Palo Alto Networks, a leading cybersecurity firm, has begun releasing critical updates to address a severe zero-day vulnerability in its firewall operating system, PAN-OS. The vulnerability, identified as CVE-2024-3400, has been exploited by unauthenticated attackers to gain root access through command injection in the GlobalProtect gateway or portal when device telemetry is enabled.
Details of the Vulnerability and Affected Systems
The vulnerability affects PAN-OS versions 10.2, 11.0, and 11.1 and does not impact cloud firewalls (Cloud NGFW), Panorama appliances, or Prisma Access. Palo Alto Networks and its security intelligence team, Unit 42, have been actively collaborating with external researchers, partners, and customers to transparently and rapidly share information regarding the vulnerability.
Ongoing Malicious Exploitation and Security Responses
The initial exploitation of CVE-2024-3400, known as Operation MidnightEclipse, has prompted Palo Alto Networks to issue hotfixes for the impacted PAN-OS versions (specifically 10.2.9-h1, 11.0.4-h1, and 11.1.2-h3) and future maintenance releases. The exploitation activity included deployment of the UPSTYLE backdoor, which enabled attackers to breach networks and execute unauthorized commands.
Unit 42 Managed Threat Hunting and Incident Response
The Unit 42 Managed Threat Hunting team has deployed XQL queries to search for signs of exploitation across customer environments using Cortex XDR. This proactive measure helps to detect any ongoing unauthorized activities related to CVE-2024-3400 and provides insights into the scope of the attack.
Interim Guidance and Mitigation Measures
Until affected systems are updated with the hotfixes, Palo Alto Networks advises disabling device telemetry or, for customers with an active Threat Prevention subscription, enabling Threat ID 95187. This Threat ID blocks attacks when vulnerability protection is applied specifically to the GlobalProtect interface, preventing exploitation.
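The following triage script is an added example, not Palo Alto Networks or Netizen code: it compares an inventory of PAN-OS version strings against the hotfix versions named above, including the `-hN` hotfix suffix. Assumptions: only the three hotfixes listed in this article are treated as fixed baselines, so a hotfix issued for an older maintenance release would still be reported as needing an update, and the hostnames and versions in the sample inventory are constructed.

```python
import re

# Fixed baselines per feature release: the hotfixes named in this article.
FIXED = {"10.2": "10.2.9-h1", "11.0": "11.0.4-h1", "11.1": "11.1.2-h3"}
INTERIM = "disable device telemetry or enable Threat ID 95187 (Threat Prevention)"
_VERSION = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:-h(\d+))?$")

def parse(version):
    """Return (major, minor, maintenance, hotfix); a missing -hN counts as 0."""
    m = _VERSION.match(version.strip())
    if not m:
        raise ValueError(f"unrecognised PAN-OS version: {version!r}")
    return tuple(int(g or 0) for g in m.groups())

def triage(version):
    """Return (status, baseline) for one version string."""
    parsed = parse(version)
    baseline = FIXED.get(f"{parsed[0]}.{parsed[1]}")
    if baseline is None:
        return "not-listed", None  # release not named as affected in the article
    # Tuple comparison is numeric, so 10.2.10 > 10.2.9-h1 and 10.2.9 < 10.2.9-h1.
    status = "fixed" if parsed >= parse(baseline) else "needs-hotfix"
    return status, baseline

def report(inventory):
    """Map each hostname to (status, action) for a {hostname: version} dict."""
    out = {}
    for host, version in inventory.items():
        try:
            status, baseline = triage(version)
        except ValueError:
            out[host] = ("unknown", "check the version manually")
            continue
        action = {
            "needs-hotfix": f"upgrade to {baseline} or later; until then {INTERIM}",
            "fixed": "at or above the fixed baseline",
            "not-listed": "release not listed as affected in this article",
        }[status]
        out[host] = (status, action)
    return out

# Constructed sample inventory (hostnames and versions are made up).
SAMPLE = {"fw-edge-01": "10.2.9", "fw-edge-02": "10.2.10", "fw-dc-01": "11.1.2-h3",
          "fw-lab-01": "11.0.3-h12", "fw-old-01": "9.1.16", "fw-bad": "eleven"}

if __name__ == "__main__":
    for host, (status, action) in report(SAMPLE).items():
        print(f"{host:12} {status:13} {action}")
```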
Technical Details of CVE-2024-3400
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added CVE-2024-3400 to its Known Exploited Vulnerabilities (KEV) catalog, requiring federal agencies to apply the mitigation rule or disable telemetry by April 19th.
The vulnerability stems from a command injection flaw in the GlobalProtect feature of PAN-OS, allowing unauthenticated external attackers to run arbitrary code with root privileges. The CVSS 3.x score for this vulnerability is a critical 10.0, with a vector of CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H, indicating network exposure, low attack complexity, no privileges required, no user interaction, changed scope, and high impacts on confidentiality, integrity, and availability.
Conclusion and Ongoing Security Measures
Palo Alto Networks remains committed to safeguarding its customers against evolving cyber threats and will continue to update its security measures in response to new information regarding CVE-2024-3400. Customers are urged to monitor their systems for unusual activity and update their defenses in accordance with the latest advisories from Palo Alto Networks and other trusted security resources.
For immediate concerns, customers can contact the Unit 42 Incident Response team to assist with potential compromises or proactive security assessments, ensuring robust protection against this critical vulnerability and others.
Details and advisories regarding CVE-2024-3400 are available through Palo Alto Networks and third-party sources:
- Palo Alto Networks: CVE-2024-3400 Vendor Advisory
- Unit 42 Palo Alto Networks: Exploit Vendor Advisory
- Volexity: Third Party Advisory on Zero-Day Exploitation
How Can Netizen Help?
Netizen ensures that security gets built-in and not bolted-on. We provide advanced solutions to protect critical IT infrastructure, such as the popular “CISO-as-a-Service,” wherein companies can leverage the expertise of executive-level cybersecurity professionals without having to bear the cost of employing them full time.
We also offer compliance support, vulnerability assessments, penetration testing, and more security-related services for businesses of any size and type.
Additionally, Netizen offers an automated and affordable assessment tool that continuously scans systems, websites, applications, and networks to uncover issues. Vulnerability data is then securely analyzed and presented through an easy-to-interpret dashboard to yield actionable risk and compliance information for audiences ranging from IT professionals to executive managers.
Netizen is an ISO 27001:2013 (Information Security Management), ISO 9001:2015, and CMMI V 2.0 Level 3 certified company. We are a proud Service-Disabled Veteran-Owned Small Business that is recognized by the U.S. Department of Labor for hiring and retention of military veterans.
Questions or concerns? Feel free to reach out to us any time.