A critical zero-day vulnerability in Palo Alto Networks' PAN-OS firewall software has received an emergency fix following active exploitation. The vulnerability lets an attacker execute arbitrary code on vulnerable devices under specific conditions. Given the active exploitation of the flaw, users must update their devices with the hotfixes without delay to prevent the threat.
Palo Alto Fixed Actively Exploited PAN-OS Zero-Day Vulnerability
Earlier this week, Palo Alto Networks warned users about a critical-severity vulnerability that it classified as a zero-day. The vulnerability affects Palo Alto PAN-OS firewalls, putting thousands of vulnerable systems and the organizations using them at risk.
Specifically, the vulnerability, CVE-2024-3400, grants an adversary root access if exploited under specific configurations. It impacts PAN-OS 10.2, PAN-OS 11.0, and PAN-OS 11.1 firewalls configured with a GlobalProtect gateway, a GlobalProtect portal, or both. Exploiting the flaw allows an unauthenticated attacker to execute code on the device.
Palo Alto Networks confirmed that the Cloud NGFW, Panorama appliances, and Prisma Access devices remain unaffected by the flaw. The tech giant has shared a detailed list of the affected and unaffected devices in its advisory.
This vulnerability first caught the attention of security researchers from Volexity, who traced exploitation of the zero-day in the wild back to March 2024. Palo Alto Networks patched the vulnerability with these hotfixes for the vulnerable software versions: PAN-OS 10.2.9-h1, PAN-OS 11.0.4-h1, PAN-OS 11.1.2-h3, and later.
While Palo Alto Networks initially recommended disabling device telemetry as a secondary mitigation, it later clarified that this mitigation does not work. Hence, applying the hotfixes is the only viable option for users to protect their systems.
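To turn the version and configuration conditions described above into a fleet check, here is an added Python example (not Palo Alto Networks' or Volexity's code). It assumes PAN-OS version strings of the form MAJOR.MINOR.MAINT[-hN] and encodes only the three hotfix baselines the article lists; the vendor advisory carries hotfixes for other maintenance releases, which this check does not model.

```python
"""Triage PAN-OS firewalls against CVE-2024-3400 using the facts stated in the article:
affected trains 10.2, 11.0 and 11.1; first fixed releases 10.2.9-h1, 11.0.4-h1 and
11.1.2-h3 (and later within each train); only devices with a GlobalProtect gateway
or portal configured are exposed. Added example, not vendor code."""
import re
from typing import Dict, Iterable, Tuple

# First fixed release per affected train, taken from the article (assumption: these
# are the only baselines modelled; other maintenance releases have their own hotfixes).
FIRST_FIXED = {
    (10, 2): "10.2.9-h1",
    (11, 0): "11.0.4-h1",
    (11, 1): "11.1.2-h3",
}

_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:-h(\d+))?$")


def parse_panos_version(version: str) -> Tuple[int, int, int, int]:
    """Parse 'MAJOR.MINOR.MAINT[-hN]' into a comparable tuple; no '-h' suffix means h0."""
    m = _VERSION_RE.match(version.strip())
    if not m:
        raise ValueError(f"unrecognised PAN-OS version string: {version!r}")
    major, minor, maint, hotfix = m.groups()
    return (int(major), int(minor), int(maint), int(hotfix or 0))


def assess(version: str, globalprotect_enabled: bool) -> str:
    """Return 'not-affected-train', 'not-exposed-by-config', 'vulnerable' or 'patched'.

    'not-exposed-by-config' still means the device runs an affected train and should be
    patched; it is only not reachable through the GlobalProtect condition.
    """
    parsed = parse_panos_version(version)
    train = parsed[:2]
    if train not in FIRST_FIXED:
        return "not-affected-train"
    if not globalprotect_enabled:
        return "not-exposed-by-config"
    # Tuple comparison handles 'and later': 10.2.10 (h0) sorts after 10.2.9-h1.
    if parsed >= parse_panos_version(FIRST_FIXED[train]):
        return "patched"
    return "vulnerable"


def triage_inventory(inventory: Iterable[Tuple[str, str, bool]]) -> Dict[str, str]:
    """Map hostname -> status for rows of (hostname, version, globalprotect_enabled)."""
    return {host: assess(ver, gp) for host, ver, gp in inventory}


# Constructed sample inventory for illustration only.
SAMPLE_INVENTORY = [
    ("fw-edge-1", "10.2.9", True),      # hotfix baseline not yet applied
    ("fw-edge-2", "11.1.2-h3", True),   # exactly the fixed release
    ("fw-lab", "11.0.3", False),        # affected train, no GlobalProtect configured
    ("fw-old", "10.1.11", True),        # train not listed as affected
]

if __name__ == "__main__":
    for host, status in triage_inventory(SAMPLE_INVENTORY).items():
        print(f"{host}: {status}")
```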
PoC Exploits Deployed Publicly
While the vulnerability initially emerged as a zero-day, the situation became more serious once PoC exploits started appearing publicly online. Public exploit code further endangers unpatched devices by increasing the spread and frequency of malicious exploitation and large-scale attacks.
Shortly after the emergency patches were released, watchTowr Labs published their PoC exploit, emphasizing the need for swift device patching. Then, TrustedSec CTO Justin Elze shared another exploit, which he had observed in the wild, via an X post.
Since it's out there now, this is what I caught in the wild: CVE-2024-3400
GET /global-protect/login.esp HTTP/1.1 Host: X User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.93 Safari/537.36 Accept-Encoding: gzip, deflate, br…
— Justin Elze (@HackingLZ) April 16, 2024
Given the availability of these PoC exploits, organizations can now quickly check their own systems for the vulnerability. At the same time, users must update vulnerable devices as soon as possible.
Let us know your thoughts in the comments.