Palo Alto Networks is issuing fixes for a flaw in its PAN-OS software that could allow an unauthenticated attacker to execute code on some of its firewalls.
The company said a critical command injection vulnerability in PAN-OS could enable an attacker to execute arbitrary code with root privileges on a firewall. It said the vulnerability has a CVSS score of 10 out of 10, making it critical in severity.
This issue is applicable only to PAN-OS 10.2, PAN-OS 11.0, and PAN-OS 11.1 firewalls configured with GlobalProtect gateway or GlobalProtect portal (or both) and device telemetry enabled. Palo Alto Networks said the flaw does not affect cloud firewalls (Cloud NGFW), Panorama appliances, or Prisma Access.
Late last week the company said it was aware of malicious exploitation of the flaw. “We are tracking the initial exploitation of this vulnerability under the name Operation MidnightEclipse, as we assess with high confidence that known exploitation we’ve analyzed thus far is limited to a single threat actor,” Palo Alto Networks wrote.
“It is therefore imperative that organizations act quickly to deploy recommended mitigations and perform compromise reviews of their devices to check whether further internal investigation of their networks is required,” researchers wrote.
Palo Alto Networks said the issue is now fixed in hotfix releases of PAN-OS 10.2.9-h1, PAN-OS 11.0.4-h1, PAN-OS 11.1.2-h3, and all later PAN-OS versions. Hotfixes for other common releases will also be released presently, with a timeline laid out in the firm's CVE-2024-3400 security advisory.
However, it also said additional attackers might attempt to exploit the flaw in the future.
“As a matter of best practice, Palo Alto Networks recommends that you monitor your network for abnormal activity and investigate any unexpected network activity,” it said. Palo Alto Networks customers with a Threat Prevention subscription could block attacks for this vulnerability by enabling Threat ID 95187.
It also noted: “If you are unable to apply the Threat Prevention based mitigation at this time, you can still mitigate the impact of this vulnerability by temporarily disabling device telemetry until the device is upgraded to a fixed PAN-OS version. Once upgraded, device telemetry should be re-enabled on the device.”
Evidence of state-backed exploitation
The flaw was discovered last when security company Volexity received alerts about suspect network traffic from the firewall of one of its network security monitoring customers.
A day later, the company saw an identical exploitation of another of its customers by the same group. The attacker, which Volexity tracks as UTA0218, was able to remotely exploit the firewall device, create a reverse shell, and download further tools onto the device. The attacker focused on exporting configuration data from the device and then using it as an entry point to move further.
The company said the attackers were observed attempting to install a custom Python backdoor on the firewall, which would allow them to execute additional commands on the device.
Discover why IT automation is taking center stage in the age of AI
As it investigated further, Volexity found that there had been successful exploitation of the flaw at multiple organizations dating back to 26 March. Those attempts appear to be the attacker testing out the vulnerability by placing zero-byte files on firewall devices.
Volexity found it likely that UTA0218 is a state-backed group, due to the resources needed to develop such a flaw, the type of victims targeted by this actor, and the attackers’ ability to install the Python backdoor.
The company said that – as is often the case with public disclosures of vulnerabilities – there is likely to be a spike in exploitation as attackers try to use the flaw before mitigations and patches are deployed. With this in mind, businesses should ensure their patch management strategy is up-to-date and act quickly to address the flaw.
