Palo Alto Networks has started releasing hotfixes for a zero-day vulnerability that has been actively exploited since March 26th to backdoor PAN-OS firewalls.
This security flaw (CVE-2024-3400) affects PAN-OS 10.2, PAN-OS 11.0, and PAN-OS 11.1 firewalls with device telemetry and GlobalProtect (gateway or portal) enabled.
“Palo Alto Networks is aware of a limited number of attacks that leverage the exploitation of this vulnerability,” the company warned on Friday when it disclosed the zero-day.
The Zero-Day Enabling Easy System Compromise
What makes CVE-2024-3400 so dangerous is that it lets an unauthenticated attacker execute arbitrary code with root privileges on the firewall through a relatively simple command injection in the GlobalProtect feature; the flaw carries the maximum CVSS score of 10.0.
No user interaction is required, enabling threat actors to gain full system control over vulnerable Palo Alto firewalls through low-complexity exploits.
Palo Alto Networks has rushed out hotfix releases to address the flaw, starting with PAN-OS 10.2.9-h1, 11.0.4-h1, and 11.1.2-h3, with fixes for other maintenance releases still in development. Until a fix is available for a given build, the vendor's initial advice was to disable the device telemetry feature or, for organizations with an active Threat Prevention subscription, to block the attack with a vulnerability signature. Palo Alto Networks later revised its advisory to state that device telemetry does not need to be enabled for a firewall to be exploited, so disabling telemetry is not a reliable mitigation; only the hotfix, or the Threat Prevention signature as a stopgap, is.
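As an added example (not Palo Alto Networks' code and not part of the original article), the following Python script shows how a defender might triage a firewall inventory against the fixed builds the article lists. It assumes exactly what the article states: affected branches 10.2, 11.0 and 11.1, first fixed builds 10.2.9-h1, 11.0.4-h1 and 11.1.2-h3, and GlobalProtect gateway or portal enabled as the exposure condition. It deliberately does not treat device telemetry as a mitigating factor, since the vendor later withdrew that mitigation. The inventory, hostnames and field names are constructed for the example; in practice, refresh FIRST_FIXED from the current vendor advisory, because fixes were later backported to other maintenance releases that this table does not know about.

```python
"""Triage a PAN-OS firewall inventory against the CVE-2024-3400 fixed builds.

Added example, not Palo Alto Networks code. Assumptions: affected branches
10.2, 11.0 and 11.1; first fixed builds 10.2.9-h1, 11.0.4-h1 and 11.1.2-h3;
GlobalProtect (gateway or portal) enabled is the exposure condition. Device
telemetry state is ignored on purpose. Hostnames, versions and field names in
SAMPLE_INVENTORY are constructed for this example.
"""
import re
from typing import List, NamedTuple, Tuple

# First build on each affected branch that contains the fix, as listed in the
# article. Later backported hotfixes on other maintenance releases would need
# to be added here from the vendor advisory.
FIRST_FIXED = {
    (10, 2): "10.2.9-h1",
    (11, 0): "11.0.4-h1",
    (11, 1): "11.1.2-h3",
}

# PAN-OS version strings look like MAJOR.MINOR.MAINT or MAJOR.MINOR.MAINT-hN.
_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:-h(\d+))?$")


def parse_version(text: str) -> Tuple[int, int, int, int]:
    """Return (major, minor, maintenance, hotfix); a missing -hN counts as 0,
    so plain tuple comparison orders 10.2.9 below 10.2.9-h1."""
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised PAN-OS version string: {text!r}")
    major, minor, maint, hotfix = m.groups()
    return int(major), int(minor), int(maint), int(hotfix or 0)


class Verdict(NamedTuple):
    host: str
    exposed: bool  # vulnerable build AND GlobalProtect enabled
    action: str


def assess(host: str, version: str, globalprotect_enabled: bool) -> Verdict:
    """Classify one firewall by version branch, hotfix level and exposure."""
    v = parse_version(version)
    branch = v[:2]
    if branch not in FIRST_FIXED:
        return Verdict(host, False, "branch not listed as affected")
    fixed = FIRST_FIXED[branch]
    if v >= parse_version(fixed):
        return Verdict(host, False, f"fixed build (>= {fixed})")
    if not globalprotect_enabled:
        return Verdict(host, False,
                       f"vulnerable build but GlobalProtect off: schedule upgrade to {fixed}")
    return Verdict(host, True,
                   f"EXPOSED: upgrade to {fixed} now or apply the Threat Prevention signature")


def triage(inventory: List[dict]) -> List[Verdict]:
    """Assess every device and return the list with exposed firewalls first."""
    verdicts = [assess(d["host"], d["version"], d["globalprotect"]) for d in inventory]
    return sorted(verdicts, key=lambda x: (not x.exposed, x.host))


# Constructed sample inventory (hostnames and versions are made up).
SAMPLE_INVENTORY = [
    {"host": "fw-edge-01", "version": "10.2.9", "globalprotect": True},
    {"host": "fw-edge-02", "version": "11.1.2-h3", "globalprotect": True},
    {"host": "fw-dc-01", "version": "11.0.4-h1", "globalprotect": False},
    {"host": "fw-lab-01", "version": "11.1.2-h2", "globalprotect": False},
    {"host": "fw-branch-07", "version": "10.1.9", "globalprotect": True},
    {"host": "fw-vpn-03", "version": "11.0.3-h5", "globalprotect": True},
]

if __name__ == "__main__":
    for verdict in triage(SAMPLE_INVENTORY):
        print(f"{verdict.host:14} exposed={str(verdict.exposed):5} {verdict.action}")
```

The version parser is the part worth getting right: a build without a -hN suffix must sort below the same build with a hotfix, which the four-element tuple handles, and any string the regex does not recognise raises rather than silently passing as "fixed".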
The cybersecurity firm Volexity, which discovered and reported the zero-day, has been tracking active exploitation by a suspected state-sponsored group it calls UTA0218, which uses the flaw to install a Python backdoor Volexity has named UPSTYLE on PAN-OS devices.
“Volexity assesses that it is highly likely UTA0218 is a state-backed threat actor based on the resources required to develop and exploit a vulnerability of this nature, the type of victims targeted by this actor, and the capabilities displayed to install the Python backdoor and further access victim networks,” Volexity stated.
Once the attackers gain an initial foothold on a compromised firewall, they move laterally into the wider corporate network and steal sensitive data.
Over 82,000 Vulnerable Palo Alto Firewalls Exposed Online
The severity of the situation is compounded by the widespread exposure of vulnerable Palo Alto firewalls. Security researcher Yutaka Sejiyama found over 82,000 instances accessible from the internet, with 40% of them located in the United States.
The disclosure of this zero-day and evidence of ongoing attacks is a major blow to Palo Alto Networks’ reputation as a leading cybersecurity vendor.
Customers are likely questioning how such a glaring vulnerability made it through testing and quality assurance checks.
While the company has been quick to respond with fixes, concerns will linger about unpatched versions and the potential for future zero-days lurking in PAN-OS.
Palo Alto will need to double down on secure development practices to restore customer confidence shaken by this incident.
Organizations still running vulnerable versions of the PAN-OS firewalls must treat this as a top priority threat. Applying the hotfix updates or implementing the vendor’s workarounds is imperative to prevent compromise by the threat actors actively exploiting this zero-day vulnerability against global targets.