Palo Alto Networks has shared remediation steering for a not too long ago disclosed essential safety flaw impacting PAN-OS that has come beneath energetic exploitation.
The vulnerability, tracked as CVE-2024-3400 (CVSS rating: 10.0), might be weaponized to acquire unauthenticated distant shell command execution on prone units. It has been addressed in a number of variations of PAN-OS 10.2.x, 11.0.x, and 11.1.x.
There may be proof to counsel that the problem has been exploited as a zero-day since at the least March 26, 2024, by a menace cluster tracked as UTA0218.
The exercise, codenamed Operation MidnightEclipse, entails the usage of the flaw to drop a Python-based backdoor referred to as UPSTYLE that is able to executing instructions transmitted through specifically crafted requests.
The intrusions haven’t been linked to a identified menace actor or group, but it surely’s suspected to be a state-backed hacking crew given the tradecraft and the victimology noticed.
The newest remediation recommendation supplied by Palo Alto Networks relies on the extent of compromise –
- Stage 0 Probe: Unsuccessful exploitation try – Replace to the most recent offered hotfix
- Stage 1 Check: Proof of vulnerability being examined on the gadget, together with the creation of an empty file on the firewall however no execution of unauthorized instructions – Replace to the most recent offered hotfix
- Stage 2 Potential Exfiltration: Indicators the place recordsdata like “running_config.xml” are copied to a location that’s accessible through internet requests – Replace to the most recent offered hotfix and carry out a Personal Knowledge Reset
- Stage 3 Interactive entry: Proof of interactive command execution, such because the introduction of backdoors and different malicious code – Replace to the most recent offered hotfix and carry out a Manufacturing facility Reset
“Performing a personal knowledge reset eliminates dangers of potential misuse of gadget knowledge,” Palo Alto Networks mentioned. “A manufacturing facility reset is really useful resulting from proof of extra invasive menace actor exercise.”
