27.4.24 Vulnerebility The Hacker News
Palo Alto Networks Outlines Remediation for Critical PAN-OS Flaw Under Attack
27.4.24 Vulnerebility The Hacker News
Palo Alto Networks has shared remediation guidance for a recently disclosed critical security flaw impacting PAN-OS that has come under active exploitation.
The vulnerability, tracked as CVE-2024-3400 (CVSS score: 10.0), could be weaponized to obtain unauthenticated remote shell command execution on susceptible devices. It has been addressed in multiple versions of PAN-OS 10.2.x, 11.0.x, and 11.1.x.
There is evidence to suggest that the issue has been exploited as a zero-day since at least March 26, 2024, by a threat cluster tracked as UTA0218.
The activity, codenamed Operation MidnightEclipse, entails the use of the flaw to drop a Python-based backdoor called UPSTYLE that's capable of executing commands transmitted via specially crafted requests.
The intrusions have not been linked to a known threat actor or group, but it's suspected to be a state-backed hacking crew given the tradecraft and the victimology observed.
The latest remediation advice offered by Palo Alto Networks is based on the extent of compromise -
Level 0 Probe: Unsuccessful exploitation attempt - Update to the latest provided hotfix
Level 1 Test: Evidence of vulnerability being tested on the device, including the creation of an empty file on the firewall but no execution of unauthorized commands - Update to the latest provided hotfix
Level 2 Potential Exfiltration: Signs where files like "running_config.xml" are copied to a location that is accessible via web requests - Update to the latest provided hotfix and perform a Private Data Reset
Level 3 Interactive access: Evidence of interactive command execution, such as the introduction of backdoors and other malicious code - Update to the latest provided hotfix and perform a Factory Reset
"Performing a private data reset eliminates risks of potential misuse of device data," Palo Alto Networks said. "A factory reset is recommended due to evidence of more invasive threat actor activity."