Palo Alto Networks Releases Pressing Fixes for Exploited PAN-OS Vulnerability

Apr 15, 2024 | Newsroom | Firewall Security / Vulnerability

Palo Alto Networks has released hotfixes to address a maximum-severity security flaw affecting PAN-OS software that has come under active exploitation in the wild.

Tracked as CVE-2024-3400 (CVSS score: 10.0), the critical vulnerability is a case of command injection in the GlobalProtect feature that an unauthenticated attacker could weaponize to execute arbitrary code with root privileges on the firewall.

Fixes for the shortcoming are available in the following versions –

  • PAN-OS 10.2.9-h1
  • PAN-OS 11.0.4-h1, and
  • PAN-OS 11.1.2-h3

Patches for other commonly deployed maintenance releases are expected to be released over the next few days.


“This issue is applicable only to PAN-OS 10.2, PAN-OS 11.0, and PAN-OS 11.1 firewalls configured with GlobalProtect gateway or GlobalProtect portal (or both) and device telemetry enabled,” the company clarified in its updated advisory.

It also noted that while Cloud NGFW firewalls are not impacted by CVE-2024-3400, specific PAN-OS versions and distinct feature configurations of firewall VMs deployed and managed by customers in the cloud are affected.
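As an added example (not code from the article or from Palo Alto Networks), the following Python check applies the advisory's conditions as quoted above to a firewall inventory: it parses PAN-OS version strings such as 10.2.9-h1 and reports whether a device is in the affected configuration and whether it runs at or above the hotfix for its branch. It assumes that any later release on a fixed branch carries the fix; the inventory records are constructed sample data.

```python
import re

# Hotfixed releases named in the advisory at publication: branch -> (patch, hotfix).
FIXED = {
    (10, 2): (9, 1),  # PAN-OS 10.2.9-h1
    (11, 0): (4, 1),  # PAN-OS 11.0.4-h1
    (11, 1): (2, 3),  # PAN-OS 11.1.2-h3
}

# PAN-OS versions look like "11.1.2" or "11.1.2-h3"; no "-hN" suffix means hotfix 0.
VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:-h(\d+))?$")


def parse_version(text):
    """Return (major, minor, patch, hotfix) for a PAN-OS version string."""
    m = VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised PAN-OS version: {text!r}")
    major, minor, patch, hotfix = m.groups()
    return int(major), int(minor), int(patch), int(hotfix or 0)


def assess(version, gp_portal, gp_gateway, telemetry):
    """Classify one firewall as 'not_affected', 'vulnerable' or 'fixed'."""
    major, minor, patch, hotfix = parse_version(version)
    branch = (major, minor)
    if branch not in FIXED:
        return "not_affected", "PAN-OS branch not listed in the advisory"
    if not (gp_portal or gp_gateway):
        return "not_affected", "no GlobalProtect portal or gateway configured"
    if not telemetry:
        return "not_affected", "device telemetry disabled"
    fixed_patch, fixed_hotfix = FIXED[branch]
    target = f"{major}.{minor}.{fixed_patch}-h{fixed_hotfix}"
    # Assumption: any later release on a fixed branch also carries the fix.
    if (patch, hotfix) >= (fixed_patch, fixed_hotfix):
        return "fixed", f"at or above {target}"
    if patch == fixed_patch:
        return "vulnerable", f"apply hotfix {target}"
    return "vulnerable", "no hotfix for this maintenance release at publication"


# Constructed sample inventory: (hostname, version, portal, gateway, telemetry).
INVENTORY = [
    ("fw-edge-1", "10.2.9-h1", True, True, True),
    ("fw-edge-2", "10.2.9", True, False, True),
    ("fw-edge-3", "10.2.8", True, True, True),
    ("fw-lab", "11.1.2-h3", False, False, True),
    ("fw-dc", "10.1.11", True, True, True),
]

if __name__ == "__main__":
    for host, ver, portal, gateway, tele in INVENTORY:
        status, why = assess(ver, portal, gateway, tele)
        print(f"{host:10} {ver:10} {status:13} {why}")
```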

The exact origins of the threat actor exploiting the flaw are currently unknown, but Palo Alto Networks Unit 42 is tracking the malicious activity under the name Operation MidnightEclipse.

Volexity, which attributed it to a cluster dubbed UTA0218, said CVE-2024-3400 has been leveraged since at least March 26, 2024, to deliver a Python-based backdoor called UPSTYLE on the firewall that allows for the execution of arbitrary commands via specially crafted requests.

It’s unclear how widespread the exploitation has been, but the threat intelligence firm said it has “evidence of potential reconnaissance activity involving more widespread exploitation aimed at identifying vulnerable systems.”

In attacks documented to date, UTA0218 has been observed deploying additional payloads to launch reverse shells, exfiltrate PAN-OS configuration data, remove log files, and deploy the Golang tunneling tool named GOST (GO Simple Tunnel).

No other follow-up malware or persistence methods are said to have been deployed on victim networks, although it is unknown whether that is by design or due to early detection and response.



Author: info@thehackernews.com (The Hacker News)
Date: 2024-04-15 04:17:00
