Key Points
- A critical flaw in Palo Alto Networks firewalls (CVE-2024-3400) is being exploited to gain complete control over affected systems.
- Patches are available, but temporary mitigations exist for those who cannot immediately update their devices.
- CISA has given federal agencies a short deadline to resolve this vulnerability due to the severity of the threat.
Palo Alto Networks has released emergency security patches addressing a critical vulnerability (CVE-2024-3400) in its PAN-OS firewall software. This maximum severity flaw allows unauthenticated attackers to execute arbitrary code with root privileges on affected firewalls. This is especially dangerous because researchers have confirmed that the vulnerability is under active exploitation, potentially by state-backed threat groups.
Vulnerability Details and Affected Versions
CVE-2024-3400 is a critical command injection vulnerability identified by the security firm Volexity. This vulnerability specifically affects the GlobalProtect feature within Palo Alto Networks’ PAN-OS firewall operating system. Organizations relying on the following PAN-OS versions are vulnerable if they have GlobalProtect enabled in conjunction with device telemetry:
- PAN-OS 10.2 (versions prior to 10.2.9-h1)
- PAN-OS 11.0 (versions prior to 11.0.4-h1)
- PAN-OS 11.1 (versions prior to 11.1.2-h3)
Palo Alto Networks released hotfix patches to remediate this vulnerability on April 14th, 2024. Importantly, the company has confirmed that their Cloud NGFW solutions, Panorama appliances, and Prisma Access products are not susceptible to exploitation via CVE-2024-3400.
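The version thresholds above can be turned into an inventory check. The following is an added example, not code from Palo Alto Networks or Volexity: the status labels, function names, and sample hostnames are assumptions, and the thresholds and feature condition are the ones stated in this article, with the vendor advisory remaining the authoritative list of fixed builds.

```python
import re

# Fixed builds per release train, as listed in this article:
# (major, minor) -> (maintenance, hotfix)
FIXED = {(10, 2): (9, 1), (11, 0): (4, 1), (11, 1): (2, 3)}

_VERSION = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:-h(\d+))?$")


def parse_version(text):
    """Split '10.2.9-h1' into ((10, 2), (9, 1)); a missing hotfix counts as 0."""
    m = _VERSION.match(text.strip())
    if not m:
        raise ValueError(f"unrecognized PAN-OS version: {text!r}")
    major, minor, maint, hotfix = (int(g) if g else 0 for g in m.groups())
    return (major, minor), (maint, hotfix)


def triage(version, globalprotect, telemetry):
    """Classify one firewall against the article's affected-version list."""
    train, build = parse_version(version)
    if train not in FIXED:
        return "not-listed"  # release train not named in the article
    if build >= FIXED[train]:
        return "fixed"
    # Below the fixed build. "exposed" when the article's feature condition
    # holds; otherwise the device is still queued for the hotfix rather than
    # being reported as safe.
    return "exposed" if globalprotect and telemetry else "patch-pending"


# Constructed sample inventory: (hostname, version, GlobalProtect, telemetry)
INVENTORY = [
    ("fw-edge-01", "10.2.8", True, True),
    ("fw-edge-02", "10.2.9", False, True),
    ("fw-dc-01", "10.2.9-h1", True, True),
    ("fw-dc-02", "11.1.2-h1", True, True),
    ("fw-lab-01", "9.1.16", True, False),
]


def report(inventory):
    """Map each hostname to its triage status."""
    return {host: triage(ver, gp, tel) for host, ver, gp, tel in inventory}


if __name__ == "__main__":
    for host, status in report(INVENTORY).items():
        print(f"{host:12} {status}")
```

Note that a plain maintenance release such as 10.2.9 sorts below 10.2.9-h1, so it is still flagged as needing the hotfix.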
Understanding the Vulnerability
A command injection vulnerability allows an attacker to execute unauthorized commands on the affected system. In this case, a successful exploit via CVE-2024-3400 grants the attacker root-level privileges on a vulnerable firewall. Root-level access provides broad control over the device, potentially allowing the attacker to extract sensitive data, install additional malware, or disrupt network operations.
Key Takeaway
Organizations using the affected PAN-OS versions with the GlobalProtect and device telemetry features enabled are at significant risk. IT and security teams should prioritize mitigating this threat by patching or by implementing the temporary countermeasures outlined by Palo Alto Networks.
Attackers Using ‘Upstyle’ Malware
Volexity researchers were the first to identify in-the-wild exploitation of CVE-2024-3400. Their analysis shows threat actors deploy a custom Python backdoor named ‘Upstyle’ on compromised firewalls. This malware grants the attackers extensive control over vulnerable systems. Due to the sophistication and resources required for such an exploit, Volexity believes the threat group behind these attacks, tracked as UTA0218, is likely a state-sponsored actor.
High Exposure, CISA Warning
Independent scans estimate over 80,000 PAN-OS firewalls are potentially vulnerable to CVE-2024-3400, with 40% located in the United States. Recognizing the severity, the Cybersecurity and Infrastructure Security Agency (CISA) has added this vulnerability to its Known Exploited Vulnerabilities (KEV) catalog and required federal agencies to patch or mitigate it by April 19th, 2024.
Mitigations and Urgency
Palo Alto Networks strongly recommends applying available patches immediately. If patching is not feasible, the company provides these temporary mitigations:
- Disable device telemetry on vulnerable firewalls.
- Enable Threat Prevention Threat ID 95187 (if you have a Threat Prevention subscription).
Given the severity of the vulnerability and the ongoing attack campaigns, IT admins should treat this issue as a top priority.
CVE-2024-3400 is a critical vulnerability in Palo Alto Networks firewalls under active attack. Organizations using affected versions must act immediately to protect their networks. This means patching vulnerable firewalls as soon as possible. If patching is delayed, the vendor’s temporary mitigations should be implemented without hesitation. The severity of this threat cannot be overstated, and proactive action is essential to prevent the potential compromise of sensitive data and network operations.