Palo Alto Networks Zero-Day Exploited: A Comprehensive Analysis of the Exploit, Impact, and Prevention


This blog highlights the exploitation of a zero-day vulnerability in Palo Alto Networks' firewall product by highly skilled hackers, resulting in unauthorized access to multiple corporate networks. This exploit has significant implications due to its critical nature and the potential for severe damage to affected systems. The article aims to delve into the exploit, its impact, and preventive measures to provide a thorough analysis of the situation.


Zero-Day Vulnerability Details

The zero-day vulnerability, tracked as CVE-2024-3400, has been exploited since March 2024 and has a maximum severity rating of 10.0, indicating its critical nature. The vulnerability exists in PAN-OS 10.2, PAN-OS 11.0, and PAN-OS 11.1 firewalls when they are configured to use both the GlobalProtect gateway and device telemetry.


To verify whether you have a GlobalProtect gateway or GlobalProtect portal configured, check for entries in your firewall web interface: GlobalProtect gateways appear under Network > GlobalProtect > Gateways and GlobalProtect portals under Network > GlobalProtect > Portals. To check whether device telemetry is enabled, look for the telemetry feature under Device > Setup > Telemetry in the firewall web interface.


This vulnerability allows hackers to execute malicious code with root privileges, the highest level of system access, without requiring any authentication. Volexity, the security firm that discovered the zero-day attacks, has stated that it is currently unable to link the attackers to any previously known groups.


Impact

The ongoing attacks represent the latest in a series of assaults on firewalls, VPNs, and file-transfer appliances, which are popular targets due to their abundance of vulnerabilities and direct access to the most sensitive areas of a network. Palo Alto Networks has yet to release a patch for the vulnerability but has advised affected customers to follow the workaround and mitigation measures provided.


Based on the resources required and the targeted organizations, the attackers are considered "highly capable" and likely backed by a nation-state. So far, only a single threat group, which Volexity tracks as UTA0218, has been observed exploiting the vulnerability in limited attacks. The company cautions that as more groups learn of the vulnerability, CVE-2024-3400 is likely to face widespread exploitation, similar to recent zero-days affecting products from Ivanti, Atlassian, Citrix, and Progress.


Affected & Unaffected

The issue described is applicable to PAN-OS 10.2, PAN-OS 11.0, and PAN-OS 11.1 firewalls that are configured with both the GlobalProtect gateway and device telemetry enabled.


Versions         Affected         Unaffected
Cloud NGFW       None             All
PAN-OS 11.1      < 11.1.2-h3      >= 11.1.2-h3 (ETA: By 4/14)
PAN-OS 11.0      < 11.0.4-h1      >= 11.0.4-h1 (ETA: By 4/14)
PAN-OS 10.2      < 10.2.9-h1      >= 10.2.9-h1 (ETA: By 4/14)
PAN-OS 10.1      None             All
PAN-OS 10.0      None             All
PAN-OS 9.1       None             All
PAN-OS 9.0       None             All
Prisma Access    None             All
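The version table above and the configuration preconditions described earlier (GlobalProtect gateway or portal configured, device telemetry enabled) can be turned into a repeatable triage check for a firewall inventory. The following script is an added example written for this article; it is not Palo Alto Networks' code. It assumes PAN-OS version strings of the form "major.minor.maint" with an optional "-hN" hotfix suffix (as in the table), and it assumes the operator supplies the two configuration facts after reading them from the web interface as the article describes. The fixed versions are taken directly from the table.

```python
"""
CVE-2024-3400 exposure triage from the advisory's version table.

Added example for this article (not vendor code). Assumptions:
 - version strings look like "11.1.2-h3" or "10.2.8" (hotfix "-hN" optional)
 - GlobalProtect and telemetry state are supplied by the caller, read from
   Network > GlobalProtect and Device > Setup > Telemetry in the web UI
"""
import re
from dataclasses import dataclass
from typing import Tuple

# First fixed release per affected train, from the advisory table.
# Any version below these (same train) is in the affected range.
FIXED_IN = {
    "10.2": "10.2.9-h1",
    "11.0": "11.0.4-h1",
    "11.1": "11.1.2-h3",
}

_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:-h(\d+))?$")


def parse_version(text: str) -> Tuple[int, int, int, int]:
    """Parse 'major.minor.maint[-hN]' into a comparable tuple.

    A missing hotfix counts as 0, so 11.1.2 sorts below 11.1.2-h3.
    """
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised PAN-OS version string: {text!r}")
    major, minor, maint, hotfix = m.groups()
    return (int(major), int(minor), int(maint), int(hotfix or 0))


@dataclass
class TriageResult:
    version: str
    vulnerable_release: bool  # version falls inside an affected range
    exposed: bool             # vulnerable_release AND both feature preconditions met
    reason: str


def triage(version: str, globalprotect_configured: bool,
           telemetry_enabled: bool) -> TriageResult:
    """Classify one firewall against the advisory's conditions."""
    v = parse_version(version)
    train = f"{v[0]}.{v[1]}"
    if train not in FIXED_IN:
        return TriageResult(version, False, False,
                            f"PAN-OS {train} is not an affected release train")
    fixed_text = FIXED_IN[train]
    if v >= parse_version(fixed_text):
        return TriageResult(version, False, False,
                            f"{version} is at or above fixed release {fixed_text}")
    if not globalprotect_configured:
        return TriageResult(version, True, False,
                            "vulnerable release, but no GlobalProtect gateway/portal "
                            "configured; schedule the upgrade")
    if not telemetry_enabled:
        return TriageResult(version, True, False,
                            "vulnerable release, but device telemetry is disabled "
                            "(workaround in place); schedule the upgrade")
    return TriageResult(version, True, True,
                        f"{version} < {fixed_text} with GlobalProtect and telemetry "
                        "enabled: apply mitigations and review the device for compromise")


if __name__ == "__main__":
    # Constructed sample inventory (hostname, version, GP configured, telemetry on).
    inventory = [
        ("fw-edge-01", "11.1.2", True, True),
        ("fw-edge-02", "11.1.2-h3", True, True),
        ("fw-dc-01", "10.2.8-h3", True, False),
        ("fw-lab-01", "10.1.9", True, True),
    ]
    for host, ver, gp, tel in inventory:
        r = triage(ver, gp, tel)
        flag = "EXPOSED" if r.exposed else ("VULN-RELEASE" if r.vulnerable_release else "ok")
        print(f"{host:12} {ver:10} {flag:13} {r.reason}")
```

Treat "VULN-RELEASE" hosts as upgrade work even though a workaround removes immediate exposure, since the table lists only the hotfix builds as unaffected.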

Prevention and Mitigation

Palo Alto Networks has provided several recommended workarounds and mitigations for the issue:

  • Enable Threat Prevention Threat ID 95187 if available. This mitigation measure can help protect your devices from the exploitation of CVE-2024-3400.

  • If Threat Prevention Threat ID 95187 is not available, consider disabling device telemetry as a temporary solution until patches are released by the vendor. Disabling telemetry can help prevent potential attackers from gaining valuable information about your device's configuration and vulnerabilities.


CVE Information

CVE-2024-3400

Critical


Description: A command injection vulnerability in the GlobalProtect feature of Palo Alto Networks PAN-OS software for specific PAN-OS versions and distinct feature configurations may enable an unauthenticated attacker to execute arbitrary code with root privileges on the firewall. Fixes for PAN-OS 10.2, PAN-OS 11.0, and PAN-OS 11.1 are in development and are expected to be released by April 14, 2024. Cloud NGFW, Panorama appliances, and Prisma Access are not impacted by this vulnerability. All other versions of PAN-OS are also not impacted.


                 CVSS v2                              CVSS v3
Base score       10                                   10
Severity         Critical                             Critical
Vector           CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C     CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H


Conclusion

The Palo Alto Networks zero-day exploit highlights the importance of organizations taking swift action to deploy recommended mitigations and perform compromise reviews of their devices to determine if further investigation of their networks is necessary. As more groups learn of the vulnerability, it is likely to face widespread exploitation, similar to recent zero-days affecting products from Ivanti, Atlassian, Citrix, and Progress. Therefore, it is crucial for organizations to take immediate action to protect their networks and systems from potential attacks.

Related Articles

Palo Alto Networks zero-day exploited since March to backdoor firewalls (bleepingcomputer.com)
CVE - CVE-2024-3400 (mitre.org)
NVD - CVE-2024-3400 (nist.gov)
