Palo Alto Networks (PAN) is sharing updated remediation information regarding a highly critical vulnerability that is being actively exploited in the wild.
The vulnerability, tracked as CVE-2024-3400, has a CVSS Vulnerability Severity Score of 10 out of 10 and could allow an unauthenticated threat actor to execute arbitrary code with root privileges on the firewall device, according to the update.
Present in PAN-OS 10.2, 11.0 and 11.1, the flaw was first disclosed on April 12 after Volexity researchers discovered it.
PAN said that the number of attacks exploiting this vulnerability continues to grow and that “evidence of this vulnerability has been publicly disclosed by third parties.”
The company recommends that customers upgrade to a fixed version of PAN-OS, such as PAN-OS 10.2.9-h1, PAN-OS 11.0.4-h1, PAN-OS 11.1.2-h3, or any later PAN-OS version, as this will fully protect their devices. PAN has also released additional hotfixes for other maintenance releases that customers have deployed.
To fully mitigate the issue, PAN recommends that customers take actions that depend on the suspicious activity observed. For example, if only probe or test activity was observed, users should update to the latest PAN-OS hotfix, secure their running configurations, create a new master key and elect AES-256-GCM. This level is defined as there being no indication of a compromise and no evidence beyond the vulnerability having been tested on the device (for example, a 0-byte file was created and resides on the firewall, but there is no indication of any known unauthorized command execution).
“PAN-OS hotfixes sufficiently address the vulnerability,” according to the update. “Restoring private data or factory reset is not recommended as there is no indication of unauthorized command execution or file exfiltration.”
However, if a file on the device has been copied to a location accessible via a web request (in most cases, the file to copy is running_config.xml, according to PAN), users should perform a private data recovery, which eliminates the risks of potential misuse of device data. And if there is evidence of interactive command execution (e.g., presence of shell-based backdoors, code injection, file extraction, command execution), PAN suggested performing a full factory reset.