Article Details
Scrape Timestamp (UTC): 2024-04-15 13:01:24.442
Original Article Text
Palo Alto Networks fixes zero-day exploited to backdoor firewalls

Palo Alto Networks has started releasing hotfixes for a zero-day vulnerability that has been actively exploited since March 26th to backdoor PAN-OS firewalls.

This maximum severity security flaw (CVE-2024-3400) affects PAN-OS 10.2, PAN-OS 11.0, and PAN-OS 11.1 firewalls with device telemetry and GlobalProtect (gateway or portal) enabled. Unauthenticated threat actors can exploit it remotely to gain root code execution via command injection in low-complexity attacks that don't require user interaction.

"Palo Alto Networks is aware of a limited number of attacks that leverage the exploitation of this vulnerability," the company warned on Friday when it disclosed the zero-day.

The company has now fixed the security flaw in hotfix releases issued for PAN-OS 10.2.9-h1, PAN-OS 11.0.4-h1, and PAN-OS 11.1.2-h3. More hotfixes will be rolled out for later PAN-OS versions in the coming days.

According to Palo Alto Networks' advisory, Cloud NGFW, Panorama appliances, and Prisma Access are not exposed to attacks via this vulnerability.

Admins still waiting for a hotfix can disable the device telemetry feature on vulnerable devices until a patch is deployed. Those with an active 'Threat Prevention' subscription can also block ongoing attacks by activating the 'Threat ID 95187' threat prevention-based mitigation.

Exploited to backdoor firewalls since March

Palo Alto Networks' warning of active exploitation was confirmed by security firm Volexity, which discovered the zero-day flaw and detected threat actors using it to backdoor PAN-OS devices using Upstyle malware, breach networks, and steal data.

Volexity is tracking this malicious activity under UTA0218 and believes that state-sponsored threat actors are likely behind these ongoing attacks.

"At the time of writing, Volexity was unable to link the activity to other threat activity," Volexity said on Friday. "Volexity assesses that it is highly likely UTA0218 is a state-backed threat actor based on the resources required to develop and exploit a vulnerability of this nature, the type of victims targeted by this actor, and the capabilities displayed to install the Python backdoor and further access victim networks."

Threat researcher Yutaka Sejiyama revealed on Friday that he found over 82,000 PAN-OS devices exposed online and vulnerable to CVE-2024-3400 attacks, 40% of them in the United States.

CISA has added CVE-2024-3400 to its Known Exploited Vulnerabilities (KEV) catalog, ordering federal agencies to secure their devices within a week, by April 19th, by applying the threat mitigation rule or disabling telemetry.
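The version and exposure conditions above lend themselves to a quick inventory triage. As an added example (not code from the article, Palo Alto Networks or Volexity), the following Python classifies a firewall's PAN-OS version string against the three hotfix releases the article names and folds in the two exposure conditions it gives (device telemetry and GlobalProtect both enabled); later maintenance releases on an affected branch are reported as 'hotfix-pending' rather than fixed, because the article says those hotfixes were still to come. The 'major.minor.maint-hN' version format and the inventory flag names are assumptions.

```python
import re

# Fixed hotfix releases named in the article, keyed by PAN-OS branch (major, minor)
# -> (maintenance release, hotfix number): 10.2.9-h1, 11.0.4-h1, 11.1.2-h3.
FIXED_RELEASES = {(10, 2): (9, 1), (11, 0): (4, 1), (11, 1): (2, 3)}

# Assumed version format: 'major.minor.maint' with an optional '-hN' hotfix suffix.
_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:-h(\d+))?$")


def parse_panos_version(text):
    """Parse e.g. '11.1.2-h3' into (11, 1, 2, 3); a missing -hN counts as hotfix 0."""
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised PAN-OS version string: {text!r}")
    major, minor, maint, hotfix = m.groups()
    return int(major), int(minor), int(maint), int(hotfix or 0)


def patch_status(version):
    """Classify one version string against the hotfixes the article names.

    'vulnerable'     below the named hotfix on an affected branch
    'fixed'          at or above the named hotfix on the same maintenance release
    'hotfix-pending' affected branch but a later maintenance release; the article says
                     those hotfixes were still to come, so a higher number is NOT assumed fixed
    'not-listed'     branch not named as affected in the article
    """
    major, minor, maint, hotfix = parse_panos_version(version)
    fixed = FIXED_RELEASES.get((major, minor))
    if fixed is None:
        return "not-listed"
    fixed_maint, fixed_hotfix = fixed
    if maint < fixed_maint:
        return "vulnerable"
    if maint == fixed_maint:
        return "fixed" if hotfix >= fixed_hotfix else "vulnerable"
    return "hotfix-pending"


def recommended_action(version, telemetry_enabled, globalprotect_enabled):
    """Combine patch status with the exposure conditions (telemetry AND GlobalProtect)."""
    status = patch_status(version)
    if status in ("fixed", "not-listed"):
        return status
    if not (telemetry_enabled and globalprotect_enabled):
        return f"{status}, not currently exposed; schedule the hotfix"
    if status == "vulnerable":
        return "vulnerable, exposed: apply the hotfix now"
    return "hotfix-pending, exposed: disable device telemetry or enable Threat ID 95187"
```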
Daily Brief Summary
Palo Alto Networks has addressed a zero-day vulnerability, tagged as CVE-2024-3400, affecting several versions of their PAN-OS firewalls including PAN-OS 10.2, 11.0, and 11.1.
The vulnerability, exploited actively since March 26, allowed unauthenticated attackers remote root code execution on targeted devices without user interaction.
Hotfixes have been issued for the affected versions, with additional updates pending for other versions.
The zero-day exploit was used to install backdoor access via command injection, facilitating network breaches and data theft, possibly by state-sponsored actors tracked as UTA0218.
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has recognized the urgency of the vulnerability, adding it to its Known Exploited Vulnerabilities catalog.
Security measures recommended include disabling device telemetry until patches are applied and activating threat mitigation tools for those with 'Threat Prevention' subscriptions.
Over 82,000 PAN-OS devices were found exposed, with a significant portion located in the United States.