Palo Alto Networks has started releasing hotfixes for a zero-day vulnerability that has been actively exploited since March 26th to backdoor PAN-OS firewalls.
This maximum severity security flaw (CVE-2024-3400) affects PAN-OS 10.2, PAN-OS 11.0, and PAN-OS 11.1 firewalls with device telemetry and GlobalProtect (gateway or portal) enabled.
Unauthenticated attackers can exploit it remotely, via command injection, to execute arbitrary code as root in low-complexity attacks that require no user interaction.
"Palo Alto Networks is aware of a limited number of attacks that leverage the exploitation of this vulnerability," the company warned on Friday when it disclosed the zero-day.
The company has now fixed the security flaw in hotfix releases issued for PAN-OS 10.2.9-h1, PAN-OS 11.0.4-h1, and PAN-OS 11.1.2-h3. More hotfixes will be rolled out for later PAN-OS versions in the coming days.
According to Palo Alto Networks’ advisory, Cloud NGFW, Panorama appliances, and Prisma Access are not exposed to attacks via this vulnerability.
Admins still waiting for a hotfix can disable the device telemetry feature on vulnerable devices as a temporary workaround; telemetry should stay disabled until the hotfix is actually installed. Those with an active 'Threat Prevention' subscription can also block ongoing attacks by enabling the threat prevention signature 'Threat ID 95187'.
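To turn the version list and preconditions above into a quick fleet triage, here is an added example (not code from Palo Alto Networks or from this article). It parses PAN-OS version strings of the form major.minor.maint[-hN], compares each device against the first fixed hotfix on its release branch, and applies the advisory's two preconditions (GlobalProtect and device telemetry both enabled). It assumes that any release on a listed branch that is newer than the named hotfix is fixed, and the inventory it runs over is constructed for illustration.

```python
import re

# First fixed release on each affected branch, as named in the hotfix announcement.
FIXED_BY_BRANCH = {
    (10, 2): "10.2.9-h1",
    (11, 0): "11.0.4-h1",
    (11, 1): "11.1.2-h3",
}

# PAN-OS versions look like 11.1.2 or 11.1.2-h3 (the -hN suffix is a hotfix number).
_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:-h(\d+))?$")


def parse_version(version: str) -> tuple[int, int, int, int]:
    """Return (major, minor, maint, hotfix); a missing -hN suffix counts as hotfix 0."""
    m = _VERSION_RE.match(version.strip())
    if not m:
        raise ValueError(f"unrecognised PAN-OS version: {version!r}")
    major, minor, maint, hotfix = m.groups()
    return (int(major), int(minor), int(maint), int(hotfix or 0))


def assess(version: str, globalprotect_enabled: bool, telemetry_enabled: bool) -> str:
    """Classify one firewall against CVE-2024-3400 as described in the advisory.

    Returns one of:
      not_affected  - release branch not listed as affected (assumption: older/other branches)
      fixed         - at or beyond the first hotfix for that branch (assumption: later = fixed)
      not_exposed   - vulnerable code present, but GlobalProtect or telemetry is disabled
      vulnerable    - unpatched and both preconditions are met
    """
    parsed = parse_version(version)
    branch = parsed[:2]
    if branch not in FIXED_BY_BRANCH:
        return "not_affected"
    if parsed >= parse_version(FIXED_BY_BRANCH[branch]):
        return "fixed"
    if not (globalprotect_enabled and telemetry_enabled):
        return "not_exposed"
    return "vulnerable"


def triage(inventory: list[dict]) -> list[tuple[str, str, str]]:
    """Return (hostname, version, status) for every device, vulnerable ones first."""
    order = {"vulnerable": 0, "not_exposed": 1, "fixed": 2, "not_affected": 3}
    rows = [
        (d["host"], d["version"], assess(d["version"], d["globalprotect"], d["telemetry"]))
        for d in inventory
    ]
    return sorted(rows, key=lambda r: (order[r[2]], r[0]))


# Constructed sample inventory (hostnames and settings are illustrative, not real devices).
SAMPLE_INVENTORY = [
    {"host": "fw-edge-01", "version": "11.1.2",    "globalprotect": True,  "telemetry": True},
    {"host": "fw-edge-02", "version": "11.1.2-h3", "globalprotect": True,  "telemetry": True},
    {"host": "fw-dc-01",   "version": "10.2.8",    "globalprotect": True,  "telemetry": False},
    {"host": "fw-lab-01",  "version": "10.1.11",   "globalprotect": True,  "telemetry": True},
    {"host": "fw-vpn-01",  "version": "11.0.4",    "globalprotect": True,  "telemetry": True},
]

if __name__ == "__main__":
    for host, version, status in triage(SAMPLE_INVENTORY):
        print(f"{host:12} {version:10} {status}")
```

Note that 11.0.4 without the -h1 suffix still sorts below 11.0.4-h1 and is reported as vulnerable, which is the comparison that matters when checking a fleet against hotfix builds. The fw-dc-01 entry shows the workaround case: the code is unpatched, but with telemetry off the device is not exposed until the hotfix is installed and telemetry is re-enabled.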
Exploited to backdoor firewalls since March
Palo Alto Networks' warning of active exploitation was confirmed by security firm Volexity, which discovered the zero-day and observed threat actors exploiting it to deploy the Upstyle backdoor on PAN-OS devices, move into victim networks, and steal data.
Volexity is tracking this malicious activity under the name UTA0218 and believes that a state-sponsored threat actor is likely behind these ongoing attacks.
"At the time of writing, Volexity was unable to link the activity to other threat activity," Volexity said on Friday.
"Volexity assesses that it is highly likely UTA0218 is a state-backed threat actor based on the resources required to develop and exploit a vulnerability of this nature, the type of victims targeted by this actor, and the capabilities displayed to install the Python backdoor and further access victim networks."
Threat researcher Yutaka Sejiyama revealed on Friday that he found over 82,000 PAN-OS devices exposed online and vulnerable to CVE-2024-3400 attacks, roughly 40% of them in the United States.
CISA has added CVE-2024-3400 to its Known Exploited Vulnerabilities (KEV) catalog, giving federal agencies one week, until April 19th, to secure their devices by applying the Threat Prevention mitigation or disabling device telemetry.