Palo Alto Networks has released hotfixes to address a major security flaw affecting PAN-OS software that has been actively exploited in the wild.
Tracked as CVE-2024-3400 (CVSS score: 10.0), the critical vulnerability is a command injection flaw in the GlobalProtect feature that an unauthenticated attacker could weaponize to execute arbitrary code with root privileges on the firewall.
Fixes for the issue are available in the following releases:
- PAN-OS 10.2.9-h1
- PAN-OS 11.0.4-h1
- PAN-OS 11.1.2-h3
Patches for other commonly deployed maintenance releases are expected to be released in the coming days.
“This issue is only applicable to PAN-OS 10.2, PAN-OS 11.0, and PAN-OS 11.1 firewalls configured with GlobalProtect Gateway or GlobalProtect Portal (or both) and device telemetry enabled,” the company clarified in its updated advisory.
It further stated that while Cloud NGFW firewalls are not affected by CVE-2024-3400, specific PAN-OS versions and distinct feature configurations of firewall VMs deployed and managed by customers in the cloud are affected.
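The exposure conditions quoted above (release train, GlobalProtect portal or gateway, device telemetry) and the three fixed hotfixes are enough to triage a firewall inventory. The following helper is an added example, not code from Palo Alto Networks or from the article; the inventory it runs over is constructed, and it assumes that any later maintenance release or hotfix in the same train carries the fix, which the advisory excerpt does not state.

```python
"""Triage helper for the CVE-2024-3400 conditions described in the advisory."""
import re

# Fixed hotfix releases listed in the advisory, keyed by release train.
FIXED_RELEASES = {
    (10, 2): (9, 1),   # PAN-OS 10.2.9-h1
    (11, 0): (4, 1),   # PAN-OS 11.0.4-h1
    (11, 1): (2, 3),   # PAN-OS 11.1.2-h3
}

_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:-h(\d+))?$")


def parse_panos_version(version):
    """Parse 'major.minor.maint[-hN]' into (major, minor, maint, hotfix); hotfix is 0 if absent."""
    m = _VERSION_RE.match(version.strip())
    if not m:
        raise ValueError(f"unrecognised PAN-OS version string: {version!r}")
    major, minor, maint, hotfix = m.groups()
    return int(major), int(minor), int(maint), int(hotfix or 0)


def is_exposed(version, portal, gateway, telemetry, require_telemetry=True):
    """True when every condition from the advisory excerpt is met for this firewall.

    Assumption (not on the page): a release at or above the listed hotfix in the
    same train is treated as fixed, so only earlier builds in 10.2/11.0/11.1 count.
    """
    major, minor, maint, hotfix = parse_panos_version(version)
    if (major, minor) not in FIXED_RELEASES:
        return False                      # only 10.2, 11.0 and 11.1 are in scope
    if not (portal or gateway):
        return False                      # GlobalProtect not configured
    if require_telemetry and not telemetry:
        return False                      # telemetry condition from the excerpt
    return (maint, hotfix) < FIXED_RELEASES[(major, minor)]


# Constructed sample inventory; hostnames and settings are made up for illustration.
SAMPLE_INVENTORY = [
    {"host": "fw-dc-01", "version": "10.2.9-h1", "portal": True, "gateway": True, "telemetry": True},
    {"host": "fw-branch-02", "version": "10.2.8", "portal": False, "gateway": True, "telemetry": True},
    {"host": "fw-lab-03", "version": "11.1.2-h2", "portal": True, "gateway": False, "telemetry": False},
    {"host": "fw-legacy-04", "version": "10.1.11", "portal": True, "gateway": True, "telemetry": True},
]


def triage(inventory, require_telemetry=True):
    """Return the hostnames in the inventory that still meet the exposure conditions."""
    return [fw["host"] for fw in inventory
            if is_exposed(fw["version"], fw["portal"], fw["gateway"],
                          fw["telemetry"], require_telemetry)]
```

Palo Alto Networks later removed the device-telemetry condition from the advisory, so the stricter `require_telemetry=False` pass is the one to act on.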
The exact origins of the threat actor exploiting the flaw are currently unknown, but Palo Alto Networks Unit 42 is monitoring the malicious activity under the name Operation MidnightEclipse.
Volexity, which attributed the activity to a cluster it tracks as UTA0218, said CVE-2024-3400 has been exploited since at least March 26, 2024, to deliver a Python-based backdoor called UPSTYLE on the firewall that allows execution of arbitrary commands via specially crafted requests.
It’s unclear how widespread the exploitation was, but the threat intelligence firm said it had “evidence of potential reconnaissance activity involving more widespread exploitation aimed at identifying vulnerable systems.”
In attacks documented to date, UTA0218 has been observed deploying additional payloads to launch reverse shells, exfiltrate PAN-OS configuration data, remove log files, and deploy the Golang tunneling tool GOST (GO Simple Tunnel).
No other malware or persistence methods are said to have been deployed on victim networks, although whether this is by design or timely detection and response is unknown.