Critical Palo Alto Networks PAN-OS zero-day exploited
Yesterday a critical zero-day vulnerability, designated CVE-2024-3400, was revealed to be under active exploitation. The issue is an unauthenticated command injection in the GlobalProtect feature of PAN-OS that allows remote code execution with root privileges on the firewall. It carries a CVSS base score of 10.0 and affects Palo Alto Networks PAN-OS versions 10.2, 11.0, and 11.1.
A security advisory has been published providing a timeline for resolution, which is expected by April 14, 2024. CISA has added CVE-2024-3400 to its Known Exploited Vulnerabilities (KEV) catalog, with a patching deadline set for April 19, 2024.
Overview of the PAN-OS exploit
The vulnerability impacts PAN-OS 10.2, 11.0, and 11.1 firewalls that have a GlobalProtect gateway (or portal) configured. The initial advisory also listed enabled device telemetry as a precondition; Palo Alto Networks has since clarified that device telemetry does not need to be enabled for a firewall to be exposed. PAN-OS 10.1 and earlier are unaffected, as are Cloud NGFW, Panorama appliances, and Prisma Access.
It has been reported that roughly 82,000 Internet-exposed firewalls are running vulnerable versions. Administrators running an affected PAN-OS version can check whether a GlobalProtect gateway is configured by looking for entries in the firewall web interface (Network > GlobalProtect > Gateways) and can see whether device telemetry is enabled under Device > Setup > Telemetry. The presence of a GlobalProtect gateway or portal is what matters; do not treat disabled telemetry as proof that a firewall is safe.
The vulnerability, discovered by researchers at Volexity, is quite novel as it utilizes 404 pages for command injection (CWE-77). Attackers modify the URI of the non-existent pages to execute commands on compromised machines.
Melvin Lammerts, Hacking Manager at Hadrian
Initial exploitation attempts were observed as early as March 26, 2024. After exploiting the vulnerability, threat actors were observed deploying additional tooling on the firewall, then moving laterally into the internal network and extracting sensitive credentials and files.
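A quick way to triage a firewall for exploitation attempts is to look at the GlobalProtect service log (mp-log gpsvc.log on the PAN-OS CLI) for "failed to unmarshal session(...)" entries whose session value contains a path rather than a session token; this is the indicator Palo Alto Networks published for the vulnerability. The script below is an added example, not code from the original post or from Palo Alto Networks: it runs that check over a few constructed log lines (not real captures) and additionally flags session values that carry shell metacharacters, which a command-injection attempt would need. The JSON-ish line layout of the samples is an assumption; the regular expression only depends on the "failed to unmarshal session(" marker.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample lines in the rough shape of gpsvc.log entries (not real captures).
# Line 1 is a benign unmarshal failure, line 2 a path-traversal probe,
# line 4 a traversal whose filename also carries shell metacharacters.
SAMPLE_GPSVC_LOG = """\
{"level":"info","time":"2024-04-11T10:02:31Z","message":"failed to unmarshal session(a3f9c2b17d4e4f3a9c2e1b2c3d4e5f60)"}
{"level":"error","time":"2024-04-11T10:05:12Z","message":"failed to unmarshal session(../../../../../../../var/appweb/sslvpndocs/global-protect/portal/css/probe.css)"}
{"level":"info","time":"2024-04-11T10:06:00Z","message":"gateway connection established for user alice"}
{"level":"error","time":"2024-04-11T10:07:45Z","message":"failed to unmarshal session(../../../../../../../opt/panlogs/tmp/device_telemetry/minute/x`id`)"}
"""

# Same marker the vendor's published grep looks for; the session value is
# everything up to the closing parenthesis.
SESSION_RE = re.compile(r"failed to unmarshal session\((?P<sid>[^)]*)\)")

# Characters that would let a filename break out into a shell command.
SHELL_META = set("`$;|&\n")


@dataclass
class Finding:
    line_no: int
    session: str
    target: Optional[str]   # path component after the last "../", if any
    shell_meta: bool        # True when the value carries shell metacharacters


def triage_gpsvc_log(text: str) -> List[Finding]:
    """Return one Finding per log line whose session value looks like a path."""
    findings: List[Finding] = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        m = SESSION_RE.search(line)
        if not m:
            continue
        sid = m.group("sid")
        # A genuine session ID is a bare token; a "/" means the SESSID cookie
        # was used as a filesystem path (the vendor's indicator of an attempt).
        if "/" not in sid:
            continue
        target = sid.rsplit("../", 1)[-1] if "../" in sid else sid
        findings.append(
            Finding(
                line_no=line_no,
                session=sid,
                target=target,
                shell_meta=any(c in SHELL_META for c in sid),
            )
        )
    return findings


def summarize(findings: List[Finding]) -> str:
    """One-line verdict suitable for a ticket or a SIEM note."""
    if not findings:
        return "no traversal in session IDs: no indicator of CVE-2024-3400 attempts"
    injected = sum(1 for f in findings if f.shell_meta)
    return (f"{len(findings)} traversal attempt(s), {injected} with shell "
            f"metacharacters: treat the firewall as compromised until proven otherwise")


if __name__ == "__main__":
    for f in triage_gpsvc_log(SAMPLE_GPSVC_LOG):
        tag = "CMD-INJECT" if f.shell_meta else "TRAVERSAL"
        print(f"line {f.line_no}: {tag} -> {f.target}")
    print(summarize(triage_gpsvc_log(SAMPLE_GPSVC_LOG)))
```

On a real appliance, export the log with the CLI, then feed it to `triage_gpsvc_log`; a hit on either class of finding is grounds to start incident response, not just to patch, because exploitation preceded the public disclosure by more than two weeks.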
Recommended Mitigation
As CVE-2024-3400 is being actively exploited, action should be taken immediately. Palo Alto Networks has fixed the issue in PAN-OS 10.2.9-h1, PAN-OS 11.0.4-h1, PAN-OS 11.1.2-h3, and all later PAN-OS releases. If you are unable to apply the fix, take the following mitigating actions in the meantime:
- Customers with an active Threat Prevention subscription can block attacks by enabling Threat ID 95187 (a Vulnerability Protection signature delivered through the Applications and Threats content update).
- Make sure a Vulnerability Protection profile is applied to the GlobalProtect interface(s); the signature only protects traffic that passes through such a profile. Details are in the Palo Alto Networks advisory for CVE-2024-3400.
- The original advisory recommended disabling device telemetry until the fix was applied. Palo Alto Networks has since stated that disabling telemetry is no longer an effective mitigation, so do not rely on it in place of the threat signature and the hotfix.
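When working through a fleet of firewalls it helps to have the affected/fixed boundary as code rather than as a table to read by eye, because the fix is a hotfix suffix (for example 11.1.2-h3 is fixed while 11.1.2 and 11.1.2-h2 are not). The function below is an added example, not Palo Alto Networks code; it encodes the three fixed releases named above and the advisory's statement that 10.1 and earlier are unaffected. It does not know about hotfixes the vendor later published for earlier maintenance releases, so read a "vulnerable" verdict as "check the advisory and patch", not as a final answer. The inventory it runs over is constructed.

```python
import re
from typing import Dict, List, Tuple

Version = Tuple[int, int, int, int]  # (major, minor, maintenance, hotfix)

# Fixed releases named in the Palo Alto Networks advisory, keyed by release train.
FIXED_IN: Dict[str, Version] = {
    "10.2": (10, 2, 9, 1),   # PAN-OS 10.2.9-h1
    "11.0": (11, 0, 4, 1),   # PAN-OS 11.0.4-h1
    "11.1": (11, 1, 2, 3),   # PAN-OS 11.1.2-h3
}

VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:-h(\d+))?$")


def parse_panos_version(text: str) -> Version:
    """Parse '11.1.2-h3' -> (11, 1, 2, 3); a missing hotfix suffix counts as h0."""
    m = VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"not a PAN-OS version string: {text!r}")
    major, minor, maint, hotfix = m.groups()
    return (int(major), int(minor), int(maint), int(hotfix or 0))


def is_vulnerable(version: str, globalprotect_configured: bool = True) -> bool:
    """True when the version sits below the fix in an affected train.

    Trains not listed in FIXED_IN (10.1 and earlier, and anything newer than
    11.1) are treated as unaffected, following the advisory text. Firewalls
    without a GlobalProtect gateway or portal are not exposed.
    """
    if not globalprotect_configured:
        return False
    ver = parse_panos_version(version)
    train = f"{ver[0]}.{ver[1]}"
    fixed = FIXED_IN.get(train)
    if fixed is None:
        return False
    # Tuple comparison puts 10.2.9 (hotfix 0) below 10.2.9-h1 and 10.2.10 above it.
    return ver < fixed


def triage_inventory(inventory: List[Tuple[str, str, bool]]) -> List[str]:
    """Return the hostnames that need the hotfix, from (host, version, has_gp) rows."""
    return [host for host, version, has_gp in inventory
            if is_vulnerable(version, has_gp)]


# Constructed inventory: (hostname, sw-version, GlobalProtect gateway/portal configured)
SAMPLE_INVENTORY = [
    ("fw-dc1-edge", "11.1.2-h2", True),
    ("fw-dc1-core", "11.1.2-h3", True),
    ("fw-branch-7", "10.2.9", True),
    ("fw-branch-8", "10.2.9", False),
    ("fw-legacy", "10.1.14", True),
    ("fw-lab", "11.0.5", True),
]

if __name__ == "__main__":
    for host in triage_inventory(SAMPLE_INVENTORY):
        print(f"{host}: below fixed release, apply hotfix or mitigations")
```

The `globalprotect_configured` flag is meant to be filled from the Network > GlobalProtect > Gateways and Portals pages of each firewall; leave it at its default of True when that information is not yet collected, so that the check errs towards patching.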
There has been a noticeable increase in the number of network-edge zero-days used to compromise corporate networks. These exploits typically require specialized skills and significant development time, hallmarks of state-sponsored threat actors. For more detailed information on mitigation strategies, and to understand how these vulnerabilities may affect your organization, you can reach out to one of Hadrian's security experts.