A recent discovery, on April 10 2024, by a research group has identified zero-day exploitation of a vulnerability found within the GlobalProtect feature of Palo Alto Networks PAN-OS at one of its network security monitoring (NSM) customers, recently published by CISA in CISA KEV. Check this article on the details for CVE-2024-3400 and how to track remediation.
The threat actor, exploiting the vulnerability, now named under the alias UTA0218, was able to remotely exploit the firewall device, create a reverse shell, and download further tools onto the device. This is an entry point for future exploitation and penetration of the network.
Image timeline AI generated
Despite being present in CISA and not in KEV the vulnerability is currently unpatched. Patches are expected to be available by Sunday, April 14, 2024.
Note: Palo Alto Networks customers are only vulnerable if they are using PAN-OS 10.2, PAN-OS 11.0, and/or PAN-OS 11.1 firewalls with the configurations for both GlobalProtect gateway and device telemetry enabled.
CISA in CISA KEV has promptly released a statement: https://www.cisa.gov/news-events/alerts/2024/04/12/palo-alto-networks-releases-guidance-vulnerability-pan-os-cve-2024-3400
Get a free assessment and remediation guidance
Patch/Fix CVE-2024-3400 for Palo Alto
Palo Alto releases a patch for PAN-OS 10.2.9-h1, PAN-OS 11.0.4-h1, PAN-OS 11.1.2-h3, and in all later PAN-OS versions.
Hotfixes for other commonly deployed maintenance releases will also be available to address this issue. Please see the details below for ETAs regarding the upcoming hotfixes.PAN-OS 10.2:
- 10.2.9-h1 (Released 4/14/24)- 10.2.8-h3 (ETA: 4/15/24)- 10.2.7-h8 (ETA: 4/15/24)- 10.2.6-h3 (ETA: 4/15/24)- 10.2.5-h6 (ETA: 4/16/24)- 10.2.3-h13 (ETA: 4/17/24)- 10.2.1-h2 (ETA: 4/17/24)- 10.2.2-h5 (ETA: 4/18/24)- 10.2.0-h3 (ETA: 4/18/24)- 10.2.4-h16 (ETA: 4/19/24)PAN-OS 11.0:- 11.0.4-h1 (Released 4/14/24)- 11.0.3-h10 (ETA: 4/15/24)- 11.0.2-h4 (ETA: 4/16/24)- 11.0.1-h4 (ETA: 4/17/24)- 11.0.0-h3 (ETA: 4/18/24)PAN-OS 11.1:- 11.1.2-h3 (Released 4/14/24)- 11.1.1-h1 (ETA: 4/16/24)- 11.1.0-h3 (ETA: 4/17/24)
Workaround for CVE-2024-3400 by Palo Alto
OPT 1 – Enable threat prevention
Palo Alto customer that have Threat Prevention subscriptions can block attacks for this vulnerability by enabling Threat ID 95187 (introduced in Applications and Threats content version 8833-8682).
After enabling Threat ID 95187, ensure that vulnerability protection has been applied to their GlobalProtect interface to prevent exploitation of this issue on their device. https://live.paloaltonetworks.com/t5/globalprotect-articles/applying-vulnerability-protection-to-globalprotect-interfaces/ta-p/340184 for more information.
If you are unable to apply the Threat Prevention based mitigation at this time, you can still mitigate the impact of this vulnerability by temporarily disabling device telemetry until the device is upgraded to a fixed PAN-OS version. Once upgraded, device telemetry should be re-enabled on the device.
Option 2 – Disable the feature
Understanding CVE-2024-3400 and exploitation analysis
CVE-2024-3400 represents a critical unauthenticated remote code execution flaw impacting GlobalProtect within select versions of Palo Alto Networks’ PAN-OS. This command injection vulnerability demands no special conditions for execution, offering a low-barrier route and operating with root-level privileges, the highest access within a system.
Distribution of palo alto potentially vulnerable firewalls
This severe vulnerability allows attackers to execute arbitrary code with root privileges without requiring user interaction or any authentication, earning it a CVSS score of 10.0—indicating its critical nature. As per the timeline and IoC, there is evidence of exploitation even if the EPSS values are still low and there is no mass evidence of exploitation. Currently, there are 514K Palo Alto firewalls globally exposed with presence from United States, India and China
To get the latest update, those are the strings to search
Shodan (41,662): http.html_hash:-1303565546
Censys (41,163): services.http.response.body_hash=”sha1:28f1cf539f855fff3400f6199f8912908f51e1e1″
The current distribution might include several honeypots.
- United States17,062
- United Kingdom1,583
- Canada1,445
- Germany1,434
- India1,178
Currently, there is evidence of exploitation at scale with new appliance being discovered
Check out the following for full details : https://dashboard.shadowserver.org/statistics/iot-devices/map/?day=2024-04-15&vendor=palo+alto+networks&model=globalprotect&geo=all&data_set=count&scale=log
Exploit Details and Detection Challenges of CVE-2024-3400
The exploit for CVE-2024-3400 operates through a straightforward XML RPC request that embeds malicious code within an XML tag, specifically
<cmd code="ping">OS command exploit is there</cmd>
This attack method underscores the need for robust API security, campaign management and injection remediation as defence in depth techniques. This vulnerability can circumvent traditional defenses like Web Application Firewalls (WAF) and Intrusion Prevention Systems (IPS) through sophisticated XML obfuscation techniques.
