April 15, 2024 at 04:21AM
Palo Alto Networks has released hotfixes to address a critical security flaw (CVE-2024-3400) in PAN-OS software that is actively exploited. The flaw allows unauthenticated attackers to execute arbitrary code with root privileges on firewalls. This impacts specific PAN-OS versions and cloud-deployed firewall VMs. Threat actors have been leveraging the flaw, but the exact origins are unknown. Volexity attributes the exploitation to a cluster called UTA0218, and evidence indicates potential widespread exploitation.
Key takeaways from the meeting notes are as follows:
– Palo Alto Networks has released hotfixes for a critical security flaw impacting PAN-OS software, tracked as CVE-2024-3400, with a maximum-severity score of 10.0.
– The vulnerability is a case of command injection in the GlobalProtect feature, allowing unauthenticated attackers to execute arbitrary code with root privileges on the firewall.
– Fixes are available for PAN-OS 10.2.9-h1, 11.0.4-h1, and 11.1.2-h3, with patches for other maintenance releases expected to be released soon.
– The flaw affects specific PAN-OS versions and feature configurations, including firewall VMs deployed in the cloud; Cloud NGFW firewalls are not impacted.
– Threat actors, tracked as Operation MidnightEclipse by Palo Alto Networks Unit 42 and UTA0218 by Volexity, have been leveraging CVE-2024-3400 to deliver a Python-based backdoor named UPSTYLE, and have been observed deploying additional payloads in attacks.
– While the full extent of exploitation is unclear, evidence suggests reconnaissance activity aimed at identifying vulnerable systems has taken place.
– There have been no reports of follow-up malware or persistence methods deployed on victim networks, though it is uncertain whether this is by design or due to early detection and response.
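As an added example (not part of the original notes), a small Python helper that parses PAN-OS version strings, including the `-hN` hotfix suffix, and rates each firewall in an inventory against the three fixed releases named above. The inventory lines are constructed; versions outside the 10.2, 11.0 and 11.1 branches are reported as "unknown" because this summary says nothing about them, and hotfixes for other maintenance releases were still pending when it was written.

```python
import re
from typing import Dict, Tuple

# Fixed releases named in the summary, keyed by PAN-OS branch (major, minor).
FIXED_RELEASES = {
    (10, 2): "10.2.9-h1",
    (11, 0): "11.0.4-h1",
    (11, 1): "11.1.2-h3",
}

# PAN-OS versions look like "11.1.2-h3"; the hotfix part is optional.
VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:-h(\d+))?$")


def parse_version(text: str) -> Tuple[int, int, int, int]:
    """Parse 'major.minor.patch[-hN]' into a comparable tuple; no hotfix counts as 0."""
    m = VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"not a PAN-OS version string: {text!r}")
    major, minor, patch, hotfix = m.groups()
    return (int(major), int(minor), int(patch), int(hotfix or 0))


def patch_status(version: str) -> str:
    """Return 'patched', 'unpatched' or 'unknown', judged only against FIXED_RELEASES."""
    v = parse_version(version)
    branch = (v[0], v[1])
    if branch not in FIXED_RELEASES:
        return "unknown"  # branch not covered by the summary; do not assume safe
    fixed = parse_version(FIXED_RELEASES[branch])
    # Tuple comparison: 10.2.9 (hotfix 0) sorts below 10.2.9-h1, 10.2.10 above it.
    return "patched" if v >= fixed else "unpatched"


# Constructed inventory: "<hostname> <pan-os version>" per line (hypothetical hosts).
INVENTORY = """\
fw-edge-01 10.2.9-h1
fw-edge-02 10.2.8-h3
fw-dc-01 11.1.2-h3
fw-dc-02 11.0.3
fw-lab-01 10.1.9
"""


def triage(inventory: str) -> Dict[str, str]:
    """Map each hostname in the inventory text to its patch status."""
    result = {}
    for line in inventory.splitlines():
        host, version = line.split()
        result[host] = patch_status(version)
    return result
```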
Feel free to reach out with any further questions or if additional information is needed.