Palo Alto Networks is publishing fixes for a flaw in its PAN-OS software that could allow an unauthenticated attacker to execute code on some of its firewalls.
The company said that a critical command injection vulnerability in PAN-OS could allow an attacker to execute arbitrary code with root privileges on a firewall. It said the vulnerability has a CVSS score of 10 out of 10, making it critical in severity.
This issue applies only to PAN-OS 10.2, PAN-OS 11.0, and PAN-OS 11.1 firewalls configured with GlobalProtect Gateway or GlobalProtect Portal (or both) and device telemetry enabled. Palo Alto Networks said the flaw does not affect cloud firewalls (Cloud NGFW), Panorama or Prisma Access devices.
Late last week, the company said it was aware of malicious exploitation of the flaw. “We are tracking the initial exploitation of this vulnerability under the name Operation MidnightEclipse, as we assess with high confidence that the known exploit we have analyzed so far is limited to a single threat actor,” Palo Alto Networks wrote.
“Therefore, it is imperative that organizations act quickly to implement recommended mitigations and conduct compromise reviews of their devices to see if further internal investigation of their networks is required,” the researchers wrote.
Palo Alto Networks said the issue is now fixed in hotfix versions PAN-OS 10.2.9-h1, PAN-OS 11.0.4-h1, PAN-OS 11.1.2-h3, and all subsequent versions of PAN-OS. Hotfixes for other commonly deployed versions are also being released, on a schedule set out in the company's CVE-2024-3400 security notice.
However, the company also said that additional attackers could try to exploit the flaw in the future.
“As a best practice, Palo Alto Networks recommends monitoring your network for abnormal activity and investigating any unexpected activity on the network,” it said. Palo Alto Networks customers with a Threat Prevention subscription can block attacks exploiting this vulnerability by enabling threat ID 95187.
It also noted: “If you are unable to apply Threat Prevention-based mitigation at this time, you can still mitigate the impact of this vulnerability by temporarily disabling device telemetry until the device is updated to a fixed version of PAN-OS. Once updated, device telemetry must be re-enabled on the device.”
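As an added illustration (not code from Palo Alto Networks or from this article), the following Python triage helper encodes the affected release branches, the three fixed hotfix versions and the configuration conditions stated above, so that an inventory of firewalls can be sorted into not affected, fixed, mitigated or vulnerable. It assumes that only the three hotfixes named here are known; any further fixed releases listed in the vendor notice must be added to the table by hand.

```python
import re

# Fixed hotfix releases named above; later releases on the same branch are
# also fixed ("all subsequent versions"). Assumption: hotfixes for other
# releases, published in the CVE-2024-3400 notice, are not encoded here.
FIXED_IN = {
    (10, 2): (9, 1),   # PAN-OS 10.2.9-h1
    (11, 0): (4, 1),   # PAN-OS 11.0.4-h1
    (11, 1): (2, 3),   # PAN-OS 11.1.2-h3
}

_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:-h(\d+))?$")


def parse_panos_version(version: str) -> tuple[int, int, int, int]:
    """Parse 'MAJOR.MINOR.MAINT[-hN]' into (major, minor, maint, hotfix).

    A release without a '-h' suffix is treated as hotfix 0, so 10.2.9
    sorts below 10.2.9-h1 while 10.2.10 sorts above it.
    """
    m = _VERSION_RE.match(version.strip())
    if not m:
        raise ValueError(f"unrecognised PAN-OS version string: {version!r}")
    major, minor, maint, hotfix = m.groups()
    return int(major), int(minor), int(maint), int(hotfix or 0)


def assess_cve_2024_3400(version: str, globalprotect: bool, telemetry: bool) -> str:
    """Classify one firewall as 'not_affected', 'fixed', 'mitigated' or 'vulnerable'."""
    major, minor, maint, hotfix = parse_panos_version(version)
    branch = (major, minor)
    if branch not in FIXED_IN:
        return "not_affected"   # only the 10.2, 11.0 and 11.1 branches are affected
    if (maint, hotfix) >= FIXED_IN[branch]:
        return "fixed"          # at or beyond the hotfix for this branch
    if not globalprotect:
        return "not_affected"   # exposure requires a GlobalProtect portal or gateway
    if not telemetry:
        return "mitigated"      # interim workaround: device telemetry disabled
    return "vulnerable"         # unpatched, GlobalProtect and telemetry both enabled


if __name__ == "__main__":
    # Constructed sample inventory: (hostname, version, globalprotect, telemetry)
    inventory = [
        ("fw-edge-01", "10.2.9", True, True),
        ("fw-edge-02", "11.0.4-h1", True, True),
        ("fw-lab-01", "11.1.2-h2", True, False),
        ("fw-core-01", "10.1.9", True, True),
    ]
    for host, ver, gp, tel in inventory:
        print(f"{host:12} {ver:10} {assess_cve_2024_3400(ver, gp, tel)}")
```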
Evidence of state-backed exploitation
The flaw was first discovered when security company Volexity received alerts about suspicious network traffic from the firewall of one of its network security monitoring clients.
A day later, the company saw identical exploitation of another of its clients by the same group. The attacker, tracked by Volexity as UTA0218, was able to remotely exploit the firewall device, create a reverse shell, and download more tools to the device. The attacker focused on exporting configuration data from the device and then using the device as an entry point to move further into the victim's network.
The company said the attackers were observed attempting to install a custom Python backdoor into the firewall, which would allow them to execute additional commands on the device.
While investigating further, Volexity discovered that the flaw had been successfully exploited in multiple organizations since March 26. Those attempts appear to be the attacker testing the vulnerability by placing zero-byte files on firewall devices.
Volexity considered it likely that UTA0218 is a state-backed group, given the resources required to develop an exploit for such a flaw, the type of victims this actor targets, and the attackers' ability to install the Python backdoor.
The company said that, as is often the case with public vulnerability disclosures, there is likely to be an increase in exploitation as attackers attempt to exploit the flaw before mitigations and patches are implemented. With this in mind, businesses should ensure their patch management strategy is up to date and act quickly to address the issue.