For entities deploying Palo Alto Networks’ PAN-OS, it’s essential to understand that while interactions with the /api endpoint may be visible in system logs, the exploit’s payload hidden within the XML body remains unlogged in standard access.log or other log files. This gap highlights the vital importance of integrating a specialized API security solution to monitor and safeguard these entry points effectively.
Given the intricate nature of these security challenges, network administrators must expand their monitoring to include a comprehensive analysis of all API traffic, with a particular emphasis on XML data, which might not usually be recorded. Adopting an advanced API security system is imperative to provide the enhanced level of oversight necessary to identify and neutralize such concealed exploits efficiently. This approach not only strengthens security protocols but also bolsters your organization’s defence against increasingly sophisticated cyber threats.
Credit Volexity exploitation
GitHub’s Response to CVE-2024-3400 exploits
Aside from the direct evidence of exploitation for CVE-2024-3400, GitHub has actively started to remove repositories containing exploits and proof-of-concept (POC) code related to this vulnerability. An example of such swift action can be seen with the removal of one of the first exploits published for this issue, available at https://github.com/DrewskyDev/CVE-2024-3400, which was uploaded on April 12th. Despite GitHub’s efforts to curb the spread of this exploit, numerous other resources and platforms have already distributed this POC, indicating rapid dissemination across the cyber community.
Evidence of Exploitation for CVE-2024-3400
Evidence from security firms like Volexity has shown active exploitation of CVE-2024-3400. Attackers have been observed deploying a custom Python backdoor known as UPSTYLE and utilizing the vulnerability to establish a reverse shell, exfiltrate sensitive data, and move laterally within networks. The existence of zero-byte files on compromised devices serves as an initial indicator of exploitation, highlighting the attackers’ attempts to test and validate their access.
YARA Rules for Detection CVE-2024-3400
The cybersecurity community has developed YARA rules to aid in the detection of CVE-2024-3400 exploits. These rules are designed to scan systems for signs of the UPSTYLE backdoor and other malicious artifacts associated with the exploitation. For instance, a YARA rule may look for specific binary patterns or metadata within files that match the characteristics of the malware used in the attacks.
Scheduling Campaigns for CVE-2024-3400
Unified Vulnerability management (UVM) and/or Cyber Attack Surface management platforms (CTEM) like the ASPM platform enable organizations to schedule regular scanning campaigns focusing on specific vulnerabilities like CVE-2024-3400. These campaigns are designed to detect any attempts to exploit the vulnerability, ensuring that all systems are consistently monitored and protected. By leveraging these scheduled campaigns, organizations can proactively manage their security posture, adapting to new threats as they arise.
Indicator of Compromise for CVE-2024-3400
| Name(s) | update.py |
| Size | 5.1KB (5187 Bytes) |
| File Type | text/plain |
| MD5 | 0c1554888ce9ed0da1583dbdf7b31651 |
| SHA1 | 988fc0d23e6e30c2c46ccec9bbff50b7453b8ba9 |
| SHA256 | 3de2a4392b8715bad070b2ae12243f166ead37830f7c6d24e778985927f9caac |
| VirusTotal First Submitted | N/A |
Yara rules and another indicator of compromise are available at CVE-2024-3400
How Phoenix Security ASPM and UVM Can Help Identify and schedule a campaign for CVE-2024-3400 Palo alto critical vulnerability
Phoenix Security helps organizations identify and trace which systems are compromised with vulnerabilities, understanding the relation between code and the cloud. The complexity of this vulnerability derives from the widespread of implementation as well as 3rd party suppliers that might be affected by it. Unified Vulnerability Management and ASPM tools can scan the application portfolio to identify instances of vulnerable Linux and which version is exploitable, mapping out where it is deployed across the organization.
Phoenix campaigns in ASPM and in the Unified Vulnerability Management UVM module allow you to address CVE-2024-3400 in bulk with other.
Import vulnerabilities or scan your system externally, leveraging the ASPM and UVM external attack surface to pinpoint all instances of the affected PAN-OS versions—10.2, 11.0, and 11.1. Its deep integration capabilities enable it to interface seamlessly with existing network architecture, providing a comprehensive audit of systems using the GlobalProtect gateway with device telemetry features enabled.
Prioritizing Exposed Systems:
With the inherent capability to assess exposure levels, Phoenix prioritizes remediation efforts based on risk and exposure. More exposed systems—such as those facing the internet or containing sensitive data—are bumped up in the remediation queue, ensuring that the most vulnerable assets are secured first.
Prioritize and Structure Remediation Campaign addressing CVE-2024-3400 in bulk.
Streamlined Remediation:
Tracking Remediation:
Phoenix’s real-time ASPM and UVM dashboard offers organizations a bird’s-eye view of the remediation process. It tracks the progress of patch deployments and the status of applied workarounds, ensuring that IT teams are informed at every step. Phoenix’s granular reporting enables organizations to monitor which systems are secured and which still require attention.
