Palo Alto Networks alerts of critical PAN-OS firewall software zero-day used in attacks
Take action: If you are using Palo Alto Networks PAN-OS firewall software, it is time to wake up your entire team, check every device to see whether its version is affected by the flaw, and start disabling telemetry on the devices. If possible, activate the other mitigation features, and apply the patches.
Learn More
Palo Alto Networks is warning of a critical actively exploited vulnerability in its PAN-OS firewall software. A command injection vulnerability tracked as CVE-2024-3400 (CVSS score 10) allows unauthenticated attackers to execute arbitrary commands with root privileges on vulnerable systems.
The flaw affects PAN-OS versions 10.2, 11.0, and 11.1 when both the GlobalProtect gateway and device telemetry features are enabled. Cloud NGFW, Panorama appliances, and Prisma Access, as well as PAN-OS versions 10.1 and lower, are not affected.
Palo Alto Networks plans to release patches for these versions by April 14, 2024. In the meantime, it recommends:
- Disabling device telemetry. Once upgraded, device telemetry should be re-enabled on the device.
- Enabling vulnerability protection on 'GlobalProtect Interfaces'.
- If users have an active 'Threat Prevention' subscription, blocking the attacks by activating 'Threat ID 95187' on their system.
Exploitation activities were initially observed on April 10, with earlier unsuccessful attempts indicating that the attackers were testing the vulnerability from March 26. The attacks have escalated, with attackers deploying additional tools for lateral movement within networks, targeting credentials, and attempting to steal sensitive information.
Threat researcher Yutaka Sejiyama reported that he estimates there are 82,000 exposed devices online that may be vulnerable to CVE-2024-3400.
The Cybersecurity and Infrastructure Security Agency (CISA) has set a patching deadline for federal agencies, which means this is a very serious issue.
Update - as of 15 April 2024, Palo Alto has started releasing hotfixes for the zero-day vulnerability.
This issue is fixed in hotfix releases of PAN-OS 10.2.9-h1, PAN-OS 11.0.4-h1, PAN-OS 11.1.2-h3, and in all later PAN-OS versions. Hotfixes for other commonly deployed maintenance releases will also be made available to address this issue. Please see details below for ETAs regarding the upcoming hotfixes.
PAN-OS 10.2:
- 10.2.9-h1 (Released 4/14/24)
- 10.2.8-h3 (ETA: 4/15/24)
- 10.2.7-h8 (ETA: 4/15/24)
- 10.2.6-h3 (ETA: 4/15/24)
- 10.2.5-h6 (ETA: 4/16/24)
- 10.2.3-h13 (ETA: 4/17/24)
- 10.2.1-h2 (ETA: 4/17/24)
- 10.2.2-h5 (ETA: 4/18/24)
- 10.2.0-h3 (ETA: 4/18/24)
- 10.2.4-h16 (ETA: 4/19/24)
PAN-OS 11.0:
- 11.0.4-h1 (Released 4/14/24)
- 11.0.3-h10 (ETA: 4/15/24)
- 11.0.2-h4 (ETA: 4/16/24)
- 11.0.1-h4 (ETA: 4/17/24)
- 11.0.0-h3 (ETA: 4/18/24)
PAN-OS 11.1:
- 11.1.2-h3 (Released 4/14/24)
- 11.1.1-h1 (ETA: 4/16/24)
- 11.1.0-h3 (ETA: 4/17/24)
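To make the "check all devices" step above concrete, here is an added example (not part of the advisory and not Palo Alto Networks' own tooling) that encodes the hotfix table above and classifies a constructed device inventory: a device is flagged when its version is below the fixed hotfix for its maintenance release, and "exposed" when it additionally has both the GlobalProtect gateway and device telemetry enabled. The inventory format (hostname, version string, two feature flags) is an assumption; in practice, feed it from your own asset records.

```python
import re
# Minimum fixed hotfix per maintenance release, from the advisory's hotfix list above:
# {(major, minor): {patch: hotfix}}
FIXED_HOTFIX = {
    (10, 2): {0: 3, 1: 2, 2: 5, 3: 13, 4: 16, 5: 6, 6: 3, 7: 8, 8: 3, 9: 1},
    (11, 0): {0: 3, 1: 4, 2: 4, 3: 10, 4: 1},
    (11, 1): {0: 3, 1: 1, 2: 3},
}
_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:-h(\d+))?$")

def parse_version(text):
    """'MAJOR.MINOR.PATCH[-hN]' -> (major, minor, patch, hotfix); hotfix is 0 when absent."""
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised PAN-OS version string: {text!r}")
    return tuple(int(g or 0) for g in m.groups())

def version_status(text):
    """Return 'not_affected', 'fixed' or 'vulnerable' for one PAN-OS version string."""
    major, minor, patch, hotfix = parse_version(text)
    train = FIXED_HOTFIX.get((major, minor))
    if train is None:  # 10.1 and lower are not affected; newer trains are "later versions"
        return "not_affected" if (major, minor) < (10, 2) else "fixed"
    if patch > max(train):  # maintenance release newer than any listed hotfix
        return "fixed"
    if patch not in train:  # no hotfix listed for this release: treat conservatively
        return "vulnerable"
    return "fixed" if hotfix >= train[patch] else "vulnerable"

def triage(inventory):
    """Map hostname -> status; 'exposed' = vulnerable version with both GlobalProtect
    gateway and device telemetry enabled, the advisory's conditions for exploitability."""
    report = {}
    for host, version, gp_gateway, telemetry in inventory:
        status = version_status(version)
        report[host] = "exposed" if status == "vulnerable" and gp_gateway and telemetry else status
    return report

# Constructed sample inventory: (hostname, PAN-OS version, GlobalProtect gateway on, telemetry on)
SAMPLE_INVENTORY = [
    ("fw-edge-01", "10.2.9-h1", True, True),  # fixed hotfix
    ("fw-edge-02", "10.2.8", True, True),     # below 10.2.8-h3 with both features: exposed
    ("fw-dc-01", "11.0.3-h9", True, False),   # below 11.0.3-h10 but telemetry off: vulnerable
    ("fw-lab-01", "11.1.3", True, True),      # later than 11.1.2-h3: fixed
    ("fw-old-01", "10.1.11", True, True),     # 10.1 train: not affected
]
if __name__ == "__main__":
    for host, status in triage(SAMPLE_INVENTORY).items():
        print(f"{host}: {status}")
```

Devices reported as "vulnerable" still need the hotfix even though telemetry is off; the distinction only helps order the patch queue.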
As of 14th of April 2024, Palo Alto Networks has released patches for all versions of PAN-OS. They advise that if customers detect potential data exfiltration, such as the copying of files like 'running_config.xml' to web-accessible locations, they should update PAN-OS and conduct a private data reset to prevent misuse of device data.
In the most severe cases where there is evidence of interactive command execution by an attacker, companies should perform a factory reset along with the PAN-OS update to eliminate any backdoors or stop further data theft. However, Palo Alto warns that both the private data reset and factory reset could eliminate forensic evidence needed for further investigation.