Palo Alto Networks has released hotfixes to address a maximum-severity security flaw impacting PAN-OS software that has come under active exploitation in the wild.
Tracked as CVE-2024-3400 (CVSS score: 10.0), the critical vulnerability is a case of command injection in the GlobalProtect feature that an unauthenticated attacker could weaponize to execute arbitrary code with root privileges on the firewall.
Fixes for the shortcoming are available in the following versions:
- PAN-OS 10.2.9-h1
- PAN-OS 11.0.4-h1, and
- PAN-OS 11.1.2-h3
Patches for other commonly deployed maintenance releases are expected to be released over the next few days.
“This issue is applicable only to PAN-OS 10.2, PAN-OS 11.0, and PAN-OS 11.1 firewalls configured with GlobalProtect gateway or GlobalProtect portal (or both) and device telemetry enabled,” the company said in its updated advisory.
It also noted that while Cloud NGFW firewalls are not impacted by CVE-2024-3400, specific PAN-OS versions and distinct feature configurations of firewall VMs deployed and managed by customers in the cloud are affected.
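The affected trains, the three fixed hotfix builds, and the two configuration conditions above are enough to triage a firewall inventory. The following script is an added example written for this article, not code from Palo Alto Networks or from the advisory; the inventory records are constructed, and the script assumes that any build in the same train at or above the named hotfix carries the fix (the advisory itself only names the three hotfix versions).

```python
import re
from dataclasses import dataclass

# Fixed releases named in the advisory, keyed by version train:
# (major, minor) -> (major, minor, maintenance, hotfix)
FIXED_RELEASES = {
    (10, 2): (10, 2, 9, 1),   # PAN-OS 10.2.9-h1
    (11, 0): (11, 0, 4, 1),   # PAN-OS 11.0.4-h1
    (11, 1): (11, 1, 2, 3),   # PAN-OS 11.1.2-h3
}

# PAN-OS version strings look like "10.2.8" or "10.2.9-h1" (the -hN suffix is a hotfix).
_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:-h(\d+))?$")


def parse_version(text):
    """Parse a PAN-OS version string into a comparable tuple; a missing hotfix counts as 0."""
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised PAN-OS version string: {text!r}")
    major, minor, maint, hotfix = m.groups()
    return (int(major), int(minor), int(maint), int(hotfix or 0))


@dataclass
class Firewall:
    name: str
    version: str
    globalprotect_portal: bool
    globalprotect_gateway: bool
    device_telemetry: bool
    cloud_ngfw: bool = False


def assess(fw):
    """Classify one firewall against CVE-2024-3400.

    'not-affected': Cloud NGFW, or a version train the advisory does not list
    'patched':      at or above the fixed hotfix for its train (assumption: later builds keep the fix)
    'exposed':      vulnerable build AND GlobalProtect portal/gateway AND device telemetry enabled
    'unpatched':    vulnerable build, but the configuration conditions are not met; still patch it
    """
    if fw.cloud_ngfw:
        return "not-affected"
    v = parse_version(fw.version)
    fixed = FIXED_RELEASES.get(v[:2])
    if fixed is None:
        return "not-affected"
    if v >= fixed:
        return "patched"
    has_globalprotect = fw.globalprotect_portal or fw.globalprotect_gateway
    if has_globalprotect and fw.device_telemetry:
        return "exposed"
    return "unpatched"


def triage(inventory):
    """Return {firewall name: status} for a list of Firewall records."""
    return {fw.name: assess(fw) for fw in inventory}


# Constructed sample inventory (not real devices).
SAMPLE_INVENTORY = [
    Firewall("edge-fw-01", "10.2.8", True, True, True),         # old build, GP + telemetry
    Firewall("edge-fw-02", "10.2.9-h1", True, True, True),      # fixed hotfix applied
    Firewall("dc-fw-01", "11.0.4", False, True, True),          # 11.0.4 is below 11.0.4-h1
    Firewall("dc-fw-02", "11.1.1", True, False, False),         # vulnerable build, telemetry off
    Firewall("lab-fw-01", "10.1.9", True, True, True),          # 10.1 train is not listed
    Firewall("cloud-ngfw-01", "11.1.0", True, True, True, cloud_ngfw=True),
]

if __name__ == "__main__":
    for name, status in triage(SAMPLE_INVENTORY).items():
        print(f"{name:15} {status}")
```

Run it as a script to print one line per firewall; the 'exposed' entries are the ones that match every condition the advisory lists and should be patched first, while 'unpatched' entries still need the hotfix even though the stated configuration conditions are not met.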
The exact origins of the threat actor exploiting the flaw are currently unknown, but Palo Alto Networks Unit 42 is tracking the malicious activity under the name Operation MidnightEclipse.
Volexity, which attributed it to a cluster dubbed UTA0218, said CVE-2024-3400 has been leveraged since at least March 26, 2024, to deliver a Python-based backdoor called UPSTYLE on the firewall that allows for the execution of arbitrary commands via specially crafted requests.
It is unclear how widespread the exploitation has been, but the threat intelligence firm said it has “evidence of potential reconnaissance activity involving more widespread exploitation aimed at identifying vulnerable systems.”
In attacks documented to date, UTA0218 has been observed deploying additional payloads to launch reverse shells, exfiltrate PAN-OS configuration data, remove log files, and deploy the Golang tunneling tool named GOST (GO Simple Tunnel).
No other follow-up malware or persistence mechanisms are said to have been deployed on victim networks, although it is unknown whether that is by design or due to early detection and response.
Some parts of this article are sourced from:
thehackernews.com