Siemens Working on Fix for Device Affected by Palo Alto Firewall Bug
Growing attacks targeting the flaw prompted CISA to include it in the known exploited vulnerabilities catalog earlier this month.
Siemens is urging organizations using its Ruggedcom APE1808 devices configured with Palo Alto Networks (PAN) Virtual NGFW to implement workarounds for a maximum-severity zero-day bug that PAN recently disclosed in its next-gen firewall product.
The command injection vulnerability, identified as CVE-2024-3400, affects multiple versions of PAN-OS firewalls when certain features are enabled on them. An attacker has been exploiting the flaw to deploy a novel Python backdoor on affected firewalls.
Actively Exploited
PAN patched the flaw after researchers from Volexity discovered the vulnerability and reported it to the security vendor earlier this month. The US Cybersecurity and Infrastructure Security Agency (CISA) added CVE-2024-3400 to its catalog of known exploited vulnerabilities following reports of multiple groups attacking the flaw.
Palo Alto Networks itself has said it is aware of a growing number of attacks leveraging CVE-2024-3400 and has warned about proof-of-concept code for the flaw being publicly available.
According to Siemens, its Ruggedcom APE1808 product — commonly deployed as edge devices in industrial control environments — is vulnerable to the issue. Siemens described all versions of the product with PAN Virtual NGFW configured with the GlobalProtect gateway or GlobalProtect portal — or both — as affected by the vulnerability.
In an advisory, Siemens said it is working on updates for the bug and recommended specific countermeasures that customers should take in the meantime to mitigate risk. The measures include using specific threat IDs that PAN has released to block attacks targeting the vulnerability. Siemens’ advisory pointed to PAN’s recommendation to disable GlobalProtect gateway and GlobalProtect portal, and reminded customers that the features are already disabled by default in Ruggedcom APE1808 deployment environments.
PAN initially also recommended organizations disable device telemetry to protect against attacks targeting the flaw. The security vendor later withdrew that advice, citing ineffectiveness. “Device telemetry does not need to be enabled for PAN-OS firewalls to be exposed to attacks related to this vulnerability,” the company noted.
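The two paragraphs above give the exposure condition Siemens uses (a GlobalProtect gateway or portal configured) and the one PAN withdrew (device telemetry). The following audit script is an added example, not code from Siemens or Palo Alto Networks; it assumes a PAN-OS XML export lays out GlobalProtect under vsys as global-protect-gateway/entry and global-protect-portal/entry, and the sample configs are constructed.

```python
"""Audit a PAN-OS XML configuration export for the condition Siemens lists as
affected on Ruggedcom APE1808 with PAN Virtual NGFW: a GlobalProtect gateway
or GlobalProtect portal (or both) configured. The element layout assumed here
(vsys/global-protect/global-protect-gateway/entry, global-protect-portal/entry)
is an assumption about the export format, not taken from either advisory."""
import xml.etree.ElementTree as ET


def configured_entries(root: ET.Element, node_name: str) -> list:
    """Return the names of <entry> children under every <node_name> element."""
    names = []
    for node in root.iter(node_name):
        for entry in node.findall("entry"):
            names.append(entry.get("name", "<unnamed>"))
    return names


def assess_exposure(config_xml: str) -> dict:
    """Report whether the export matches the affected configuration."""
    root = ET.fromstring(config_xml)
    gateways = configured_entries(root, "global-protect-gateway")
    portals = configured_entries(root, "global-protect-portal")
    # Device telemetry is deliberately not consulted: PAN withdrew the advice
    # that disabling it protects against this vulnerability.
    affected = bool(gateways or portals)
    return {
        "gateways": gateways,
        "portals": portals,
        "affected": affected,
        "workaround": ("disable GlobalProtect gateway/portal or apply the PAN "
                       "threat IDs until the Siemens update ships")
                      if affected else "none needed: features not configured",
    }


# Constructed sample exports (not real device configurations).
EXPOSED_CONFIG = """<config><devices><entry name="localhost.localdomain"><vsys>
<entry name="vsys1"><global-protect>
<global-protect-gateway><entry name="gp-gw-remote"/></global-protect-gateway>
<global-protect-portal/>
</global-protect></entry></vsys></entry></devices></config>"""

DEFAULT_CONFIG = """<config><devices><entry name="localhost.localdomain"><vsys>
<entry name="vsys1"><global-protect/></entry></vsys></entry></devices></config>"""

if __name__ == "__main__":
    for label, cfg in (("exposed", EXPOSED_CONFIG), ("default", DEFAULT_CONFIG)):
        print(label, assess_exposure(cfg))
```

The default sample mirrors the Siemens note that both features are disabled by default in Ruggedcom APE1808 deployments, so it reports no exposure.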
Siemens urged customers, as a general rule, to protect network access to devices in industrial control environments with appropriate mechanisms, saying, “In order to operate the devices in a protected IT environment, Siemens recommends to configure the environment according to Siemens’ operational guidelines for Industrial Security.”
The Shadowserver Foundation, which monitors the Internet for threat-related traffic, identified some 5,850 vulnerable instances of PAN’s NGFW exposed and accessible over the Internet as of April 22. Some 2,360 of the vulnerable instances appear to be located in North America; Asia accounted for the next highest number, with around 1,800 exposed instances.
Internet-Exposed Devices Remain a Critical Risk for ICS/OT
It’s unclear how many of those exposed instances are in industrial control system (ICS) and operational technology (OT) settings. But generally, Internet exposure continues to be a major issue in ICS and OT environments. A new investigation by Forescout uncovered nearly 110,000 Internet-facing ICS and OT systems worldwide. The US led the way, accounting for 27% of the exposed instances. However, that number was significantly lower compared with a few years ago. In contrast, Forescout found a sharp increase in the number of Internet-exposed ICS/OT equipment in other countries, including Spain, Italy, France, Germany, and Russia.
“Opportunistic attackers are increasingly abusing this exposure at scale — sometimes with a very lax targeting rationale driven by trends, such as current events, copycat behavior, or the emergencies found in new, off-the-shelf capabilities or hacking guides,” Forescout said. The security vendor assessed that the exposure had to do at least in part with systems integrators delivering packaged bundles with components in them that inadvertently expose ICS and OT systems to the Internet. “In all likeliness,” Forescout said, “most asset owners are unaware these packaged units contain exposed OT devices.”
About the Author(s)
Jai Vijayan is a seasoned technology reporter with over 20 years of experience in IT trade journalism. He was most recently a Senior Editor at Computerworld, where he covered information security and data privacy issues for the publication. Over the course of his 20-year career at Computerworld, Jai also covered a variety of other technology topics, including big data, Hadoop, Internet of Things, e-voting, and data analytics. Prior to Computerworld, Jai covered technology issues for The Economic Times in Bangalore, India. Jai has a Master’s degree in Statistics and lives in Naperville, Ill.