April 23, 2024 at 04:59PM
Siemens urges organizations using Ruggedcom APE1808 devices configured with Palo Alto Networks Virtual NGFW to address CVE-2024-3400, a critical zero-day bug recently disclosed by PAN. The vulnerability allows command injection in the firewall's GlobalProtect feature and has already been exploited in the wild to deploy a Python backdoor on affected firewalls. Siemens is working on updates and recommends specific countermeasures in the meantime. Internet exposure remains a critical risk for industrial control system (ICS) and operational technology (OT) environments, with thousands of vulnerable instances reachable from the internet.
The advisory concerns a serious security vulnerability, tracked as CVE-2024-3400, affecting organizations that run Siemens' Ruggedcom APE1808 devices configured with Palo Alto Networks (PAN) Virtual NGFW. The vulnerability is being actively exploited and has been added to the US Cybersecurity and Infrastructure Security Agency (CISA) Known Exploited Vulnerabilities catalog. Palo Alto Networks has issued patches for the vulnerability and has warned that proof-of-concept exploit code is publicly available.
Until its own updates are available, Siemens has recommended specific countermeasures for its customers to mitigate the risk, including enabling the threat IDs released by PAN (which require a Threat Prevention subscription) to block attacks targeting the vulnerability, and considering disabling the GlobalProtect gateway and GlobalProtect portal. Note that PAN has since withdrawn its earlier recommendation to disable device telemetry, after determining that doing so does not prevent exploitation.
The Shadowserver Foundation identified thousands of vulnerable instances of PAN's NGFW exposed and accessible over the internet, with a significant number located in North America and Asia. The exposure of industrial control system (ICS) and operational technology (OT) equipment to the internet continues to be a major issue: Forescout has identified nearly 110,000 internet-facing ICS and OT systems worldwide. Opportunistic attackers are increasingly abusing this exposure, and Forescout assessed that much of it may stem from systems integrators who deliver packaged units and inadvertently connect the ICS and OT systems inside them directly to the internet.
In conclusion, organizations should act urgently to remediate CVE-2024-3400 and to reduce the internet exposure of their industrial control environments.