Updated April 15, 15:50 BST.
A full-fat CVSS 10 vulnerability in Palo Alto Networks PAN-OS lets a remote and unauthenticated attacker get root privileges on the firewall.
The Palo Alto Networks vulnerability has been allocated CVE-2024-3400. It has been reported exploited in the wild at “multiple customers" – with attackers deploying novel Python-based backdoors after the attack.
As of April 15, over 40,000 boxes appeared to be publicly exposed and detailed analysis of the vulnerability, if not a full POC, was starting to emerge.
The vulnerability affects PAN-OS 10.2, 11.0 and 11.1 firewalls with the configurations for both GlobalProtect gateway and device telemetry enabled, Palo Alto Networks said on April 12.
"Specific PAN-OS versions and distinct feature configurations of firewall VMs deployed and managed by customers in the cloud are impacted" it added.
Fixes starting landing on April 14.
CVE-2024-3400 was identified by security firm Volexity, which said attackers are using Palo Alto Networks' firewalls "as an entry point to move laterally within the victim organizations." Successful exploitation "at multiple other customers and organizations" dates back to March 26, it said.
See also: The slow demise of the VPN? 5 lessons from DoD's Zero Trust framework
Volexity’s President Steven Adair posted on X on April 12: “We have seen limited exploitation but impact at multiple customers."
His security researchers added: "In one instance of successful compromise, a highly privileged service account used by the Palo Alto Networks firewall device was used by the attacker to pivot into the internal network via SMB and WinRM. The targeted data included the Active Directory database (ntds.dit), key data (DPAPI) and Windows event logs (Microsoft-Windows-TerminalServices-LocalSessionManager%4Operational.evtx).
"In addition to Windows-related data, the attacker also stole Login Data, Cookies, and Local State data for Chrome and Microsoft Edge from specific targets. With this data, the attacker was able to grab the browser master key and decrypt sensitive data, such as stored credentials."
Volexity has more details here and YARA rules here.
A quick mitigation for CVE-2024-3400 is “temporarily disabling device telemetry until the device is upgraded to a fixed PAN-OS version,” Palo Alto Networks said.
“Customers with a Threat Prevention subscription can block attacks for this vulnerability by enabling Threat ID 95187,” it added. Guidance here.
