22,500 Palo Alto firewalls “possibly vulnerable” to ongoing attacks


April 19, 2024 at 11:30AM

Around 22,500 Palo Alto GlobalProtect firewall devices are likely vulnerable to the critical CVE-2024-3400 flaw, which allows unauthenticated attackers to execute commands with root privileges. Palo Alto Networks released patches between April 14-18, 2024, addressing the vulnerability. Threat actors have actively exploited the flaw, with many unpatched systems remaining possibly vulnerable.

Approximately 22,500 Palo Alto GlobalProtect firewall devices are likely vulnerable to the critical CVE-2024-3400 flaw, a command injection vulnerability actively exploited by threat actors since at least March 26, 2024. The vulnerability allows unauthenticated attackers to execute commands with root privileges. Although Palo Alto Networks disclosed the flaw on April 12 and provided mitigations, it was later revealed that only applying the security patches, not disabling telemetry, provides effective protection.

Patches for impacted PAN-OS versions were made available between April 14 and 18, 2024, and the exposure to post-disclosure risks lasted two to six days. Notably, Volexity researchers disclosed that state-backed threat actors used the flaw to infect systems with a custom backdoor named ‘Upstyle,’ and the public availability of a proof-of-concept exploit led to a surge in attacks by various threat actors.

Despite the urgency, approximately 22,500 instances remained “possibly vulnerable” as of April 18, 2024, most of them located in the United States, followed by Japan, India, Germany, the UK, Canada, Australia, and France. Threat researcher Yutaka Sejiyama reported, based on his scans, that roughly 73% of all exposed PAN-OS systems were patched within a week. Administrators who have not yet taken action to secure their systems are advised to follow the recommended actions in the Palo Alto security advisory, which has been updated several times with new information and instructions on hunting for suspicious activity.

Overall, it is crucial for system administrators to promptly apply the security patches and closely monitor the situation to mitigate the risk posed by the CVE-2024-3400 vulnerability.
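Deciding which devices in a fleet are still “possibly vulnerable” comes down to comparing each firewall's PAN-OS version against the minimum fixed release on its train, including the hotfix suffix (10.2.9 is below 10.2.9-h1, which is below 10.2.10). The following Python script is an added example, not code from the article or from Palo Alto Networks; the hostnames and versions in the inventory are constructed, and the `EXAMPLE_FIXED_VERSIONS` table holds placeholder values that must be replaced with the fixed releases named in the vendor advisory.

```python
import re
from collections import Counter

# PAN-OS version strings look like "10.2.9" or, with a hotfix, "10.2.9-h1".
_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:-h(\d+))?$")


def parse_version(text):
    """Turn a PAN-OS version string into a comparable tuple.

    The hotfix number sorts after the base release, so
    10.2.9 < 10.2.9-h1 < 10.2.9-h2 < 10.2.10.
    """
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised PAN-OS version: {text!r}")
    major, minor, maint, hotfix = m.groups()
    return (int(major), int(minor), int(maint), int(hotfix or 0))


# Placeholder table (assumption, not the real fixed releases): the lowest
# release on each affected train that carries the fix. Replace these with
# the versions named in the Palo Alto Networks advisory before relying on it.
EXAMPLE_FIXED_VERSIONS = {
    (10, 2): "10.2.5-h1",
    (11, 0): "11.0.3-h1",
    (11, 1): "11.1.1-h1",
}


def classify(version, fixed_versions=EXAMPLE_FIXED_VERSIONS):
    """Return 'patched', 'vulnerable' or 'not_in_scope' for one device."""
    parsed = parse_version(version)
    train = parsed[:2]
    if train not in fixed_versions:
        return "not_in_scope"  # release train not listed as affected
    fixed = parse_version(fixed_versions[train])
    return "patched" if parsed >= fixed else "vulnerable"


def triage(inventory, fixed_versions=EXAMPLE_FIXED_VERSIONS):
    """Summarise an inventory of (hostname, version) pairs.

    Returns the status per host, per-status counts, and the share of
    in-scope devices that are patched (None if nothing is in scope).
    """
    status = {host: classify(ver, fixed_versions) for host, ver in inventory}
    counts = Counter(status.values())
    in_scope = counts["patched"] + counts["vulnerable"]
    share = counts["patched"] / in_scope if in_scope else None
    return status, counts, share


# Constructed sample inventory; hostnames and versions are invented.
SAMPLE_INVENTORY = [
    ("fw-nyc-01", "10.2.5-h1"),   # exactly the fixed hotfix -> patched
    ("fw-nyc-02", "10.2.5"),      # base release below the hotfix -> vulnerable
    ("fw-tok-01", "11.1.2"),      # later maintenance release -> patched
    ("fw-ber-01", "11.0.2-h3"),   # hotfix on an earlier release -> vulnerable
    ("fw-lon-01", "10.1.9"),      # train not in the table -> not_in_scope
]

if __name__ == "__main__":
    status, counts, share = triage(SAMPLE_INVENTORY)
    # List the devices that still need the patch first.
    for host in sorted(status, key=lambda h: status[h] != "vulnerable"):
        print(f"{host:12} {status[host]}")
    print(dict(counts), f"patched share of in-scope devices: {share:.0%}")
```

The hotfix-aware tuple comparison is the part worth keeping: a plain string or float comparison of versions would rank 10.2.10 below 10.2.9 and would not distinguish a base release from its hotfix, which is exactly the distinction that decides whether a device is covered by the fix.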
