
Palo Alto Networks PAN-OS Zero-Day Active Exploit: What You Need to Know

Palo Alto Networks issued a warning on April 12, 2024, that a critical, unpatched vulnerability in their PAN-OS firewall is being actively exploited.
Varonis Threat Labs
2 min read
Last updated April 16, 2024

Palo Alto Networks has warned that a critical, unpatched vulnerability in their PAN-OS firewall is being actively exploited.

CVE-2024-3400 is a critical (CVSS 10.0) vulnerability in Palo Alto Networks PAN-OS software. It affects firewalls running the PAN-OS 10.2, 11.0, and 11.1 release branches.

The flaw is a command injection in the GlobalProtect feature of PAN-OS that lets a remote, unauthenticated attacker execute arbitrary code with root privileges on the firewall. Exploitation requires no privileges and no user interaction.

CVE-2024-3400 does not affect cloud firewalls (Cloud NGFW), Panorama appliances, or Prisma Access. An overview of the impact can be seen in the table below:

[Table image in the original post: PAN-OS versions affected by CVE-2024-3400]

Palo Alto Networks initially estimated that fixes for PAN-OS 10.2, 11.0, 11.1, and all later PAN-OS versions would ship by April 14, 2024; the hotfixes that have since been released are listed further down in this post.

Is CVE-2024-3400 being actively exploited in the wild?

Yes, this CVE is being actively exploited. Initial exploitation, tracked as Operation Midnight Eclipse, has been attributed to a single threat actor.

There is high confidence that other threat actors will attempt exploitation in the future.

What does this mean for my organization?

If you are a Palo Alto Networks customer running PAN-OS, closely monitor your network for abnormal activity and investigate anything unexpected. A list of known IOCs associated with exploitation attempts and post-exploitation activity is available here. In the interim, Palo Alto Networks recommends the following mitigation measures:

  • Customers with an active Threat Prevention subscription can block attacks related to this vulnerability by enabling Threat ID 95187.
  • Additionally, ensure that the vulnerability protection profile is applied to the GlobalProtect interface so that the signature actually inspects traffic reaching the affected service.

If your organization is unable to apply the Threat Prevention mitigation, the original advisory offered an alternative, but it has since been withdrawn.

Palo Alto Networks initially stated that the vulnerability only exists when both a GlobalProtect gateway is configured (Network -> GlobalProtect -> Gateways) and device telemetry is enabled (Device -> Setup -> Telemetry), and that temporarily disabling device telemetry would mitigate it until the hotfix is applied. On April 16, 2024, Palo Alto Networks revised the advisory: device telemetry does not need to be enabled for a firewall to be exposed, so disabling telemetry is not an effective mitigation. Treat any firewall with a GlobalProtect gateway or portal configured as exposed until the hotfix for its release branch is installed.

As of April 16, 2024, Palo Alto Networks has begun issuing hotfixes to remediate this vulnerability for their various PAN-OS release versions. Check Palo Alto Networks Security Advisories to determine if a patch is available for your current PAN-OS version or an estimate for when a patch is expected if one is not yet available. 

Currently, hotfixes are available for the following versions: 

  • 10.2.9-h1 
  • 10.2.8-h3 
  • 10.2.7-h8 
  • 11.0.4-h1 
  • 11.1.2-h3
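Deciding whether a given firewall is already on a fixed build is a version-string comparison that is easy to get wrong by hand (10.2.7-h8 is fixed, 10.2.9 without a hotfix suffix is not). The script below is an added example, not Varonis or Palo Alto Networks code. It parses a PAN-OS version, classifies it against the hotfix builds listed above, and reads the version out of a `show system info` reply from the PAN-OS XML API. The fixed-build table reflects this post as of April 16, 2024; the hostname, API key handling, and the sample XML reply are constructed for the example.

```python
"""Classify a PAN-OS version string against the CVE-2024-3400 hotfixes.

Added example for this post; it is not Varonis or Palo Alto Networks code.
The FIXED table holds exactly the hotfix builds listed above as of
April 16, 2024.  Palo Alto Networks later published hotfixes for older
maintenance releases as well, so refresh FIXED from the current advisory
before trusting a "vulnerable" verdict for a build that is not listed here.
"""
import re
import xml.etree.ElementTree as ET

# (major, minor) branch -> (maintenance, hotfix) builds that first carry the fix.
FIXED = {
    (10, 2): [(9, 1), (8, 3), (7, 8)],   # 10.2.9-h1, 10.2.8-h3, 10.2.7-h8
    (11, 0): [(4, 1)],                   # 11.0.4-h1
    (11, 1): [(2, 3)],                   # 11.1.2-h3
}

VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:-h(\d+))?$")


def parse_version(text):
    """'10.2.7-h8' -> (10, 2, 7, 8); a build without a hotfix suffix gets 0."""
    m = VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognized PAN-OS version: {text!r}")
    major, minor, maint, hotfix = m.groups()
    return int(major), int(minor), int(maint), int(hotfix or 0)


def status(version):
    """Return 'not affected', 'fixed' or 'vulnerable' for one version string."""
    major, minor, maint, hotfix = parse_version(version)
    branch = (major, minor)
    if branch not in FIXED:
        # Only the 10.2, 11.0 and 11.1 branches are affected per the advisory.
        return "not affected"
    fixes = FIXED[branch]
    if maint > max(m for m, _ in fixes):
        # A maintenance release newer than every listed hotfix includes the fix.
        return "fixed"
    for fix_maint, fix_hotfix in fixes:
        if maint == fix_maint:
            return "fixed" if hotfix >= fix_hotfix else "vulnerable"
    # A maintenance release with no hotfix in the table (e.g. 10.2.6 here) is
    # reported vulnerable until the table is refreshed from the advisory.
    return "vulnerable"


def sw_version_from_response(xml_text):
    """Pull <sw-version> out of a PAN-OS XML API 'show system info' reply."""
    root = ET.fromstring(xml_text)
    if root.get("status") != "success":
        raise RuntimeError("API call failed: " + ET.tostring(root, encoding="unicode"))
    version = root.findtext(".//system/sw-version")
    if version is None:
        raise RuntimeError("no sw-version in response")
    return version


def fetch_sw_version(host, api_key):
    """Live lookup via the XML API (not exercised offline; host/key are yours).

    TLS is verified against the default CA store; if the firewall uses a
    private CA, pass a context that trusts it instead of disabling checks.
    """
    import ssl
    import urllib.parse
    import urllib.request
    cmd = "<show><system><info></info></system></show>"
    url = f"https://{host}/api/?type=op&cmd={urllib.parse.quote(cmd)}"
    req = urllib.request.Request(url, headers={"X-PAN-KEY": api_key})
    ctx = ssl.create_default_context()
    with urllib.request.urlopen(req, context=ctx, timeout=15) as resp:
        return sw_version_from_response(resp.read().decode("utf-8"))


# Constructed sample reply, trimmed to the fields this script reads.
SAMPLE_RESPONSE = """<response status="success"><result><system>
<hostname>fw-edge-01</hostname>
<sw-version>10.2.7-h3</sw-version>
<global-protect-client-package-version>6.2.0</global-protect-client-package-version>
</system></result></response>"""

if __name__ == "__main__":
    v = sw_version_from_response(SAMPLE_RESPONSE)
    print(f"{v}: {status(v)}")   # 10.2.7-h3: vulnerable
```

Run it against each firewall's `show system info` output (or the API reply) and patch anything that comes back `vulnerable`; a `not affected` verdict only means the branch is outside 10.2/11.0/11.1 according to the advisory, not that the device needs no attention.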

How can Varonis Help?

With Varonis Edge, customers can protect their network by taking the following actions:

  • Monitor Varonis alerts that involve Palo Alto infrastructure or its related service accounts.
  • Audit all activity originating from Palo Alto infrastructure to verify that no abnormal device, user, or file access has occurred.
  • Monitor DNS requests originating from Palo Alto infrastructure for anomalous or suspicious queries.
  • Monitor proxy events originating from Palo Alto infrastructure for anomalous or suspicious connections.
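The DNS and proxy checks above come down to one question: is the firewall's own management address talking to anything it does not normally talk to? The script below is an added example, not Varonis or Palo Alto Networks code; it applies a small destination baseline to firewall-sourced events and reports the exceptions. The log layout, addresses, and host names are constructed for the example, so adapt the field mapping to whatever your DNS and proxy sources actually emit.

```python
"""Baseline check for DNS and web traffic that the firewall itself originates.

Added example for this post, not Varonis or Palo Alto Networks code.  The log
format, IPs and host names are constructed; the point is the one made above:
requests from the firewall's own address to anything outside its known
update and resolver destinations deserve a look after an exposure window.
"""
import csv
import io

# Assumed environment: the firewall's management IP and its normal destinations.
FIREWALL_IPS = {"10.0.0.1"}
KNOWN_RESOLVERS = {"10.0.0.53"}
KNOWN_WEB_HOSTS = {"updates.paloaltonetworks.com", "wildfire.paloaltonetworks.com"}

# Constructed, simplified log lines: time, src, dst, app, queried name or host.
SAMPLE_LOG = """\
2024-04-13T02:11:05Z,10.0.0.1,10.0.0.53,dns,updates.paloaltonetworks.com
2024-04-13T02:11:06Z,10.0.0.1,198.51.100.10,ssl,updates.paloaltonetworks.com
2024-04-13T02:14:31Z,10.0.0.1,8.8.8.8,dns,cdn-lookup.example.invalid
2024-04-13T02:14:32Z,10.0.0.1,203.0.113.9,web-browsing,203.0.113.9
2024-04-13T02:15:00Z,10.1.4.22,10.0.0.53,dns,intranet.example
"""


def find_anomalies(log_text):
    """Return (timestamp, reason) for firewall-sourced events outside the baseline."""
    findings = []
    for ts, src, dst, app, name in csv.reader(io.StringIO(log_text)):
        if src not in FIREWALL_IPS:
            continue  # only traffic the firewall itself originates is in scope
        if app == "dns" and dst not in KNOWN_RESOLVERS:
            findings.append((ts, f"dns query for {name} sent to unexpected resolver {dst}"))
        elif app in ("web-browsing", "ssl") and name not in KNOWN_WEB_HOSTS:
            findings.append((ts, f"{app} to unexpected host {name} ({dst})"))
    return findings


if __name__ == "__main__":
    for ts, reason in find_anomalies(SAMPLE_LOG):
        print(ts, reason)
```

Two of the five constructed lines are flagged: the DNS query sent to a public resolver the firewall never uses, and the plain HTTP connection to a bare IP. Traffic from other hosts is ignored on purpose; this check is about the firewall as a client, not about traffic passing through it.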

If you have our network monitoring product and are using Varonis' cloud-hosted offering, our threat research team is proactively hunting for threats. They review your Varonis logs for suspicious activity and will contact you if needed.

If you are a Palo Alto Networks customer and want assistance hunting for IOCs in PAN-OS, please reach out to our team.
