Dive Brief:
- Palo Alto Networks and security researchers said a growing number of attackers are targeting a command injection vulnerability in the PAN-OS operating system, which powers the security vendor’s firewall products.
- “Palo Alto Networks is aware of an increasing number of attacks that leverage the exploitation of this vulnerability,” the company’s Unit 42 threat intelligence team said in a Tuesday update on its original threat brief. The vendor hasn’t disclosed how many devices are actively exploited, but said it observed 20 additional IP addresses attempting to exploit CVE-2024-3400.
- Since releasing the initial advisory on Friday, the company expanded the range of PAN-OS versions that are impacted by the CVE and retracted a secondary mitigation action. “Disabling telemetry is no longer an effective mitigation. Device telemetry does not need to be enabled for PAN-OS firewalls to be exposed to attacks related to this vulnerability,” the company said in an update.
Dive Insight:
The expanded set of Palo Alto Networks devices affected by the vulnerability, and the accelerated pace of attempted exploits and attacks, followed the public disclosure of proofs of concept for the CVE by multiple third parties.
More than 156,000 instances of affected Palo Alto Networks devices are publicly connected to the internet and potentially exposed to exploits, according to Shadowserver Foundation data. It’s unknown how many of those devices are patched.
CVE-2024-3400 allows an unauthenticated attacker to execute arbitrary code with root privileges and impacts the GlobalProtect gateway or portal VPN feature on some PAN-OS devices. The Cybersecurity and Infrastructure Security Agency added CVE-2024-3400 to its known exploited vulnerabilities catalog on Friday.
Palo Alto Networks assigned the vulnerability a CVSS score of 10, the maximum severity. The company issued initial patches for some of the impacted devices Sunday and plans to release patches for older affected PAN-OS versions Thursday and Friday.
“Upon learning of the vulnerability, we immediately notified affected customers and informed them of a hotfix that fully addresses the issue,” a Palo Alto Networks spokesperson said via email. “We strongly recommend customers apply it as soon as possible.”
Rapid7 researchers tested the patch on PAN-OS 10.2.9, one of the affected versions of the OS, and it successfully prevented exploitation, said Caitlin Condon, director of vulnerability intelligence at Rapid7. The firm has not observed active exploitation of the vulnerability in real-world environments.
Threat intelligence firm Volexity, which initially discovered the zero-day exploits on April 10, later determined successful exploitation across multiple customer environments began as early as March 26.
Palo Alto Networks attributed the zero-day exploits to a nation-state affiliated group it identifies as Operation MidnightEclipse, but there’s no clear link between that group and the IP addresses and other indicators associated with additional exploit attempts, the company said.
The exploit is also linked to a second, yet-to-be-designated vulnerability, according to Rapid7 research.
“Rapid7’s analysis of this vulnerability has identified that the exploit is in fact an exploit chain, consisting of two distinct vulnerabilities: an arbitrary file creation vulnerability in the GlobalProtect web server, for which no discrete CVE has been assigned, and a command injection vulnerability in the device telemetry feature, designated as CVE-2024-3400,” Rapid7 researchers said in a Tuesday blog post.
GreyNoise researchers said they made a similar discovery Wednesday and concluded, “exploitation of CVE-2024-3400 is only possible with the utilization of the currently untracked CVE vulnerabilities that allow for directory traversal and arbitrary filename write.”
GreyNoise data shows three attempted exploits of CVE-2024-3400 on Tuesday and 11 exploit attempts on Thursday.
The exploits and resulting exposure mark yet another string of attacks targeting network devices and security hardware in enterprise environments. Financially motivated and nation-state-linked attackers widely exploited vulnerabilities in devices sold by Citrix, Ivanti and Barracuda during the last year.