Palo Alto Networks Reveals Further Information About Critical PAN-OS Vulnerability Being Exploited


Critical Exploitation of PAN-OS Security Flaw by Malicious Actors

In a recent report, Palo Alto Networks disclosed a critical security flaw in PAN-OS software that is being actively exploited by cybercriminals. The vulnerability, tracked as CVE-2024-3400 with a CVSS score of 10.0, is a sophisticated combination of two bugs affecting PAN-OS versions 10.2, 11.0, and 11.1.

According to Chandan B. N., a senior director at Palo Alto Networks, the first bug allowed attackers to store an empty file with a chosen filename, while the second bug used these filenames to execute commands. When exploited together, these bugs could lead to unauthenticated remote shell command execution.

The threat actor behind the exploitation, identified as UTA0218, conducted a two-stage attack named Operation MidnightEclipse. They utilized a backdoor called UPSTYLE to run specially crafted commands on vulnerable devices.

Palo Alto Networks has released patches for the flaw in several commonly deployed maintenance releases to mitigate the threat. However, recent findings from Bishop Fox revealed that the flaw could be weaponized without requiring telemetry to be enabled on a device.

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has listed the vulnerability in its Known Exploited Vulnerabilities catalog, urging federal agencies to secure their devices promptly. The Shadowserver Foundation also highlighted that approximately 22,542 internet-exposed firewall devices are at risk, with a majority located in the U.S., Japan, India, Germany, the U.K., Canada, Australia, France, and China.

Users are advised to apply the provided hotfixes immediately to protect their systems from potential threats. Stay tuned for more updates on this evolving cybersecurity issue.
