observed UTA0218 deploying additional payloads to launch reverse shells, steal PAN-OS configuration data, delete log files, and deploy a Golang tunneling tool called GOST (GO Simple Tunnel).
No other follow-up malware or persistence methods were reportedly deployed on the victims' networks, but it is unclear whether this was intentional or due to early detection and response.