April 17, 2024 at 07:19AM
A recently disclosed vulnerability in Palo Alto Networks firewall, tracked as CVE-2024-3400, is under increasing exploitation after proof-of-concept code was made available. The flaw enables attackers to execute arbitrary code with root privileges on affected firewalls. Various threat intelligence companies have been tracking the attacks, with patches and mitigations being provided by the vendor.
From the provided meeting notes, the key points are as follows:
1. A vulnerability tracked as CVE-2024-3400 in Palo Alto Networks firewalls is being increasingly exploited after proof-of-concept (PoC) code was made available.
2. The flaw allows remote, unauthenticated attackers to execute arbitrary code with root privileges on firewalls with the GlobalProtect feature and device telemetry enabled.
3. Volexity reported attacks involving exploitation of CVE-2024-3400, with a threat actor tracked as UTA0218, possibly a state-sponsored group, leveraging the vulnerability to infiltrate internal networks and exfiltrate data, and in some cases attempting to deploy a previously undocumented Python backdoor named Upstyle.
4. Palo Alto Networks has released patches for some affected versions of PAN-OS, with more expected later in the week; however, the company has advised that disabling device telemetry is not an effective mitigation.
5. Technical details and exploit code for CVE-2024-3400 are available from WatchTowr and Rapid7’s AttackerKB website.
6. The Shadowserver Foundation and GreyNoise have both observed exploitation attempts on vulnerable Palo Alto Networks firewalls, with roughly 150,000 internet-exposed instances identified by Censys.
Please let me know if you need any further information or assistance!