Palo Alto Networks PAN-OS firewalls have faced a new wave of exploitation attempts following the disclosure of CVE-2024-3400 on April 12.
Unit 42, Palo Alto Networks’ threat intelligence team, updated its threat brief Friday to include information on the current scope of attacks targeting the critical command injection vulnerability.
The vulnerability, which lies in the PAN-OS GlobalProtect feature and has a maximum CVSS score of 10, originally came under attack as a zero-day by a suspected state-sponsored actor known as UTA0218, Volexity discovered.
Unit 42 now says it is aware of “an increasing number of attacks” following the publication of proof-of-concept exploits for CVE-2024-3400 last week. Additionally, attacks seemingly unrelated to the original UTA0218 campaign have been detected.
Meanwhile, approximately 6,200 GlobalProtect instances remained vulnerable to CVE-2024-3400 as of April 21, according to data from security organization Shadowserver. These instances were confirmed by Shadowserver to be vulnerable based on the “existence of files left behind by exploits.”
The PAN-OS GlobalProtect vulnerability was fixed with the releases of PAN-OS 10.2.9-h1, PAN-OS 11.0.4-h1 and PAN-OS 11.1.2-h3 on April 14. Additional hotfixes for commonly used maintenance releases were also rolled out between April 15 and April 18.
Palo Alto Networks said in a blog post Friday that Threat Prevention customers can use Threat IDs 95187, 95189 and 95191 to block attacks targeting the vulnerability with “100% accuracy,” and that 90% of susceptible PAN-OS devices are now protected.
The company previously said disabling telemetry was a mitigation for the vulnerability, but says this no longer guarantees protection due to the discovery of potential exploits that do not require telemetry to be enabled for a successful attack.
How CVE-2024-3400’s dual flaws enable command execution
Palo Alto Networks’ latest blog post revealed more information about the nature of CVE-2024-3400, specifically that exploiting it involves two stages chaining two flaws in the GlobalProtect feature.
The first flaw involves insufficient validation of session IDs, which allows an attacker to send a shell command instead of a valid session ID to GlobalProtect. An attacker can leverage this to create an empty file on the victim’s system that includes an embedded command as the file name.
The second flaw involves a scheduled cron job within GlobalProtect executing the file name command with elevated privileges. Palo Alto Networks fixed this bug by rewriting the code involved using defensive programming techniques.
The company noted that successful exploitation of the first bug does not necessarily result in command execution, as the empty file itself does not damage the firewall.
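The two defensive points in the description above, rejecting a session ID before it can become a file name and writing the privileged housekeeping job so that a file name is only ever data, can be shown in a small Python example. This is illustrative code added here for the article; it is not PAN-OS code and does not reproduce the GlobalProtect implementation. The hexadecimal session-ID format, the session directory layout and the sample file names are assumptions constructed for the example.

```python
import os
import re
import subprocess
import sys
import tempfile
from pathlib import Path

# Assumed allowlist for this example: a session ID is 32 to 64 lowercase hex
# characters. The real PAN-OS format is not documented on the page.
SESSION_ID_RE = re.compile(r"\A[0-9a-f]{32,64}\Z")


def is_valid_session_id(session_id: str) -> bool:
    """Accept only values matching the strict allowlist.

    Shell metacharacters, path separators, whitespace and empty strings all
    fail the pattern, so they are rejected before touching the filesystem.
    """
    return bool(SESSION_ID_RE.match(session_id))


def session_file_path(session_dir: Path, session_id: str) -> Path:
    """Build the on-disk path for a session, refusing unvalidated input."""
    if not is_valid_session_id(session_id):
        raise ValueError("rejected session id")
    return session_dir / session_id


def run_housekeeping_tool(entry: Path) -> str:
    """Invoke an external tool on a file the defensive way.

    The path is passed as a discrete argv element with shell=False, so any
    characters in the name are delivered verbatim and never interpreted by a
    shell. The child process here is Python itself, acting as a stand-in for
    whatever tool a real job would call, and it simply echoes the base name.
    """
    result = subprocess.run(
        [sys.executable, "-c",
         "import os, sys; print(os.path.basename(sys.argv[1]))",
         str(entry)],
        shell=False, capture_output=True, text=True, check=True,
    )
    return result.stdout.strip()


def process_session_files(session_dir: Path) -> tuple[list[str], list[str]]:
    """Scheduled job that walks the session directory.

    Every file name is re-validated against the same allowlist the front end
    uses. Names that pass are processed; names that fail are left untouched
    and returned separately so an operator can review them, which is also the
    kind of leftover-file check defenders use to spot exploitation attempts.
    """
    accepted, flagged = [], []
    for entry in sorted(session_dir.iterdir()):
        name = entry.name
        if not is_valid_session_id(name):
            flagged.append(name)
            continue
        run_housekeeping_tool(entry)
        accepted.append(name)
    return accepted, flagged


def build_sample_session_dir() -> Path:
    """Create a constructed sample directory: one valid ID, one bad name."""
    session_dir = Path(tempfile.mkdtemp(prefix="sessions_"))
    (session_dir / ("a" * 32)).touch()        # constructed valid session file
    (session_dir / "bad name;x").touch()      # constructed non-conforming name
    return session_dir


if __name__ == "__main__":
    sample = build_sample_session_dir()
    print(process_session_files(sample))
```

The front end and the scheduled job share one validator, so a value that slips past the first check cannot be promoted to a command by the second; the job also never builds a shell string from a name, which is the difference between a stray empty file and code execution.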
In its assessment of the current scope of attacks, Unit 42 noted the vast majority of attacks were unsuccessful exploitation attempts or successful creation of an empty file without command execution. A “very limited” number of detected attacks involved successful interactive command execution, the team said in its brief.
PoC exploits for CVE-2024-3400 were published by watchTowr and Rapid7 on April 16. Cybersecurity intelligence platform GreyNoise has detected 22 malicious IP addresses targeting the vulnerability since its disclosure, with the most unique IPs (11) detected on April 17.
The FAQ in Palo Alto Networks’ updated advisory provides a full list of affected and unaffected PAN-OS versions as well as information on how to check devices for exploit activity.