Update: Palo Alto Networks has updated its advisory on CVE-2024-3400 to warn that the previously recommended mitigation step of disabling telemetry on affected devices is not enough to protect devices from the vulnerability. The company now advises users to install the latest PAN-OS software update to fix the vulnerability and, for users with an active 'Threat Prevention' subscription, to enable 'Threat ID 95187' threat prevention-based mitigation.
Original Article: Palo Alto Networks has begun releasing updates to address a maximum-severity flaw, designated CVE-2024-3400, affecting the PAN-OS software used by its GlobalProtect gateways and portals.
Patches for PAN-OS versions 10.2.9-h1, 11.0.4-h1, and 11.1.2-h3 are currently available, while patches for all other affected versions are expected to be released on or before April 19, 2024.
Researchers believe that a highly capable state-sponsored actor dubbed UTA0218 has been able to leverage the vulnerability to backdoor affected devices since as early as March 26, almost two weeks before Palo Alto announced the vulnerability. The backdoor, which is installed via a Python script, enables UTA0218 to breach networks and steal data.
CVE-2024-3400 is a command injection vulnerability in specific PAN-OS software versions (< 11.1.2-h3, < 11.0.4-h1, < 10.2.9-h1) configured for both GlobalProtect gateway and device telemetry. Successful exploitation of the vulnerability could allow an unauthenticated threat actor to execute arbitrary code with root privileges on the appliance.
In light of the severity and active exploitation of the vulnerability, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added CVE-2024-3400 to its Known Exploited Vulnerabilities (KEV) catalog and issued an order to federal agencies to secure their affected devices by April 19.
Source: The Hacker News
Analysis
Palo Alto originally provided scant details regarding how long, and to what extent, threat actors have been exploiting CVE-2024-3400. Since cybersecurity researchers revealed that CVE-2024-3400 has been exploited, for nearly two weeks, by a sophisticated state-sponsored cyber actor, users of affected Palo Alto devices should patch as soon as possible and check for signs of compromise.
At least one security researcher claims that over 82,000 vulnerable PAN-OS devices are deployed worldwide, 40% of which are located in the U.S.
Mitigation
Field Effect’s elite team of Security Intelligence professionals constantly monitor the cyber threat landscape for vulnerabilities discovered in firewalls including Palo Alto’s GlobalProtect. This research contributes to the timely deployment of signatures into Covalence to detect and mitigate the exploitation of these vulnerabilities.
Covalence users were automatically notified if any potentially vulnerable GlobalProtect gateways or portals were detected in their environment and are encouraged to review these AROs as quickly as possible via the Covalence portal.
Field Effect strongly encourages Palo Alto customers to update their PAN-OS software as soon as possible. Organizations running versions that don’t yet have an update available should:
- Enable Threat ID 95187 for those with Threat Prevention subscriptions.
- Disable the device telemetry feature on vulnerable devices until a patch is deployed.
Related Articles
