Palo Alto Patches 0-Day (CVE-2024-3400) Exploited by Python Backdoor

Palo Alto Networks issues critical patches for a zero-day vulnerability (CVE-2024-3400) in their PAN-OS firewalls. Exploited by attackers to deploy Python backdoors, this flaw grants root access. Update immediately!

In a race against time, Palo Alto Networks has released patches for a critical 0-day (or zero-day) vulnerability (CVE-2024-3400) that threatened to leave firewalls exposed to cyberattacks.

According to Palo Alto Networks’ security advisory, the vulnerability was found in its PAN-OS operating system’s GlobalProtect functionality, related to the way it handled device telemetry data.

An attacker could exploit this flaw by crafting a malicious payload disguised as telemetry data. Once processed by the firewall, the payload could execute arbitrary code with root privileges, essentially giving the attacker complete control over the device.

****Which Devices Are Vulnerable?****

Appliances with GlobalProtect and device telemetry enabled are declared vulnerable. The Shodan search engine for exposed Internet of Things (IoT) devices reveals approximately 41,336 potentially impacted internet-exposed appliances of Palo Alto Networks.

SecurityWeek reports that several organizations have already fallen victim to targeting, with certain attackers endeavouring to deploy Upstyle, a fresh Python backdoor.

****Possible Dangers****

Like any other security vulnerability, this one also lets hackers exploit and establish backdoors, launch lateral attacks, steal sensitive data, and disrupt network operations. Threat actors can also create persistent access points, use the compromised firewall as a springboard, and gain access to confidential information.

Additionally, it may allow hackers to take full control of the firewall’s functionality, potentially leading to network outages or traffic manipulation.

****Detection and Patching:****

The good news is that the vulnerability was identified and patched relatively quickly. Security firm Volexity first detected the exploit in use in late March 2024, observing a threat actor UTA0218 remotely exploiting a firewall device.

The researchers also observed how the threat actor created a reverse shell, downloading additional tools, and exporting configuration data to use it as an entry point for lateral movement. Volexity swiftly alerted Palo Alto Networks, which issued security alerts and hotfixes to address the vulnerability for PAN-OS versions 10.2, 11.0, and 11.1.

Palo Alto Networks suggests that if customers can’t implement the Threat Prevention-based mitigation immediately, you can still reduce the impact of the vulnerability by temporarily turning off device telemetry until the device is updated to a PAN-OS version that addresses the issue.

“If you are unable to apply the Threat Prevention based mitigation at this time, you can still mitigate the impact of this vulnerability by temporarily disabling device telemetry until the device is upgraded to a fixed PAN-OS version. Once upgraded, device telemetry should be re-enabled on the device. If the firewalls are managed by Panorama, ensure that device telemetry is disabled in relevant templates (Panorama > Templates).”

Palo Alto Networks

****Who Was Behind the Attacks?****

As per Volexity’s blog post, the zero-day exploit was highly sophisticated and targeted specific configurations, suggesting a well-resourced state-sponsored attacker with a clear target in mind could be involved.

Initial attribution attempts point towards Lazarus Group, a notorious hacking group believed to be affiliated with North Korea and BianLian, which targets critical infrastructure organizations. Nevertheless, Palo Alto Networks has urged all users to update their PAN-OS software immediately.

1. Hackers dump login data of Fortinet VPN users in plain-text
2. Private details of Palo Alto Networks employees leaked online
3. Cisco Fixes High-Severity Code Execution, VPN Hijacking Flaws