UPDATE - Patches are now available for a critical-severity vulnerability in Palo Alto Networks' PAN-OS software for firewalls. The flaw, first disclosed on Friday, is currently being exploited in the wild.
The vulnerability (CVE-2024-3400) ranks 10 out of 10 on the CVSS scale, and stems from a command injection issue in the GlobalProtect feature of PAN-OS. The flaw could enable unauthenticated attackers to execute arbitrary code with root privileges on the firewall. The flaw can lead to successful exploitation on specific OS versions - PAN-OS 10.2, PAN-OS 11.0, and PAN-OS 11.1 firewalls - if the configurations for both GlobalProtect gateway and device telemetry are enabled.
“Fixes for PAN-OS 10.2, PAN-OS 11.0, and PAN-OS 11.1 are in development and are expected to be released by April 14, 2024,” according to the advisory on Friday by Palo Alto Networks. “Cloud NGFW, Panorama appliances, and Prisma Access are not impacted by this vulnerability. All other versions of PAN-OS are also not impacted.”
In its advisory, Palo Alto Networks said that users can verify if they have the GlobalProtect gateway and device telemetry configured by checking for entries in the firewall web interface.
The hotfix releases won’t be available until Sunday, but Palo Alto Networks has provided customers with several mitigations in the meantime, including temporarily disabling device telemetry until the device is upgraded to a fixed PAN-OS version.
Details of the Exploitation
Volexity researchers on Friday said that they discovered a threat actor, which they track as UTA0218, leveraging the vulnerability.
The researchers first identified the zero-day exploitation of the flaw on April 10, after receiving alerts about suspicious network traffic from the firewall of one of Volexity's customers. However, researchers said that the earliest evidence of attempted exploitation tracks back to March 26.
"A subsequent investigation determined the device had been compromised," said Volexity researchers in a Friday analysis of the flaw. "The following day, April 11, 2024, Volexity observed further, identical exploitation at another one of its NSM customers by the same threat actor."
The attacker was able to remotely exploit the bug in order to create a reverse shell and download post-exploitation tools, including a novel Python-based backdoor.
"The attacker focused on exporting configuration data from the devices, and then leveraging it as an entry point to move laterally within the victim organizations," according to Volexity's threat research team. "During its investigation, Volexity observed that UTA0218 attempted to install a custom Python backdoor, which Volexity calls UPSTYLE, on the firewall. The UPSTYLE backdoor allows the attacker to execute additional commands on the device via specially crafted network requests."
Impacted users are urged to apply mitigations and patches when available. The U.S. Cybersecurity and Infrastructure Security Agency (CISA) on Friday also added the flaw to its known exploited vulnerabilities catalog, where it lists flaws that are “frequent attack vectors for malicious cyber actors and pose significant risks to the federal enterprise.” Federal agencies have a deadline of April 19 to patch the flaw.
This article was updated on April 16 to reflect that patches are now available for the flaw.