Siemens is urging organizations using its Ruggedcom APE1808 devices configured with Palo Alto Networks (PAN) virtual NGFW to implement workarounds for a high-severity zero-day bug that PAN recently disclosed in its next-generation firewall product.
The command injection vulnerability, identified as CVE-2024-3400, affects multiple versions of PAN-OS firewalls when certain features are enabled on them. An attacker exploited the flaw to deploy a new Python backdoor on affected firewalls.
Actively exploited
PAN has corrected the defect after Volexity researchers discovered the vulnerability and reported it to the security vendor earlier this month. The US Cybersecurity and Infrastructure Security Agency (CISA) has added CVE-2024-3400 to its catalog of known exploited vulnerabilities following reports of multiple groups attacking the flaw.
Palo Alto Networks itself said it is aware of a growing number of attacks exploiting CVE-2024-3400 and warned that proof-of-concept code for the flaw is publicly available.
According to Siemens, its Ruggedcom APE1808 product, commonly used as edge devices in industrial control environments, is vulnerable to the problem. Siemens described all product versions with PAN Virtual NGFW configured with the GlobalProtect gateway or GlobalProtect portal (or both) as affected by the vulnerability.
In an advisory, Siemens said it is working on updates for the bug and recommended specific countermeasures that customers should take in the meantime to mitigate the risk. These include using specific threat IDs issued by PAN to block attacks targeting the vulnerability. Siemens’ advisory highlighted PAN’s recommendation to disable the GlobalProtect gateway and GlobalProtect portal, and reminded customers that both features are disabled by default in Ruggedcom APE1808 deployments.
PAN also initially recommended that organizations disable device telemetry to protect against attacks targeting the flaw. The security vendor later withdrew that advice, citing ineffectiveness. “It is not necessary to enable device telemetry for PAN-OS firewalls to be exposed to attacks related to this vulnerability,” the company noted.
Siemens urged customers, as a general rule, to protect network access to devices in industrial control environments with appropriate mechanisms, stating: “To use devices in a secure IT environment, Siemens recommends configuring the environment according to Siemens operational guidelines for Industrial Safety.”
The Shadowserver Foundation, which monitors the Internet for threat-related traffic, identified approximately 5,850 vulnerable instances of PAN’s NGFW exposed and accessible on the Internet as of April 22nd. About 2,360 of the vulnerable instances appear to be located in North America; Asia accounts for the second-highest number, with approximately 1,800 exposed instances.
Internet-exposed devices continue to pose a critical risk to ICS/OT
It is unclear how many of these exposed instances sit in industrial control systems (ICS) and operational technology (OT) environments. But in general, Internet exposure continues to be a major issue in ICS and OT environments. A new survey by Forescout found nearly 110,000 Internet-connected ICS and OT systems worldwide. The United States leads the way, accounting for 27% of exposed systems, although that figure is significantly lower than it was a few years ago. In contrast, Forescout found a sharp increase in the number of ICS/OT devices exposed to the Internet in other countries, including Spain, Italy, France, Germany and Russia.
“Opportunistic attackers increasingly abuse this large-scale exposure, sometimes with very lax targeting logic driven by trends, such as current events, copycat behavior, or emergencies found in new off-the-shelf features or hacking guides,” Forescout said. The security vendor assessed that the exposure had to do, at least in part, with systems integrators delivering packaged units whose components inadvertently expose ICS and OT systems to the Internet. “In all likelihood,” Forescout said, “most asset owners are unaware of these packaged units containing exposed OT devices.”