Thousands of Firewalls at Risk: PAN-OS Exploit Hits

Palo Alto Networks has disclosed details of a critical vulnerability in PAN-OS that has been actively exploited. The vulnerability, designated CVE-2024-3400 and carrying a CVSS score of 10.0, arises from a combination of two errors in PAN-OS versions 10.2, 11.0, and 11.1. The first error stems from inadequate validation of the session identifier format by the GlobalProtect service before saving it, allowing an attacker to save files with arbitrary names. The second flaw involves the system mistakenly trusting these files and using their names as part of system commands. Together, these flaws enable the execution of commands with system privileges without authentication.

Palo Alto Networks has tracked attacks exploiting this vulnerability under the codename “MidnightEclipse,” attributing them to a threat actor designated UTA0218, whose origin remains unidentified.

The attack unfolds in two stages: initially, the attacker sends specially crafted requests that cause a file whose name contains a command to be written to disk, and subsequently a scheduled system task uses that file name when building a command, executing the injected command.
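The two flaws described above are the classic pair of "untrusted value used as a file name" and "file name used as part of a shell command". The following Python module is an added illustration of the defensive pattern that closes both, not code from PAN-OS or from any vendor; the 32-character hexadecimal session-ID format and the `/bin/rm` cleanup command are assumptions chosen for the example.

```python
import re
from pathlib import Path
from typing import List, Optional

# Assumption (not from the advisory): a well-formed session identifier is
# exactly 32 hexadecimal characters. Replace with the real format in use.
SESSION_ID_RE = re.compile(r"[0-9a-f]{32}")


def is_valid_session_id(sid: str) -> bool:
    """Allow-list check applied BEFORE the identifier is used as a file name.

    Anything outside the expected alphabet (path separators, '..', shell
    metacharacters, whitespace) is rejected, which closes the first flaw:
    the caller can no longer choose an arbitrary file name.
    """
    return SESSION_ID_RE.fullmatch(sid) is not None


def session_file_path(session_dir: str, sid: str) -> Optional[Path]:
    """Return the on-disk path for a session, or None if it is unsafe.

    Defence in depth: even after the allow-list, confirm the resolved path
    still lives inside session_dir, so a future change to the accepted
    format cannot quietly reintroduce path traversal.
    """
    if not is_valid_session_id(sid):
        return None
    base = Path(session_dir).resolve()
    candidate = (base / sid).resolve()
    if base not in candidate.parents:
        return None
    return candidate


def build_cleanup_command(path: Path) -> List[str]:
    """Build the scheduled task's command as an argv list, never a shell string.

    Handing the file name to subprocess.run(argv) (shell=False) as its own
    argument makes it data rather than code, which closes the second flaw:
    a crafted name cannot inject a command into the scheduled job.
    """
    return ["/bin/rm", "-f", str(path)]
```

Run the scheduled task's argv with `subprocess.run(build_cleanup_command(p), check=False)`; never join it into a string passed to a shell.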

Experts from Unit 42 and Volexity highlighted that the initial exploitation mechanism involved setting up a cron job to download and execute malicious code using the GOST tool.

Volexity researchers noted that attackers used Palo Alto firewalls to create a reverse shell, download additional tools, penetrate internal networks, and steal data.

Following the discovery of the vulnerability, Palo Alto Networks released updates for all affected versions of the operating system to prevent further attacks. It has also been confirmed that whether device telemetry is enabled does not affect the exploitability of the vulnerability.

The Cybersecurity and Infrastructure Security Agency (CISA) has added the vulnerability to its Known Exploited Vulnerabilities (KEV) catalog and has urged federal agencies to secure their devices by April 19, 2024.

Furthermore, specialists from watchTowr Labs analyzed the vulnerability and presented a proof of concept demonstrating how the command injection can be used to compromise devices not protected by the latest updates. Additionally, it was revealed that the vulnerability had already been actively exploited in March to install backdoors on firewalls using the Upstyle malware, allowing attackers to access internal networks and steal data.

According to the Shadowserver Foundation, approximately 22,542 internet-exposed firewalls are potentially vulnerable, predominantly in the United States, Japan, India, Germany, the United Kingdom, Canada, Australia, France, and China.

Experts strongly recommend that users immediately apply the issued patches to protect against potential threats.