Palo Alto Networks has issued urgent fixes for a critical security vulnerability in its PAN-OS software. The flaw, tracked as CVE-2024-3400 and rated 10.0 on the CVSS scale, has been actively exploited in the wild.
The vulnerability is a command injection flaw in the GlobalProtect feature that could allow unauthorized attackers to execute arbitrary code with root privileges on the firewall. The following versions have been patched to address the issue:
– PAN-OS 10.2.9-h1
– PAN-OS 11.0.4-h1
– PAN-OS 11.1.2-h3
Additional patches for other commonly deployed maintenance releases are expected in the coming days. Palo Alto Networks states that the vulnerability affects only PAN-OS 10.2, PAN-OS 11.0, and PAN-OS 11.1 firewalls that are configured with a GlobalProtect gateway or GlobalProtect portal (or both) and that have device telemetry enabled.
Cloud NGFW firewalls are not affected by CVE-2024-3400, but firewall VMs that customers deploy and manage themselves in the cloud are vulnerable if they run an affected PAN-OS version with the feature configuration described above.
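The advisory conditions above (three affected feature-release branches, one named fixed hotfix per branch, and exposure only when GlobalProtect plus device telemetry are enabled) are easy to get wrong when triaging a fleet by hand, especially because a hotfix such as 10.2.9-h1 applies only to the 10.2.9 maintenance release and other maintenance releases still await their own patches. The following Python triage script is an added example written for this page, not tooling from Palo Alto Networks or Volexity. It parses PAN-OS version strings of the form major.minor.maintenance[-hN], applies the conditions as stated in the text, and treats a different maintenance release on an affected branch as "no fix listed yet" rather than assuming it is safe. The hostnames and inventory are constructed sample data.

```python
import re
from dataclasses import dataclass

# Fixed releases named in the advisory, keyed by feature-release branch.
# Per the vendor statement, only these three branches are affected.
FIXED_VERSIONS = {
    (10, 2): "10.2.9-h1",
    (11, 0): "11.0.4-h1",
    (11, 1): "11.1.2-h3",
}

# PAN-OS version strings look like "11.1.2-h3": major.minor.maintenance[-hN]
VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:-h(\d+))?$")


def parse_version(text):
    """Return (major, minor, maintenance, hotfix); a missing -hN suffix counts as hotfix 0."""
    m = VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised PAN-OS version string: {text!r}")
    major, minor, maint, hotfix = m.groups()
    return (int(major), int(minor), int(maint), int(hotfix or 0))


@dataclass
class Finding:
    version: str
    status: str
    note: str


def assess(version, gp_portal=False, gp_gateway=False, telemetry=False):
    """Classify one firewall against the CVE-2024-3400 advisory conditions."""
    v = parse_version(version)
    branch = v[:2]
    if branch not in FIXED_VERSIONS:
        return Finding(version, "not_affected_branch",
                       "feature release is outside the affected 10.2 / 11.0 / 11.1 branches")
    if not (gp_portal or gp_gateway) or not telemetry:
        return Finding(version, "exposure_conditions_not_met",
                       "affected release, but the advisory's exposure conditions "
                       "(GlobalProtect portal or gateway AND device telemetry) are not met; "
                       "still schedule the upgrade")
    fixed = parse_version(FIXED_VERSIONS[branch])
    if v[2] != fixed[2]:
        # A different maintenance release on an affected branch: the named hotfix does
        # not apply to it, and the advisory says further patches are still pending.
        return Finding(version, "vulnerable_no_fix_listed",
                       f"no fix listed for this maintenance release; move to "
                       f"{FIXED_VERSIONS[branch]} or wait for the vendor's patch")
    if v[3] >= fixed[3]:
        return Finding(version, "patched",
                       f"at or above fixed hotfix {FIXED_VERSIONS[branch]}")
    return Finding(version, "vulnerable", f"upgrade to {FIXED_VERSIONS[branch]}")


# Constructed sample inventory (not real hosts):
# (hostname, version, gp_portal, gp_gateway, telemetry)
SAMPLE_INVENTORY = [
    ("fw-edge-01", "10.2.9-h1", False, True, True),
    ("fw-edge-02", "10.2.9", False, True, True),
    ("fw-dc-01", "11.1.2-h3", True, True, True),
    ("fw-dc-02", "11.0.3", True, False, True),
    ("fw-lab-01", "10.1.9", True, False, True),
    ("fw-mgmt-01", "11.1.2", False, False, True),
]


def triage(inventory):
    """Return {hostname: Finding} so the result can be acted on programmatically."""
    return {host: assess(ver, portal, gateway, telemetry)
            for host, ver, portal, gateway, telemetry in inventory}


if __name__ == "__main__":
    for host, f in triage(SAMPLE_INVENTORY).items():
        print(f"{host:12} {f.version:10} {f.status:28} {f.note}")
```

Feed it the version and GlobalProtect/telemetry settings exported from your own management system; the "vulnerable_no_fix_listed" status is the one to watch as the vendor publishes hotfixes for additional maintenance releases, since the FIXED_VERSIONS table then needs updating.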
The identity of the threat actor exploiting this flaw is currently unknown. Palo Alto Networks Unit 42 is actively monitoring the malicious activity under the codename Operation MidnightEclipse. Volexity, attributing the activity to a cluster named UTA0218, revealed that CVE-2024-3400 has been exploited since at least March 26, 2024. The attackers have been using a Python-based backdoor called UPSTYLE on the firewall to execute arbitrary commands via specially crafted requests.
Although the extent of exploitation remains uncertain, Volexity reported evidence of potential reconnaissance activities aimed at identifying vulnerable systems for exploitation. In documented attacks, UTA0218 has been observed deploying additional payloads to establish reverse shells, exfiltrate PAN-OS configuration data, remove log files, and deploy the Golang tunneling tool known as GOST (GO Simple Tunnel).
There have been no reports of additional malware or persistence methods being deployed on victim networks, though it’s unclear whether this is intentional or due to early detection and response measures.