Zero-day exploited right now in Palo Alto Networks' GlobalProtect gateways

Palo Alto Networks on Friday issued a critical alert for an under-attack vulnerability in the PAN-OS software used in its firewall-slash-VPN products.

The command-injection flaw, with an unwelcome top CVSS severity score of 10 out of 10, may let an unauthenticated attacker execute remote code with root privileges on an affected gateway, which to put it mildly is not ideal. It can, essentially, be exploited to take complete control of equipment and drill into victims' networks.

Updates to fully fix this severe hole are due to arrive by Sunday, April 14, we're told.

CVE-2024-3400 affects PAN-OS 10.2, PAN-OS 11.0 and PAN-OS 11.1 firewall configurations with a GlobalProtect gateway and device telemetry enabled.

Cloud firewalls, Panorama appliances, and Prisma Access are not affected, Palo Alto says.

Zero-day exploitation of this vulnerability was detected on Wednesday by cybersecurity shop Volexity, on a firewall it was monitoring for a client. After an investigation determined that the firewall had been compromised, the firm saw another customer get hit by the same intruder on Thursday.

"The threat actor, which Volexity tracks under the alias UTA0218, was able to remotely exploit the firewall device, create a reverse shell, and download further tools onto the device," the networks security management firm said in a blog post.

"The attacker focused on exporting configuration data from the devices, and then leveraging it as an entry point to move laterally within the victim organizations."

The intrusion, which begins as an attempt to install a custom Python backdoor on the firewall, appears to date back at least to March 26, 2024.

• Miscreants are exploiting enterprise tech zero days more and more, Google warns
• Mozilla fixes $100,000 Firefox zero-days following two-day hackathon
• Microsoft squashes SmartScreen security bypass bug exploited in the wild
• Ivanti commits to secure-by-design overhaul after vulnerability nightmare

Palo Alto Networks refers to the exploitation of this vulnerability as Operation MidnightEclipse, which at least is more evocative than the alphanumeric jumble UTA0218. The firewall maker says while the vulnerability is being actively exploited, only a single individual appears to be doing so at this point.

According to Volexity, "The initial persistence mechanism setup by UTA0218 involved configuring a cron job that would use wget to retrieve a payload from an attacker-controlled URL with its output being written to stdout and piped to bash for execution. The attacker used this method to deploy and execute specific commands and download reverse proxy tooling such as GOST (GO Simple Tunnel)."

Asked to comment, Palo Alto Networks said, "Our top priority is our customers' security. Upon notification of the vulnerability, we immediately provided mitigations and will provide a permanent fix shortly. We are actively notifying customers and strongly encourage them to implement the mitigations and hotfix as soon as possible."

Those mitigations include applying a GlobalProtect-specific vulnerability protection, if you're subscribed to Palo Alto's Threat Prevention service, or "temporarily disabling device telemetry until the device is upgraded to a fixed PAN-OS version. Once upgraded, device telemetry should be re-enabled on the device."

It urged customers to follow the above security advisory and thanked the Volexity researchers for alerting the company and sharing its findings. ®