FreeBuf.COM, the network security industry portal, publishes professional security information and technical analysis every day.
Since March 26, Palo Alto Networks firewall products have been under attack by suspected state-sponsored hackers. The company has now disclosed more details about the vulnerability the attackers exploited.
The vulnerability is tracked as CVE-2024-3400 with a CVSS score of 10, and it actually consists of two distinct flaws in the PAN-OS 10.2, PAN-OS 11.0 and PAN-OS 11.1 firewall software.
The first flaw is that the GlobalProtect service does not fully validate the session ID format before storing it. Chandan BN, senior director of product security at Palo Alto Networks, said this allows an attacker to store an empty file with a filename of their choice. The second flaw is that the filename is then used as part of a command.
Neither flaw is serious on its own, but combined they can lead to unauthenticated remote shell command execution.
Palo Alto Networks said the attackers who exploited the vulnerability as a zero-day carried out a two-stage attack in order to execute commands on vulnerable devices. The campaign, named Operation MidnightEclipse, involves sending a specially crafted request containing a command to be executed, which is then run through a backdoor named UPSTYLE.
In the first stage, the attacker sends a crafted shell command to GlobalProtect in place of a valid session ID, which causes an empty file to be created on the system whose name is the attacker's embedded command. In the second stage, a scheduled system job uses that attacker-supplied filename as part of a command, so the embedded command runs with elevated privileges.
This allows an attacker to weaponize and exploit the vulnerability even when telemetry is not enabled on the device.
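The two-flaw chain described above comes down to one missing input check and one unsafe command construction. The following Python is an added, hypothetical illustration of the defensive pattern, not Palo Alto Networks' code and not how PAN-OS or GlobalProtect is implemented: the session-ID format, the marker directory and the cleanup job are all assumptions made for the example. Stage one validates the session ID against a strict allow-list before anything touches the filesystem; stage two passes the filename as a single argv element so a shell never re-parses it.

```python
import os
import re
import subprocess
import tempfile

# Assumed session-ID format for this hypothetical service: exactly 32 lowercase
# hex characters. \A and \Z (rather than ^ and $) so a trailing newline cannot
# slip past the check.
SESSION_ID_RE = re.compile(r"\A[0-9a-f]{32}\Z")


def is_valid_session_id(session_id) -> bool:
    """Format check that must run before the ID is used as anything else."""
    return isinstance(session_id, str) and SESSION_ID_RE.fullmatch(session_id) is not None


def store_session_marker(session_dir: str, session_id: str) -> str:
    """Stage one: persist a per-session marker file.

    The weak pattern is writing session_dir/<session_id> with whatever the
    client sent. Here the ID is validated first, and the resulting path is
    re-checked to be a direct child of session_dir (defence in depth).
    """
    if not is_valid_session_id(session_id):
        raise ValueError("malformed session id rejected")
    path = os.path.join(session_dir, session_id)
    if os.path.dirname(os.path.abspath(path)) != os.path.abspath(session_dir):
        raise ValueError("session marker would escape the session directory")
    with open(path, "x"):  # create only; fail if it already exists
        pass
    return path


def build_cleanup_argv(marker_path: str) -> list:
    """Stage two: the command a scheduled job would run for one marker.

    Returning an argv list (run later with shell=False) makes the filename a
    single argument that is never interpreted by a shell. The "--" guards
    against a name beginning with "-" being read as an option.
    """
    return ["rm", "-f", "--", marker_path]


def run_cleanup(session_dir: str) -> list:
    """Remove every marker in session_dir and return the argv lists executed."""
    executed = []
    for name in sorted(os.listdir(session_dir)):
        argv = build_cleanup_argv(os.path.join(session_dir, name))
        subprocess.run(argv, check=True)  # shell=False is the default
        executed.append(argv)
    return executed


def demo() -> dict:
    """Exercise the checks on constructed inputs (not captured traffic)."""
    session_dir = tempfile.mkdtemp(prefix="sessions-")
    good = "0123456789abcdef0123456789abcdef"
    # Constructed malformed IDs: empty, path traversal, shell metacharacters,
    # trailing newline, wrong case. All must be rejected by the format check.
    bad_inputs = ["", "../marker", "abcd; echo hi", good + "\n", "A" * 32]
    rejected = [s for s in bad_inputs if not is_valid_session_id(s)]
    created = store_session_marker(session_dir, good)
    executed = run_cleanup(session_dir)
    return {
        "rejected": len(rejected),
        "created": os.path.basename(created),
        "executed": executed,
        "remaining": os.listdir(session_dir),
    }


if __name__ == "__main__":
    print(demo())
```

The point of the split is that each stage is safe on its own terms: even if the validator were bypassed, the job in stage two would still treat the name as data rather than as command text, and even if the job were written carelessly, the validator would keep metacharacters out of the filename in the first place.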
Palo Alto Networks has currently listed the following PAN-OS firewall versions that need to be patched:
- PAN-OS 10.2.9-h1
- PAN-OS 10.2.8-h3
- PAN-OS 10.2.7-h8
- PAN-OS 10.2.6-h3
- PAN-OS 10.2.5-h6
- PAN-OS 10.2.4-h16
- PAN-OS 10.2.3-h13
- PAN-OS 10.2.2-h5
- PAN-OS 10.2.1-h2
- PAN-OS 10.2.0-h3
- PAN-OS 11.0.4-h1
- PAN-OS 11.0.4-h2
- PAN-OS 11.0.3-h10
- PAN-OS 11.0.2-h4
- PAN-OS 11.0.1-h4
- PAN-OS 11.0.0-h3
- PAN-OS 11.1.2-h3
- PAN-OS 11.1.1-h1
- PAN-OS 11.1.0-h3
Given that CVE-2024-3400 is being actively exploited and proof-of-concept (PoC) exploit code is available, users are advised to patch as soon as possible to protect against potential threats.
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has also added the vulnerability to its Known Exploited Vulnerabilities (KEV) catalog, ordering federal agencies to secure their devices by April 19, 2024.
According to data shared by the Shadowserver Foundation, approximately 22,542 Internet-exposed firewall devices may be affected by this vulnerability. As of April 18, 2024, most of them are located in the United States, Japan, India, Germany, the United Kingdom, Canada, Australia, France, and China.
Reference source:
- Palo Alto Networks Discloses More Details on Critical PAN-OS Flaw Under Attack