Palo Alto Networks PAN-OS Zero-Day Active Exploit: What You Need to Know

Palo Alto Networks issued a warning on April 12, 2024, that a critical, unpatched vulnerability in their PAN-OS firewall is being actively exploited.
Varonis Threat Labs
2 min read
Last updated April 16, 2024

Palo Alto Networks has warned that a critical, unpatched vulnerability in their PAN-OS firewall is being actively exploited.

CVE-2024-3400 is a critical vulnerability for Palo Alto Networks PAN-OS software — specifically impacting devices that run major versions of PAN-OS 10.2, 11.0, and 11.1.

The vulnerability allows an unauthenticated remote attacker to inject commands and run them with elevated privileges on affected devices. Exploitation requires no special privileges or user interaction.

CVE-2024-3400 does not affect cloud firewalls (Cloud NGFW), Panorama appliances, or Prisma Access. An overview of the impact can be seen in the table below:


Fixes are expected in upcoming releases of PAN-OS 10.2, 11.0, and 11.1, and in all later PAN-OS versions, by April 14, 2024.

Is CVE-2024-3400 being actively exploited in the wild?

Yes, this CVE is being actively exploited. Initial exploitation, tracked under the name Operation Midnight Eclipse, has been attributed to a single threat actor.

There is high confidence that other threat actors will attempt exploitation in the future.

What does this mean for my organization?

If you are a Palo Alto Networks customer running PAN-OS, it's recommended to closely monitor your network for abnormal activity and investigate anything unexpected. A list of known IOCs associated with exploitation attempts and post-exploitation activity is available here. In the interim, Palo Alto Networks recommends the following mitigations:

  • Customers with an active Threat Prevention subscription can block attacks related to this vulnerability by enabling Threat ID 95187
  • Additionally, ensure that vulnerability protection is applied to the GlobalProtect interface to prevent exploitation on affected devices 

If your organization is unable to apply the Threat Prevention mitigation, there’s an alternative.

The vulnerability is only exploitable if both a GlobalProtect gateway is configured (Network -> GlobalProtect -> Gateways) and device telemetry is enabled (Device -> Setup -> Telemetry). Customers can mitigate the impact of this vulnerability by temporarily disabling device telemetry and re-enabling it once the hotfix is applied.

As of April 16, 2024, Palo Alto Networks has begun issuing hotfixes to remediate this vulnerability for their various PAN-OS release versions. Check Palo Alto Networks Security Advisories to determine if a patch is available for your current PAN-OS version or an estimate for when a patch is expected if one is not yet available. 

Currently, hotfixes are available for the following versions: 

  • 10.2.9-h1 
  • 10.2.8-h3 
  • 10.2.7-h8 
  • 11.0.4-h1 
  • 11.1.2-h3
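As an added example (not code from the Varonis post or from Palo Alto Networks), the following script turns the conditions above into an exposure check for a firewall inventory: it parses PAN-OS version strings with their `-hN` hotfix suffix, compares them against the hotfixed builds listed as of April 16, 2024, and then applies the two preconditions (GlobalProtect gateway configured, device telemetry enabled). Device names and settings in the sample inventory are constructed; any build not in the hotfix map is treated as unpatched until the advisory is re-checked.

```python
import re
from dataclasses import dataclass

# Hotfixed builds listed in the post (April 16, 2024): base version -> minimum hotfix number.
# Builds absent from this map are conservatively treated as unpatched; re-check the advisory.
HOTFIXED = {(10, 2, 9): 1, (10, 2, 8): 3, (10, 2, 7): 8, (11, 0, 4): 1, (11, 1, 2): 3}
AFFECTED_MAJORS = {(10, 2), (11, 0), (11, 1)}
VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:-h(\d+))?$")

def parse_version(text):
    """Parse '10.2.8-h3' into ((10, 2, 8), 3); a missing '-hN' suffix means hotfix 0."""
    m = VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognized PAN-OS version: {text!r}")
    major, minor, maint, hotfix = m.groups()
    return (int(major), int(minor), int(maint)), int(hotfix or 0)

@dataclass
class Device:
    name: str
    version: str
    gp_gateway: bool   # Network -> GlobalProtect -> Gateways configured
    telemetry: bool    # Device -> Setup -> Telemetry enabled

def assess(device):
    """Classify one firewall against the conditions given in the post."""
    base, hotfix = parse_version(device.version)
    if base[:2] not in AFFECTED_MAJORS:
        return "not affected"
    needed = HOTFIXED.get(base)
    if needed is not None and hotfix >= needed:
        return "patched"
    if device.gp_gateway and device.telemetry:
        return "exposed"       # both preconditions present: patch, or disable telemetry
    return "not exposed"       # unpatched, but one precondition is absent

def triage(inventory):
    # Map device name -> status for a list of Device records.
    return {d.name: assess(d) for d in inventory}

# Constructed sample inventory (hypothetical names and settings, not real devices).
SAMPLE = [
    Device("fw-edge-1", "10.2.8-h2", True, True),    # exposed
    Device("fw-edge-2", "10.2.8-h3", True, True),    # patched
    Device("fw-dc-1", "11.1.2", True, False),        # not exposed (telemetry off)
    Device("fw-lab", "10.1.11", True, True),         # not affected major
]

if __name__ == "__main__":
    for name, status in triage(SAMPLE).items():
        print(f"{name}: {status}")
```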

How can Varonis help?

With Varonis Edge, customers can protect themselves and their network security by taking the following actions:

  • Monitor Varonis for alerts generated from Palo Alto infrastructure specifically or related service accounts 
  • Audit all activity originating from Palo Alto infrastructure to verify no abnormal device, user, or file access has occurred 
  • Monitor DNS requests originating from Palo Alto infrastructure to ensure no anomalous or suspicious requests have been generated 
  • Monitor Proxy events originating from Palo Alto infrastructure to ensure no anomalous or suspicious events have been generated 

If you have our network monitoring product and are using Varonis' cloud-hosted offering, our threat research team is proactively hunting for threats. They review your Varonis logs for suspicious activity and will contact you if needed.

If you are a Palo Alto Networks customer and want assistance hunting for IOCs in PAN-OS, please reach out to our team.
