Palo Alto Networks has started releasing hotfixes for a zero-day vulnerability that has been actively exploited since March 26th to backdoor PAN-OS firewalls.
This maximum severity security flaw (CVE-2024-3400) affects PAN-OS 10.2, PAN-OS 11.0, and PAN-OS 11.1 firewalls with device telemetry and GlobalProtect (gateway or portal) enabled.
Unauthenticated threat actors can exploit it remotely to gain root code execution via command injection in low-complexity attacks that don't require user interaction.
"Palo Alto Networks is aware of a limited number of attacks that leverage the exploitation of this vulnerability," the company warned on Friday when it disclosed the zero-day.
The company has now fixed the security flaw in hotfix releases issued for PAN-OS 10.2.9-h1, PAN-OS 11.0.4-h1, and PAN-OS 11.1.2-h3. More hotfixes will be rolled out for later PAN-OS versions in the coming days.
According to Palo Alto Networks' advisory, Cloud NGFW, Panorama appliances, and Prisma Access are not exposed to attacks via this vulnerability.
Admins still waiting for a hotfix can disable the device telemetry feature on vulnerable devices until a patch is deployed. Those with an active 'Threat Prevention' subscription can also block ongoing attacks by activating 'Threat ID 95187' threat prevention-based mitigation.
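A small triage helper, added here as an example (not code from the article or from Palo Alto Networks), that parses PAN-OS version strings, including the `-hN` hotfix suffix, and classifies a firewall against the three fixed releases named above. The inventory is constructed sample data; the check treats a GlobalProtect portal or gateway as the exposure condition, following the advisory update quoted in the comments, and only knows the hotfixes listed in this article, so a branch or release not covered here is reported rather than guessed.

```python
import re

# Fixed hotfix releases named in the article: a firewall on the same
# branch at or above one of these is patched, anything below is not.
# Extend this table as further hotfixes are published.
FIXED_RELEASES = {
    (10, 2): (10, 2, 9, 1),   # PAN-OS 10.2.9-h1
    (11, 0): (11, 0, 4, 1),   # PAN-OS 11.0.4-h1
    (11, 1): (11, 1, 2, 3),   # PAN-OS 11.1.2-h3
}

_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:-h(\d+))?$")


def parse_panos_version(text: str) -> tuple:
    """Parse 'major.minor.patch[-hN]' into a comparable tuple.

    A base release sorts below its hotfixes (10.2.9 < 10.2.9-h1), which is
    how PAN-OS orders them; a missing hotfix suffix is treated as h0.
    """
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised PAN-OS version: {text!r}")
    major, minor, patch, hotfix = m.groups()
    return (int(major), int(minor), int(patch), int(hotfix or 0))


def assess(version: str, globalprotect_enabled: bool) -> str:
    """Classify one firewall for CVE-2024-3400.

    Returns 'patched', 'vulnerable', 'not-exposed' (no GlobalProtect portal
    or gateway) or 'branch-not-listed' (release line not in the table).
    """
    v = parse_panos_version(version)
    fixed = FIXED_RELEASES.get(v[:2])
    if fixed is None:
        return "branch-not-listed"
    if v >= fixed:
        return "patched"
    # Exposure requires GlobalProtect; device telemetry is not a precondition
    # according to the updated advisory, so it is deliberately not consulted.
    return "vulnerable" if globalprotect_enabled else "not-exposed"


# Constructed sample inventory: (hostname, PAN-OS version, GlobalProtect on?)
SAMPLE_INVENTORY = [
    ("fw-edge-1", "10.2.8", True),
    ("fw-edge-2", "10.2.9-h1", True),
    ("fw-dc-1", "11.1.2-h2", True),
    ("fw-dc-2", "11.1.3", True),
    ("fw-lab", "11.0.3", False),
    ("fw-old", "10.1.11", True),
]


def triage(inventory) -> dict:
    """Map each hostname in the inventory to its CVE-2024-3400 status."""
    return {host: assess(ver, gp) for host, ver, gp in inventory}
```

Run `triage(SAMPLE_INVENTORY)` against an export of your own firewall list; a `not-exposed` result still warrants patching, it only means the device is not reachable through the vulnerable GlobalProtect path.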
Exploited to backdoor firewalls since March
Palo Alto Networks' warning of active exploitation was confirmed by security firm Volexity, which discovered the zero-day flaw and detected threat actors using it to backdoor PAN-OS devices using Upstyle malware, breach networks, and steal data.
Volexity is tracking this malicious activity under UTA0218 and believes that state-sponsored threat actors are likely behind these ongoing attacks.
"At the time of writing, Volexity was unable to link the activity to other threat activity," Volexity said on Friday.
"Volexity assesses that it is highly likely UTA0218 is a state-backed threat actor based on the resources required to develop and exploit a vulnerability of this nature, the type of victims targeted by this actor, and the capabilities displayed to install the Python backdoor and further access victim networks."
Threat researcher Yutaka Sejiyama revealed on Friday that he found over 82,000 PAN-OS devices exposed online and vulnerable to CVE-2024-3400 attacks, with 40% of them in the United States.
CISA has added CVE-2024-3400 to its Known Exploited Vulnerabilities (KEV) catalog, ordering federal agencies to secure their devices within a week, by April 19th, by applying the threat prevention mitigation rule or disabling device telemetry.
Comments
SymondSaiz - 6 months ago
We received a later notice that it didn't matter if you turned off the Telemetry feature:
"Urgent: Product and Mitigation Guidance Updates for CVE-2024-3400
Palo Alto Networks has released urgent updates to product and mitigation guidance in the CVE-2024-3400 security advisory. Device telemetry *does not* need to be enabled on firewalls running an affected version of PAN-OS with GlobalProtect portal or GlobalProtect gateway enabled to be exposed to attacks related to this vulnerability.
Full details of the issue and the latest security advisory updates are available at https://security.paloaltonetworks.com/CVE-2024-3400. We strongly advise customers to immediately upgrade to a fixed version of PAN-OS to protect their devices even when workarounds and mitigations have been applied.
Palo Alto Networks is aware of an increasing number of attacks that leverage the exploitation of this vulnerability. Proof of concepts for this vulnerability have been publicly disclosed by third parties.
For indicators of compromise, please see the Unit 42 Threat Brief and Volexity blog post."