Palo Alto firewalls: Public exploits, rising attacks, ineffective mitigation
UPDATE: April 30, 09:30 AM ET
New story:
Palo Alto firewalls: CVE-2024-3400 exploitation and PoCs for persistence after resets/upgrades
While it initially seemed that protecting Palo Alto Network firewalls from attacks leveraging CVE-2024-3400 would be possible by disabling the devices’ telemetry, it has now been confirmed that this mitigation is ineffectual.
“Device telemetry does not need to be enabled for PAN-OS firewalls to be exposed to attacks related to this vulnerability,” Palo Alto Networks noted on Tuesday, and said they are aware of an “increasing number of attacks that leverage the exploitation of this vulnerability.”
New findings
Last Friday, Palo Alto Networks warned about CVE-2024-3400 – a critical zero-day command injection vulnerability in its firewalls running PAN-OS v10.2, 11.0, and 11.1 with the configurations for both GlobalProtect gateway and device telemetry enabled – being exploited by well-resourced threat actors to install a backdoor and use the obtained access to move laterally in target organizations’ networks.
At the time, the company said that until hotfixes are ready, customers could mitigate the threat of exploitation by enabling specific threat signatures and disabling device telemetry.
Hotfixes started getting released on Sunday, but Palo Alto Networks confirmed on Tuesday that the latter mitigation is no longer effective.
On Wednesday, the company released new threat signatures and shared a CLI command customers can used to identify indicators of exploit activity on the device.
They also reiterated that firewalls with those specific PAN-OS versions are vulnerable if configured with GlobalProtect gateway or GlobalProtect portal (or both).
Attacks leveraging CVE-2024-3400 are escalating
On Tuesday, WatchTowr Labs released their analysis of the vulnerability and a proof-of-concept exploit, and an actively leveraged exploit has been shared by TrustedSec CTO Justin Elze.
Greynoise has started seeing exploit attempts.
Palo Alto Network customers running vulnerable firewalls should implement hotfixes as soon as possible and check for indicators of compromise.
“If you discover that your Palo Alto Network GlobalProtect firewall device is compromised, it is important to take immediate action. Make sure to not wipe or rebuild the appliance. Collecting logs, generating a tech support file, and preserving forensics artifacts (memory and disk) from the device are crucial,” Volexity researchers have advised.
But even if you find no indicators of compromise, it’s a good idea to perform these actions before applying the hotfix.
UPDATE (April 18, 2024, 09:30 a.m. ET):
“Rapid7’s analysis of this vulnerability has identified that the exploit is in fact an exploit chain, consisting of two distinct vulnerabilities: an arbitrary file creation vulnerability in the GlobalProtect web server, for which no discrete CVE has been assigned, and a command injection vulnerability in the device telemetry feature, designated as CVE-2024-3400,” Rapid7 noted.
“If device telemetry is disabled, it is still possible to leverage the file creation vulnerability; at time of writing, however, Rapid7 has not identified an alternative way to leverage the file creation vulnerability for successful exploitation. Our analysis also found that when device telemetry is enabled, a device certificate must be installed for device telemetry to successfully transmit telemetry data back to Palo Alto Networks. This transmission of data functionality is where the command injection vulnerability lies, and in our testing, the command injection vulnerability could not be triggered without a valid device certificate installed.”