Palo Alto Networks has released hotfixes to address a critical security flaw in its PAN-OS software that is actively being exploited in the wild. The vulnerability, tracked as CVE-2024-3400, allows an attacker to execute arbitrary code with root privileges on the firewall through command injection in the GlobalProtect feature. Fixes are available for specific versions, with patches for other releases expected soon.
The vulnerability affects PAN-OS 10.2, 11.0, and 11.1 firewalls configured with GlobalProtect gateway or portal and device telemetry enabled. Cloud NGFW firewalls are not impacted, but certain PAN-OS versions and feature configurations of customer-managed firewall VMs in the cloud are vulnerable. The threat actor exploiting the flaw, known as Operation MidnightEclipse, has been using it to deliver a Python-based backdoor named UPSTYLE since at least March 26, 2024.
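The exposure conditions above (an affected PAN-OS train, a GlobalProtect gateway or portal configured, and device telemetry enabled) lend themselves to a quick inventory triage. The script below is an added example, not Palo Alto Networks code: it parses PAN-OS version strings of the form `MAJOR.MINOR.MAINT[-hN]`, applies the conditions as the article states them, and optionally skips firewalls already at a fixed version. The hotfix version numbers are not given on this page, so the `fixed_versions` mapping is a placeholder the caller fills in from the vendor advisory; the fleet records, hostnames and versions are constructed sample data.

```python
"""Inventory triage for the CVE-2024-3400 exposure conditions summarised above.

Added example, not vendor code. Affected trains and configuration conditions
are taken from the article: PAN-OS 10.2, 11.0 and 11.1 with a GlobalProtect
gateway or portal configured AND device telemetry enabled. Fixed hotfix
versions are NOT on the page; the caller supplies them from the vendor advisory.
"""
from dataclasses import dataclass
import re

# (major, minor) trains the article names as affected.
AFFECTED_TRAINS = {(10, 2), (11, 0), (11, 1)}

# PAN-OS versions look like "11.1.2" or "11.1.2-h3" (the -hN suffix is a hotfix).
_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:-h(\d+))?$")


def parse_panos_version(text):
    """Parse 'MAJOR.MINOR.MAINT[-hN]' into a comparable tuple; hotfix is 0 if absent."""
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised PAN-OS version string: {text!r}")
    major, minor, maint, hotfix = m.groups()
    return (int(major), int(minor), int(maint), int(hotfix or 0))


@dataclass(frozen=True)
class Firewall:
    """One inventory record; field values come from your own asset data."""
    name: str
    version: str
    gp_gateway: bool   # GlobalProtect gateway configured
    gp_portal: bool    # GlobalProtect portal configured
    telemetry: bool    # device telemetry enabled


def is_in_scope(fw, fixed_versions=None):
    """Return True when the firewall matches the article's exposure conditions
    and is below the first fixed version for its train (if one is supplied).

    fixed_versions: {(major, minor): (major, minor, maint, hotfix)} taken from
    the vendor advisory. Placeholder here: no entries means nothing is treated
    as fixed.
    """
    v = parse_panos_version(fw.version)
    train = v[:2]
    if train not in AFFECTED_TRAINS:
        return False
    if not (fw.gp_gateway or fw.gp_portal):
        return False
    if not fw.telemetry:
        return False
    fixed = (fixed_versions or {}).get(train)
    if fixed is not None and v >= fixed:
        return False
    return True


def triage(fleet, fixed_versions=None):
    """Return the names of firewalls that still match the exposure conditions."""
    return [fw.name for fw in fleet if is_in_scope(fw, fixed_versions)]


# Constructed sample inventory: hostnames and versions are made up for the demo.
SAMPLE_FLEET = [
    Firewall("edge-fw-1", "11.1.2-h1", gp_gateway=True, gp_portal=True, telemetry=True),
    Firewall("edge-fw-2", "10.2.7", gp_gateway=False, gp_portal=True, telemetry=False),
    Firewall("edge-fw-3", "10.1.9", gp_gateway=True, gp_portal=False, telemetry=True),
    Firewall("edge-fw-4", "11.0.3-h4", gp_gateway=True, gp_portal=False, telemetry=True),
]

if __name__ == "__main__":
    for name in triage(SAMPLE_FLEET):
        print("matches exposure conditions, verify hotfix status:", name)
```

In the sample fleet only `edge-fw-1` and `edge-fw-4` match all three conditions: `edge-fw-2` has telemetry disabled and `edge-fw-3` runs a train the article does not list. Once the advisory's fixed versions are filled into `fixed_versions`, firewalls at or above them drop out of the list, which is the intended use when tracking hotfix rollout.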
The exact origins of the threat actor are unknown, but Volexity has linked the activity to a cluster it tracks as UTA0218. Post-exploitation activity following CVE-2024-3400 has included deploying reverse shells, exfiltrating firewall configuration data, removing log files, and using the GOST tunneling tool. While the full extent of the exploitation is unclear, there is evidence of reconnaissance activity targeting vulnerable systems.
No follow-up malware or persistence methods have been observed on victim networks so far. It is unknown whether this is intentional or due to early detection and response efforts. Palo Alto Networks and security firms are actively monitoring the situation and providing updates as more information becomes available. Users are advised to apply the necessary patches to protect their systems from potential exploitation.