Palo Alto Networks released additional details about CVE-2024-3400: the fact that it is a combination of two bugs in PAN-OS; how an attacker was exploiting it; how disabling telemetry initially worked; and how they fixed it. The timeline from discovery to remediation encompasses the whole blog post. Overall a comprehensive after-action review from a company that notified the public almost immediately of an exploited zero-day. 🔗https://www.paloaltonetworks.com/blog/2024/04/more-on-the-pan-os-cve/

#CVE_2024_3400 #PaloAltoNetworks #zeroday #activeexploitation #eitw #kev #KnownExploitedVulnerabilitiesCatalog #vulnerability #ProofofConcept #PANOS #IOC

Zscaler observed exploitation of the Palo Alto Networks PAN-OS command injection zero-day vulnerability CVE-2024-3400 following the release of the PoC exploit code. Zscaler provides an attack flow diagram, and a technical analysis of the Upstyle backdoor and its layers. IOC provided. 🔗 https://www.zscaler.com/blogs/security-research/look-cve-2024-3400-activity-and-upstyle-backdoor-technical-analysis

#CVE_2024_3400 #PaloAltoNetworks #zeroday #activeexploitation #eitw #kev #KnownExploitedVulnerabilitiesCatalog #vulnerability #ProofofConcept #threatintel #IOC

TrustedSec CTO Justin Elze shared CVE-2024-3400 exploit in the wild on Twitter yesterday, reports that 149.28.194.95 was attempting to exploit CVE-2024-3400

#CVE_2024_3400 #PaloAltoNetworks #zeroday #activeexploitation #eitw #kev #KnownExploitedVulnerabilitiesCatalog #vulnerability #ProofofConcept #threatintel #IOC

In case you missed it, Palo Alto Networks updated their security advisory in terms of product and mitigation guidance, exploit status, and PAN-OS fix availability: 🔗 https://security.paloaltonetworks.com/CVE-2024-3400

• Exploitation status: Proof of concepts for this vulnerability have been publicly disclosed by third parties.
• Workarounds and mitigations: In earlier versions of this advisory, disabling device telemetry was listed as a secondary mitigation action. Disabling device telemetry is no longer an effective mitigation. Device telemetry does not need to be enabled for PAN-OS firewalls to be exposed to attacks related to this vulnerability.
• Solution:
  • - 10.2.6-h3 (Released 4/16/24)
  • - 11.0.3-h10 (Released 4/16/24)
  • - 11.0.2-h4 (Released 4/16/24)
  • - 11.1.0-h3 (Released 4/16/24)

#CVE_2024_3400 #PaloAltoNetworks #zeroday #activeexploitation #eitw #kev #KnownExploitedVulnerabilitiesCatalog #vulnerability #ProofofConcept

watchTowr may have successfully replicated CVE-2024-3400 (10.0 critical, disclosed 12 April 2024 by Palo Alto Networks as an exploited zero-day, CWE-77: Command Injection; OS Command Injection Vulnerability in GlobalProtect Gateway, added to CISA KEV Catalog). Instead of releasing a Proof of Concept, they provided a "detection artefact generator tool" 🔗 https://labs.watchtowr.com/palo-alto-putting-the-protecc-in-globalprotect-cve-2024-3400/

#CVE_2024_3400 #PaloAltoNetworks #zeroday #activeexploitation #eitw #kev #KnownExploitedVulnerabilitiesCatalog #vulnerability #threatintel #IOC

@jullrich of SANS ISC warns that the widely shared GitHub exploit is almost certainly fake (cc: @mttaggart ) and two IP addresses were attempting CVE-2024-3400 exploitation: 173.255.223.159 and 146.70.192.174 🔗 https://isc.sans.edu/diary/rss/30838

#CVE_2024_3400 #PaloAltoNetworks #zeroday #activeexploitation #eitw #kev #KnownExploitedVulnerabilitiesCatalog #vulnerability #threatintel #IOC

Happy hotfix day from Palo Alto Networks who released 3 hotfixes for CVE-2024-3400 (10.0 critical, disclosed 12 April 2024 as an exploited zero-day) with 15 more hotfixes expected in the coming days: 🔗 https://security.paloaltonetworks.com/CVE-2024-3400

