Exploit released for Palo Alto PAN-OS bug used in attacks, patch now

April 16, 2024 at 02:38PM

A critical vulnerability, tracked as CVE-2024-3400, has been actively exploited in Palo Alto Networks’ PAN-OS firewall software. Threat actors can execute arbitrary code as root via command injection, impacting PAN-OS 10.2, 11.0, and 11.1. Palo Alto Networks is releasing hotfixes, urging users to disable certain features and providing threat prevention measures. CISA has issued an alert to secure vulnerable devices.

Key takeaways from the article:

1. Palo Alto Networks’ PAN-OS firewall software has a severe vulnerability, tracked as CVE-2024-3400, which is actively exploited by threat actors to execute arbitrary code as root.

2. The vulnerability affects PAN-OS 10.2, PAN-OS 11.0, and PAN-OS 11.1 firewalls with enabled device telemetry and GlobalProtect (gateway or portal) features.

3. Hotfixes have been released by Palo Alto Networks to secure unpatched firewalls, but the vulnerability has been exploited in the wild as a zero-day since March 26th.

4. It’s reported that a threat group, believed to be state-sponsored and tracked as UTA0218, has exploited the vulnerability to backdoor firewalls using Upstyle malware, pivot to internal networks, and steal data.

5. Over 156,000 PAN-OS firewall instances are exposed on the Internet on any given day, but the exact number of vulnerable instances is not provided.

6. Threat researcher Yutaka Sejiyama found over 82,000 vulnerable firewalls, with 40% of them located in the United States.

7. Exploit code and a proof-of-concept exploit for the vulnerability have been publicly released by watchTowr Labs, enabling shell command execution on unpatched firewalls.

8. TrustedSec Chief Technology Officer Justin Elze shared an exploit allowing attackers to download the firewall’s configuration file.

9. CISA has added CVE-2024-3400 to its Known Exploited Vulnerabilities (KEV) catalog and ordered U.S. federal agencies to secure their devices by April 19th.

10. Until a patch is available, it’s recommended to disable the device telemetry feature on vulnerable devices and activate ‘Threat ID 95187’ mitigation for users with an active ‘Threat Prevention’ subscription.

These are the main points extracted from the article.