Palo Alto Networks has released guidance for addressing a critical security vulnerability affecting PAN-OS, which has been actively exploited in the wild.
The vulnerability, identified as CVE-2024-3400 with a CVSS score of 10.0, enables unauthenticated remote shell command execution on vulnerable devices. Palo Alto Networks has patched this flaw in multiple versions of PAN-OS, including 10.2.x, 11.0.x, and 11.1.x.
Evidence suggests that a threat actor tracked as UTA0218, in a campaign dubbed Operation MidnightEclipse, has been exploiting this zero-day vulnerability since at least March 26, 2024. The attackers use the flaw to deploy a Python-based backdoor named UPSTYLE, which lets them execute commands via specially crafted requests.
Although the intrusions have not been attributed to a known threat actor or group, the sophisticated techniques employed and the choice of victims suggest possible state-sponsored involvement.
Palo Alto Networks outlines the following remediation steps based on the extent of compromise:
- Level 0 (Probe): If there is evidence of an unsuccessful exploitation attempt, update to the latest provided hotfix.
- Level 1 (Test): If there are indications of vulnerability testing, such as the creation of an empty file on the firewall with no evidence of unauthorized command execution, update to the latest provided hotfix.
- Level 2 (Potential Exfiltration): If there are signs of potential data exfiltration, such as files like “running_config.xml” being copied to a web-accessible location, update to the latest provided hotfix and perform a Private Data Reset.
- Level 3 (Interactive Access): If there is evidence of interactive command execution, such as the introduction of backdoors or other malicious code, update to the latest provided hotfix and perform a Factory Reset.
“Palo Alto Networks recommends performing a private data reset to eliminate the risks of potential data misuse. A factory reset is advised due to evidence of more intrusive threat actor activity,” the company stated.
Following these remediation steps can help mitigate the risks posed by this critical vulnerability and secure PAN-OS devices against exploitation.