Palo Alto Networks has disclosed additional information regarding a critical security vulnerability in PAN-OS that has been actively exploited by malicious actors in the wild.
The company has identified the vulnerability as CVE-2024-3400 (CVSS score: 10.0), describing it as a complex issue resulting from two bugs found in versions PAN-OS 10.2, PAN-OS 11.0, and PAN-OS 11.1.
“One of the bugs allowed the GlobalProtect service to store session IDs without proper validation, enabling attackers to store an empty file with a chosen filename,” explained Chandan B. N., senior director of product security at Palo Alto Networks in a statement.
“The second bug, which presumed the files were system-generated, used the filenames as part of a command execution process.”
The combination of these two bugs could lead to remote shell command execution, emphasizing the severity of the vulnerability.
The threat actor responsible for exploiting this zero-day flaw, known as UTA0218, conducted a sophisticated two-stage attack to achieve command execution on vulnerable devices. This campaign is referred to as Operation MidnightEclipse.
As observed by Volexity and Unit 42, the attack involved sending specialized requests with commands to be executed, leveraging a backdoor tool named UPSTYLE.
Unit 42 highlighted that the initial persistence mechanism established by UTA0218 involved setting up a cron job to retrieve and execute payloads from an attacker-controlled URL using wget and bash commands.
“In stage 1, the attacker sends a meticulously crafted shell command instead of a valid session ID to GlobalProtect,” Chandan elaborated. “This process results in creating an empty file on the system with the attacker’s chosen command embedded in the filename.”
“In stage 2, a scheduled system job unwittingly uses the attacker-provided filename in a command execution process, granting the attacker elevated privileges for running the supplied command.”
Palo Alto Networks initially mentioned that mitigating CVE-2024-3400 required specific firewall configurations and device telemetry to be enabled. However, subsequent findings by Bishop Fox revealed bypasses that allowed exploitation without telemetry being enabled.
The company has released expanded patches for various versions, including PAN-OS 10.2.x, 11.0.x, and 11.1.x, to address the vulnerability effectively.
Given the active exploitation of this flaw and the existence of proof-of-concept exploit code, users are strongly advised to apply the provided hotfixes promptly to safeguard their systems.
CISA has also included the vulnerability in its Known Exploited Vulnerabilities list, urging federal agencies to secure their devices by a specified deadline.
According to data shared by the Shadowserver Foundation, thousands of exposed firewall devices are potentially vulnerable to CVE-2024-3400, with a majority located in several countries, emphasizing the urgent need for patching to mitigate risks.
