On April 12, 2024, Palo Alto Networks published a security advisory detailing an actively exploited, maximum-severity vulnerability (CVE-2024-3400, CVSS 10.0) in the GlobalProtect feature of PAN-OS. The advisory lists PAN-OS 10.2, PAN-OS 11.0, and PAN-OS 11.1 firewalls as affected, and at publication stated that a firewall is exposed only when both a GlobalProtect gateway and device telemetry are enabled. Palo Alto Networks later revised that condition: device telemetry does not need to be enabled, and a configured GlobalProtect gateway or portal is sufficient, so any unpatched firewall in those release lines that serves GlobalProtect should be treated as exposed. An unauthenticated remote attacker can exploit the vulnerability to execute arbitrary code with root privileges on the firewall.
CVE-2024-3400 does not affect Cloud NGFW, Panorama appliances, or Prisma Access, nor other PAN-OS release lines. At the time of the advisory, Palo Alto Networks was still developing hotfixes for the affected releases, which it expected to publish by April 14, 2024; in the meantime it provided recommended actions and workarounds (such as applying the vendor-supplied Threat Prevention signature) to reduce exposure until the fix can be installed.
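A practitioner's first job after an advisory like this is to find which firewalls in the estate actually meet the exposure conditions. The script below is an added example, not code from the page or from Palo Alto Networks: it parses PAN-OS version strings (including the `-hN` hotfix suffix), checks each firewall against the affected release lines named above, and buckets the inventory by status. The fixed-version table holds the initial hotfixes Palo Alto Networks published on April 14, 2024 (10.2.9-h1, 11.0.4-h1, 11.1.2-h3), which the page above does not list; later advisory updates added further fixed maintenance releases, so the table should be refreshed from the current advisory. The exposure test follows the revised advisory (GlobalProtect gateway or portal configured, telemetry irrelevant). The `Firewall` fields and the sample inventory are assumptions about what a CMDB export would contain, not real hosts.

```python
"""Triage a PAN-OS inventory against the CVE-2024-3400 advisory conditions.

Added example; version table and exposure rule are taken from the vendor
advisory as updated after April 14, 2024, not from the page this sits on.
"""
import re
from dataclasses import dataclass

# Release lines named as affected in the April 12, 2024 advisory.
AFFECTED_LINES = {"10.2", "11.0", "11.1"}

# Initial hotfix releases published April 14, 2024 (not stated on the page).
# Later advisory updates added further fixed maintenance releases; extend this
# table from the current advisory before relying on it.
FIXED_VERSIONS = {
    "10.2": "10.2.9-h1",
    "11.0": "11.0.4-h1",
    "11.1": "11.1.2-h3",
}

_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:-h(\d+))?$")


def parse_version(text: str) -> tuple:
    """Turn '10.2.9-h1' into (10, 2, 9, 1); a missing hotfix suffix counts as h0."""
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised PAN-OS version: {text!r}")
    major, minor, maint, hotfix = m.groups()
    return int(major), int(minor), int(maint), int(hotfix or 0)


@dataclass
class Firewall:
    """One inventory row. Field names are assumptions about your own export."""
    name: str
    version: str
    globalprotect_gateway: bool
    globalprotect_portal: bool


def assess(fw: Firewall) -> str:
    """Classify one firewall: not_affected, patched, exposed or vulnerable_build."""
    major, minor, _, _ = parse_version(fw.version)
    line = f"{major}.{minor}"
    if line not in AFFECTED_LINES:
        return "not_affected"
    # Tuple comparison orders 10.2.9 < 10.2.9-h1 < 10.2.10 as the vendor does.
    if parse_version(fw.version) >= parse_version(FIXED_VERSIONS[line]):
        return "patched"
    if fw.globalprotect_gateway or fw.globalprotect_portal:
        return "exposed"
    # Vulnerable code is present but nothing reachable serves GlobalProtect.
    return "vulnerable_build"


def triage(inventory) -> dict:
    """Group an inventory by status so the exposed set can be patched first."""
    buckets = {"exposed": [], "vulnerable_build": [], "patched": [], "not_affected": []}
    for fw in inventory:
        buckets[assess(fw)].append(fw.name)
    return buckets


# Constructed sample inventory (hypothetical hosts, not real data).
SAMPLE_INVENTORY = [
    Firewall("edge-fw-01", "10.2.9", True, True),
    Firewall("edge-fw-02", "11.1.2-h3", True, True),
    Firewall("dc-fw-03", "11.0.3", False, False),
    Firewall("lab-fw-04", "9.1.17", True, False),
]

if __name__ == "__main__":
    for status, names in triage(SAMPLE_INVENTORY).items():
        print(f"{status:17} {', '.join(names) or '-'}")
```

Firewalls in the `vulnerable_build` bucket still need the hotfix: the condition only lowers their priority, and a GlobalProtect gateway can be enabled at any time.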
The vulnerability was discovered being exploited as a zero-day by Volexity, which tracks the threat actor as UTA0218 and observed it installing a custom Python backdoor named UPSTYLE on compromised firewalls. After the initial compromise, the actor downloaded additional tooling from remote servers under its own control onto the firewalls and used that foothold to pivot into victims' internal networks, moving laterally to extract sensitive credentials and files.
Notably, this is not the first time threat actors have targeted GlobalProtect; a similar pre-authentication vulnerability (CVE-2019-1579) was exploited in 2019. Given its widespread use for remote access to corporate networks globally, GlobalProtect remains an enticing target for threat actors.