Security News > 2024 > April > Palo Alto firewalls: Public exploits, rising attacks, ineffective mitigation
While it initially seemed that protecting Palo Alto Network firewalls from attacks leveraging CVE-2024-3400 would be possible by disabling the devices' telemetry, it has now been comfirmed that this mitigation is ineffectual.
"Device telemetry does not need to be enabled for PAN-OS firewalls to be exposed to attacks related to this vulnerability," Palo Alto Networks noted on Tuesday, and said they are aware of an "Increasing number of attacks that leverage the exploitation of this vulnerability."
Last Friday, Palo Alto Networks warned about CVE-2024-3400 - a critical zero-day command injection vulnerability in its firewalls running PAN-OS v10.2, 11.0, and 11.1 with the configurations for both GlobalProtect gateway and device telemetry enabled - being exploited by well-resourced threat actors to install a backdoor and use the obtained access to move laterally in target organizations' networks.
Hotfixes started getting released on Sunday, but Palo Alto Networks confirmed on Tuesday that the latter mitigation is no longer effective.
Palo Alto Network customers running vulnerable firewalls should implement hotfixes as soon as possible and check for indicators of compromise.
"If you discover that your Palo Alto Network GlobalProtect firewall device is compromised, it is important to take immediate action. Make sure to not wipe or rebuild the appliance. Collecting logs, generating a tech support file, and preserving forensics artifacts from the device are crucial," Volexity researchers have advised.
News URL
https://www.helpnetsecurity.com/2024/04/17/cve-2024-3400-attacks/
Related news
- Palo Alto Networks firewalls, Expedition under attack (CVE-2024-9463, CVE-2024-9465) (source)
- Mystery Palo Alto Networks hijack-my-firewall zero-day now officially under exploit (source)
- Palo Alto Networks patches two firewall zero-days used in attacks (source)
- 1000s of Palo Alto Networks firewalls hijacked as miscreants exploit critical hole (source)
- VEILDrive Attack Exploits Microsoft Services to Evade Detection and Distribute Malware (source)
- CISA warns of critical Palo Alto Networks bug exploited in attacks (source)
- New Ymir Ransomware Exploits Memory for Stealthy Attacks; Targets Corporate Networks (source)
- CISA warns of more Palo Alto Networks bugs exploited in attacks (source)
- CISA Flags Two Actively Exploited Palo Alto Flaws; New RCE Attack Confirmed (source)
- Palo Alto Networks warns of critical RCE zero-day exploited in attacks (source)
Related Vulnerability
DATE | CVE | VULNERABILITY TITLE | RISK |
---|---|---|---|
2024-04-12 | CVE-2024-3400 | Command Injection vulnerability in Paloaltonetworks Pan-Os A command injection as a result of arbitrary file creation vulnerability in the GlobalProtect feature of Palo Alto Networks PAN-OS software for specific PAN-OS versions and distinct feature configurations may enable an unauthenticated attacker to execute arbitrary code with root privileges on the firewall. Cloud NGFW, Panorama appliances, and Prisma Access are not impacted by this vulnerability. | 10.0 |