Summary
A vulnerability is present in PAN-OS 10.2, 11.0, and 11.1 firewalls configured with a GlobalProtect gateway or portal and with device telemetry enabled. This critical weakness, identified as CVE-2024-3400 (CVSS 3.0: 10.0), is a command injection vulnerability that may allow an unauthenticated attacker to execute arbitrary code with root privileges on the firewall. Palo Alto Networks is aware of a limited number of attacks that exploit this vulnerability. After exploitation, threat actors installed a backdoor and used it for data exfiltration and lateral movement through the network.
Impact Assessment
This vulnerability affects only a small set of PAN-OS versions, and the firewall must be configured as a GlobalProtect gateway, a GlobalProtect portal, or both, with device telemetry enabled.
Affected Software:
- PAN-OS 11.1 < 11.1.2-h3
- PAN-OS 11.0 < 11.0.4-h1
- PAN-OS 10.2 < 10.2.9-h1
If exploited, the impact is significant: threat actors have used the resulting backdoor to move laterally through the target network and exfiltrate sensitive data.
What It Means for You
It is essential to verify whether your organization uses Palo Alto Networks firewalls and, if it does, to check the configuration: the PAN-OS version and whether a GlobalProtect gateway or portal is enabled with device telemetry. If you are on a vulnerable version, the next step is to remediate.
Remediation
Palo Alto Networks has fixed, or will fix, the vulnerability in the following hotfix releases of PAN-OS (release dates and ETAs as published at the time of writing):
PAN-OS 10.2:
- 10.2.9-h1 (Released 4/14/24)
- 10.2.8-h3 (ETA: 4/15/24)
- 10.2.7-h8 (ETA: 4/15/24)
- 10.2.6-h3 (ETA: 4/15/24)
- 10.2.5-h6 (ETA: 4/16/24)
- 10.2.3-h13 (ETA: 4/17/24)
- 10.2.1-h2 (ETA: 4/17/24)
- 10.2.2-h5 (ETA: 4/18/24)
- 10.2.0-h3 (ETA: 4/18/24)
- 10.2.4-h16 (ETA: 4/19/24)
PAN-OS 11.0:
- 11.0.4-h1 (Released 4/14/24)
- 11.0.3-h10 (ETA: 4/15/24)
- 11.0.2-h4 (ETA: 4/16/24)
- 11.0.1-h4 (ETA: 4/17/24)
- 11.0.0-h3 (ETA: 4/18/24)
PAN-OS 11.1:
- 11.1.2-h3 (Released 4/14/24)
- 11.1.1-h1 (ETA: 4/16/24)
- 11.1.0-h3 (ETA: 4/17/24)
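The version check described under "What It Means for You" is easy to get wrong: a naive "10.2 earlier than 10.2.9-h1" comparison would flag 10.2.8-h3 as vulnerable even though it is a fixed release. The following script, added here as an example and not code from the page or from Palo Alto Networks, parses the sw-version line from `show system info` CLI output and compares it per maintenance release against the fixed-release list above. It assumes that list is complete, that any maintenance release newer than the newest fixed one in a train (for example 10.2.10) carries the fix, and that releases outside the 10.2, 11.0 and 11.1 trains are unaffected; the sample CLI output is constructed. It checks only the version, not whether GlobalProtect or telemetry is configured, which still has to be confirmed against the running configuration.

```python
import re
from typing import Optional, Tuple

# Fixed hotfix releases, copied from the Remediation list above.
FIXED_RELEASES = [
    "10.2.9-h1", "10.2.8-h3", "10.2.7-h8", "10.2.6-h3", "10.2.5-h6",
    "10.2.3-h13", "10.2.1-h2", "10.2.2-h5", "10.2.0-h3", "10.2.4-h16",
    "11.0.4-h1", "11.0.3-h10", "11.0.2-h4", "11.0.1-h4", "11.0.0-h3",
    "11.1.2-h3", "11.1.1-h1", "11.1.0-h3",
]

# Only these release trains are listed as affected in the advisory.
AFFECTED_TRAINS = {(10, 2), (11, 0), (11, 1)}

# major.minor.maint with an optional "-hN" hotfix suffix, e.g. "10.2.7-h8".
_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:-h(\d+))?$")


def parse_version(version: str) -> Tuple[int, int, int, int]:
    """Return (major, minor, maint, hotfix); a missing hotfix counts as 0."""
    m = _VERSION_RE.match(version.strip())
    if not m:
        raise ValueError(f"unrecognised PAN-OS version string: {version!r}")
    major, minor, maint, hotfix = m.groups()
    return int(major), int(minor), int(maint), int(hotfix or 0)


# (major, minor, maint) -> lowest hotfix number of that maintenance release
# that carries the fix.
_MIN_FIXED_HOTFIX = {}
for _rel in FIXED_RELEASES:
    _maj, _min, _mnt, _hf = parse_version(_rel)
    _MIN_FIXED_HOTFIX[(_maj, _min, _mnt)] = _hf


def is_vulnerable(version: str) -> bool:
    """True if this PAN-OS version falls in the affected range for CVE-2024-3400.

    The comparison is per maintenance release: the hotfix number is checked
    against the fixed hotfix for the same major.minor.maint, so 10.2.8-h3 is
    recognised as fixed even though it sorts below 10.2.9-h1.
    """
    major, minor, maint, hotfix = parse_version(version)
    if (major, minor) not in AFFECTED_TRAINS:
        return False  # e.g. 10.1 and 9.1 are not listed as affected
    min_fixed = _MIN_FIXED_HOTFIX.get((major, minor, maint))
    if min_fixed is not None:
        return hotfix < min_fixed
    # Assumption: a maintenance release newer than the newest fixed one in the
    # train (e.g. 10.2.10) carries the fix; an older one with no listed hotfix
    # is treated as vulnerable.
    newest_fixed_maint = max(
        mnt for (maj, mnr, mnt) in _MIN_FIXED_HOTFIX if (maj, mnr) == (major, minor)
    )
    return maint < newest_fixed_maint


def sw_version_from_system_info(output: str) -> Optional[str]:
    """Pull the sw-version value out of `show system info` CLI output."""
    for line in output.splitlines():
        key, sep, value = line.partition(":")
        if sep and key.strip() == "sw-version":
            return value.strip()
    return None


# Constructed sample output (not captured from a real device); the field
# names match what `show system info` prints.
SAMPLE_SYSTEM_INFO = """\
hostname: fw-edge-01
ip-address: 192.0.2.10
model: PA-440
sw-version: 10.2.7-h3
global-protect-client-package-version: 6.1.1
"""

if __name__ == "__main__":
    version = sw_version_from_system_info(SAMPLE_SYSTEM_INFO)
    if version is None:
        print("no sw-version line found")
    else:
        state = "VULNERABLE, upgrade required" if is_vulnerable(version) else "fixed or unaffected"
        print(f"{version}: {state}")
```

Feed it the output of `show system info` from each firewall (for example, collected over SSH or from a Panorama export) rather than the sample, and treat any version the script cannot parse as a device to inspect by hand.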
Mitigations
Customers with a Threat Prevention subscription can block attacks for this vulnerability by enabling Threat ID 95187. Palo Alto Networks notes that the Vulnerability Protection profile must be applied to the GlobalProtect interface for the signature to take effect.
If you cannot apply Threat Prevention, the initial advisory recommended temporarily disabling device telemetry until the device is upgraded to a fixed version, then re-enabling it. Caveat: Palo Alto Networks later updated its advisory to state that device telemetry does not need to be enabled for a firewall to be exploitable and that disabling it is not an effective mitigation, so the upgrade should be treated as the only reliable fix.
Threat hunters can also utilize XQL queries described in Unit 42’s synopsis of the issue.
Business Implications
Exploitation of this vulnerability can be extremely detrimental to any business or organization. Targeted attacks using it have already opened backdoors in organizational networks, allowing data exfiltration and lateral movement. A business hit by this vulnerability should expect both monetary and data loss.
Access Point Consulting Recommends
Patch: We recommend patching any applicable devices running PAN-OS as soon as possible. This should be the top priority, as there is evidence of zero-day exploitation.
Mitigate: Disabling device telemetry was the interim mitigation in the initial advisory and may buy time while upgrades are underway, but do not rely on it to keep the network secure; Palo Alto Networks later stated it is not an effective mitigation, so applying the Threat Prevention signature and upgrading remain the priority.
Utilize threat hunters: Unit 42 has published multiple XQL queries to search for signs of exploitation. Run them if your organization is, or was, on a vulnerable version. The queries are described here: https://unit42.paloaltonetworks.com/cve-2024-3400/
Associated Bulletins
https://nvd.nist.gov/vuln/detail/CVE-2024-3400
https://security.paloaltonetworks.com/CVE-2024-3400
https://www.volexity.com/blog/2024/04/12/zero-day-exploitation-of-unauthenticated-remote-code-execution-vulnerability-in-globalprotect-cve-2024-3400/