• PAN-OS 10.2:
  • 10.2.9-h1 (Released 14 April)
  • 10.2.8-h3 (Released 15 April)
  • 10.2.7-h8 (Released 15 April)
  • 10.2.6-h3 (Released 16 April)
  • 10.2.5-h6 (Released 16 April)
  • 10.2.3-h13 (Released 18 April)
  • 10.2.1-h2 (Released 18 April)
  • 10.2.2-h5 (Released 18 April)
  • 10.2.0-h3 (Released 18 April)
  • 10.2.4-h16 (Released 18 April)
• PAN-OS 11.0:
  • 11.0.4-h1 (Released 14 April)
  • 11.0.4-h2 (Released 17 April)
  • 11.0.3-h10 (Released: 16 April)
  • 11.0.2-h4 (Released 16 April)
  • 11.0.1-h4 (Released 18 April)
  • 11.0.0-h3 (Released 18 April)
• PAN-OS 11.1:
  • 11.1.2-h3 (Released 14 April)
  • 11.1.1-h1 (Released 16 April)
  • 11.1.0-h3 (Released: 16 April)

#CVE_2024_3400 #PaloAltoNetworks #zeroday #activeexploitation #eitw #kev #KnownExploitedVulnerabilitiesCatalog #vulnerability #threatintel #IOC

It should come as no surprise that Palo Alto Networks did not release hotfixes* for affected versions of PAN-OS 10.2, PAN-OS 11.0, and PAN-OS 11 by the self-imposed deadline of Sunday 14 April 2024 like they estimated in their security advisory. 48 hours to develop/test/release is a tight delivery window with the whole infosec community breathing down their necks.

EDIT: A hotfix is now available for select affected versions of PAN-OS: https://security.paloaltonetworks.com/CVE-2024-3400

#CVE_2024_3400 #PaloAltoNetworks #zeroday #activeexploitation #eitw #kev #KnownExploitedVulnerabilitiesCatalog #vulnerability #threatintel #IOC

CISA put out an additional security alert about CVE-2024-3400, noting that Palo Alto Networks released workaround guidance for the command injection vulnerability. 🔗 https://www.cisa.gov/news-events/alerts/2024/04/12/palo-alto-networks-releases-guidance-vulnerability-pan-os-cve-2024-3400

#CVE_2024_3400 #PaloAltoNetworks #zeroday #activeexploitation #eitw #kev #KnownExploitedVulnerabilitiesCatalog #vulnerability #CISA

Just to make it easier to read through the various reports (saying almost the same exact thing), I've assembled a Palo Alto Networks zero-day MEGA list:

• Palo Alto Networks security advisory: CVE-2024-3400 PAN-OS: OS Command Injection Vulnerability in GlobalProtect Gateway

UPDATE: Volexity and Unit 42 talk about the threat actor, campaign, and include indicators of compromise:

• Volexity: Zero-Day Exploitation of Unauthenticated Remote Code Execution Vulnerability in GlobalProtect (CVE-2024-3400)
• Unit 42: Threat Brief: Operation MidnightEclipse, Post-Exploitation Activity Related to CVE-2024-3400

Here's the rest of the related reporting:

• Zscaler: Another CVE (PAN-OS Zero Day), Another Reason to Consider Zero Trust
• The Register: Zero-day exploited right now in Palo Alto Networks' GlobalProtect gateways
• Bleeping Computer:
• Palo Alto Networks warns of PAN-OS firewall zero-day used in attacks
• (update) Palo Alto Networks zero-day exploited since March to backdoor firewalls
• SANS ISC: Critical Palo Alto GlobalProtect Vulnerability Exploited (CVE-2024-3400)
• CERT-EU: Critical Vulnerability in PAN-OS software
• Qualys: PAN-OS OS Command Injection Vulnerability Exploited in the Wild (CVE-2024-3400)
• Rapid7: CVE-2024-3400: Critical Command Injection Vulnerability in Palo Alto Networks Firewalls
• The Hacker News:
• Zero-Day Alert: Critical Palo Alto Networks PAN-OS Flaw Under Active Attack
• (update) Hackers Deploy Python Backdoor in Palo Alto Zero-Day Attack
• Security Week:
• Palo Alto Networks Warns of Exploited Firewall Vulnerability
• (update) State-Sponsored Hackers Exploit Zero-Day to Backdoor Palo Alto Networks Firewalls
• SOCRadar: Critical OS Command Injection Vulnerability in Palo Alto's GlobalProtect Gateway: CVE-2024-3400. The patch is not available yet.
• CISA:
• CISA Adds One Known Exploited Vulnerability to Catalog
• Palo Alto Networks Releases Guidance for Vulnerability in PAN-OS, CVE-2024-3400
• The Record: Palo Alto Networks warns of zero-day in VPN product
• Ars Technica:“Highly capable” hackers root corporate networks by exploiting firewall 0-day

#CVE_2024_3400 #PaloAltoNetworks #zeroday #activeexploitation #eitw #kev #KnownExploitedVulnerabilitiesCatalog #vulnerability #threatintel #IOC