CERT-EU warns of an exploited zero-day in Palo Alto Networks PAN-OS: CVE-2024-3400 (10.0 critical, disclosed 12 April 2024), a command injection vulnerability in the GlobalProtect feature of Palo Alto Networks PAN-OS software. Affected versions are PAN-OS 10.2, PAN-OS 11.0, and PAN-OS 11.1. This zero-day is NOT patched yet, and hotfix releases will be made available starting 14 April 2024. 🔗 https://cert.europa.eu/publications/security-advisories/2024-037/ and the original Palo Alto Networks security advisory: https://security.paloaltonetworks.com/CVE-2024-3400

#CVE_2024_3400 #PaloAltoNetworks #eitw #activeexploitation #vulnerability #zeroday

Critical Vulnerability in PAN-OS software

Hot off the press! CISA adds CVE-2024-3400 (10.0 critical, disclosed 12 April 2024, PAN-OS: OS Command Injection Vulnerability in GlobalProtect Gateway) to the Known Exploited Vulnerabilities (KEV) Catalog 🔗 https://www.cisa.gov/news-events/alerts/2024/04/12/cisa-adds-one-known-exploited-vulnerability-catalog

#CVE_2024_3400 #PaloAltoNetworks #zeroday #activeexploitation #eitw #kev #KnownExploitedVulnerabilitiesCatalog #vulnerability

Just to make it easier to read through the various reports (saying almost the same exact thing), I've assembled a Palo Alto Networks zero-day MEGA list:

UPDATE: Volexity and Unit 42 talk about the threat actor, campaign, and include indicators of compromise:

Here's the rest of the related reporting:

#CVE_2024_3400 #PaloAltoNetworks #zeroday #activeexploitation #eitw #kev #KnownExploitedVulnerabilitiesCatalog #vulnerability #threatintel #IOC

CVE-2024-3400 PAN-OS: Arbitrary File Creation Leads to OS Command Injection Vulnerability in GlobalProtect

A command injection as a result of arbitrary file creation vulnerability in the GlobalProtect feature of Palo Alto Networks PAN-OS software for specific PAN-OS versions and distinct feature configurat...

Palo Alto Networks Product Security Assurance

CISA put out an additional security alert about CVE-2024-3400, noting that Palo Alto Networks released workaround guidance for the command injection vulnerability. 🔗 https://www.cisa.gov/news-events/alerts/2024/04/12/palo-alto-networks-releases-guidance-vulnerability-pan-os-cve-2024-3400

#CVE_2024_3400 #PaloAltoNetworks #zeroday #activeexploitation #eitw #kev #KnownExploitedVulnerabilitiesCatalog #vulnerability #CISA

It should come as no surprise that Palo Alto Networks did not release hotfixes* for affected versions of PAN-OS 10.2, PAN-OS 11.0, and PAN-OS 11.1 by the self-imposed deadline of Sunday 14 April 2024 as they estimated in their security advisory. 48 hours to develop/test/release is a tight delivery window with the whole infosec community breathing down their necks.

EDIT: A hotfix is now available for select affected versions of PAN-OS: https://security.paloaltonetworks.com/CVE-2024-3400

#CVE_2024_3400 #PaloAltoNetworks #zeroday #activeexploitation #eitw #kev #KnownExploitedVulnerabilitiesCatalog #vulnerability #threatintel #IOC

Happy hotfix day from Palo Alto Networks who released 3 hotfixes for CVE-2024-3400 (10.0 critical, disclosed 12 April 2024 as an exploited zero-day) with 15 more hotfixes expected in the coming days: 🔗 https://security.paloaltonetworks.com/CVE-2024-3400

  • PAN-OS 10.2:
    • 10.2.9-h1 (Released 14 April)
    • 10.2.8-h3 (Released 15 April)
    • 10.2.7-h8 (Released 15 April)
    • 10.2.6-h3 (Released 16 April)
    • 10.2.5-h6 (Released 16 April)
    • 10.2.3-h13 (Released 18 April)
    • 10.2.1-h2 (Released 18 April)
    • 10.2.2-h5 (Released 18 April)
    • 10.2.0-h3 (Released 18 April)
    • 10.2.4-h16 (Released 18 April)
  • PAN-OS 11.0:
    • 11.0.4-h1 (Released 14 April)
    • 11.0.4-h2 (Released 17 April)
    • 11.0.3-h10 (Released 16 April)
    • 11.0.2-h4 (Released 16 April)
    • 11.0.1-h4 (Released 18 April)
    • 11.0.0-h3 (Released 18 April)
  • PAN-OS 11.1:
    • 11.1.2-h3 (Released 14 April)
    • 11.1.1-h1 (Released 16 April)
    • 11.1.0-h3 (Released 16 April)

#CVE_2024_3400 #PaloAltoNetworks #zeroday #activeexploitation #eitw #kev #KnownExploitedVulnerabilitiesCatalog #vulnerability #threatintel #IOC
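
As an added example (not code from this thread, the advisory, or Palo Alto Networks), here is a small Python checker that encodes the hotfix table above and tells you whether a given PAN-OS version string already carries the fix. It assumes version strings of the form major.minor.maint[-hN] (the hotfix suffix is absent on a base maintenance release) and that any later hotfix on the same maintenance release keeps the fix; a maintenance release that sits in an affected train but is not in the table is reported as unknown rather than guessed, and trains the advisory does not name (10.1, 9.1, ...) are treated as not affected, which was the advisory's scope at the time of the post.

```python
import re
from typing import Dict, List, Tuple

# Fixed hotfix releases exactly as listed in the post above (from the Palo Alto
# Networks advisory for CVE-2024-3400), keyed "major.minor.maint" -> lowest
# hotfix number that carries the fix.
FIXED_HOTFIX: Dict[str, int] = {
    "10.2.0": 3, "10.2.1": 2, "10.2.2": 5, "10.2.3": 13, "10.2.4": 16,
    "10.2.5": 6, "10.2.6": 3, "10.2.7": 8, "10.2.8": 3, "10.2.9": 1,
    "11.0.0": 3, "11.0.1": 4, "11.0.2": 4, "11.0.3": 10, "11.0.4": 1,
    "11.1.0": 3, "11.1.1": 1, "11.1.2": 3,
}

# Release trains the advisory names as affected. Assumption for this example:
# every other train is treated as not affected by this CVE.
AFFECTED_TRAINS = {"10.2", "11.0", "11.1"}

# PAN-OS version strings look like "10.2.7-h8"; the "-hN" hotfix suffix is
# optional and absent on a base maintenance release such as "10.2.7".
_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:-h(\d+))?$")


def parse_version(version: str) -> Tuple[int, int, int, int]:
    """Split "major.minor.maint[-hN]" into ints; hotfix is 0 when absent."""
    m = _VERSION_RE.match(version.strip())
    if m is None:
        raise ValueError(f"unrecognised PAN-OS version string: {version!r}")
    major, minor, maint, hotfix = m.groups()
    return int(major), int(minor), int(maint), int(hotfix or 0)


def assess(version: str) -> str:
    """Return one of: not-affected, fixed, vulnerable, unknown.

    "unknown" means the maintenance release is in an affected train but not in
    the advisory's hotfix table (e.g. a release newer than the table), so the
    advisory itself must be consulted rather than assuming either way.
    """
    major, minor, maint, hotfix = parse_version(version)
    train = f"{major}.{minor}"
    if train not in AFFECTED_TRAINS:
        return "not-affected"
    base = f"{train}.{maint}"
    if base not in FIXED_HOTFIX:
        return "unknown"
    # Assumption: a later hotfix on the same maintenance release keeps the fix.
    return "fixed" if hotfix >= FIXED_HOTFIX[base] else "vulnerable"


def needs_action(inventory: Dict[str, str]) -> List[Tuple[str, str, str]]:
    """Given {hostname: version}, list every device that is not known-fixed."""
    return [
        (host, ver, status)
        for host, ver in sorted(inventory.items())
        if (status := assess(ver)) not in ("fixed", "not-affected")
    ]


if __name__ == "__main__":
    # Constructed sample inventory (hostnames and versions are made up).
    sample = {
        "fw-edge-01": "10.2.7-h3",
        "fw-edge-02": "10.2.7-h8",
        "fw-dc-01": "11.0.4-h1",
        "fw-lab-01": "10.2.10",
        "fw-legacy-01": "10.1.9-h3",
    }
    for host, ver, status in needs_action(sample):
        print(f"{host}: {ver} -> {status}")
```

Feed it the version column from your firewall inventory (Panorama export, `show system info`, whatever you have) and treat every "vulnerable" or "unknown" row as work: the former needs the listed hotfix, the latter needs a look at the advisory because the table above only covers releases that existed when it was written.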

@jullrich of SANS ISC warns that the widely shared GitHub exploit is almost certainly fake (cc: @mttaggart ) and that two IP addresses were attempting CVE-2024-3400 exploitation: 173.255.223.159 and 146.70.192.174 🔗 https://isc.sans.edu/diary/rss/30838

#CVE_2024_3400 #PaloAltoNetworks #zeroday #activeexploitation #eitw #kev #KnownExploitedVulnerabilitiesCatalog #vulnerability #threatintel #IOC

watchTowr may have successfully replicated CVE-2024-3400 (10.0 critical, disclosed 12 April 2024 by Palo Alto Networks as an exploited zero-day, CWE-77: Command Injection; OS Command Injection Vulnerability in GlobalProtect Gateway, added to CISA KEV Catalog). Instead of releasing a Proof of Concept, they provided a "detection artefact generator tool" 🔗 https://labs.watchtowr.com/palo-alto-putting-the-protecc-in-globalprotect-cve-2024-3400/

#CVE_2024_3400 #PaloAltoNetworks #zeroday #activeexploitation #eitw #kev #KnownExploitedVulnerabilitiesCatalog #vulnerability #threatintel #IOC

Palo Alto - Putting The Protecc In GlobalProtect (CVE-2024-3400)

Welcome to April 2024, again. We’re back, again. Over the weekend, we were all greeted by now-familiar news—a nation-state was exploiting a “sophisticated” vulnerability for full compromise in yet another enterprise-grade SSLVPN device. We’ve seen all the commentary around the certification process of these devices for certain

watchTowr Labs - Blog

In case you missed it, Palo Alto Networks updated their security advisory in terms of product and mitigation guidance, exploit status, and PAN-OS fix availability: 🔗 https://security.paloaltonetworks.com/CVE-2024-3400

  • Exploitation status: Proof of concepts for this vulnerability have been publicly disclosed by third parties.
  • Workarounds and mitigations: In earlier versions of this advisory, disabling device telemetry was listed as a secondary mitigation action. Disabling device telemetry is no longer an effective mitigation. Device telemetry does not need to be enabled for PAN-OS firewalls to be exposed to attacks related to this vulnerability.
  • Solution:
    • 10.2.6-h3 (Released 4/16/24)
    • 11.0.3-h10 (Released 4/16/24)
    • 11.0.2-h4 (Released 4/16/24)
    • 11.1.0-h3 (Released 4/16/24)

#CVE_2024_3400 #PaloAltoNetworks #zeroday #activeexploitation #eitw #kev #KnownExploitedVulnerabilitiesCatalog #vulnerability #ProofofConcept

TrustedSec CTO Justin Elze shared a CVE-2024-3400 exploit attempt seen in the wild on Twitter yesterday, reporting that 149.28.194.95 was attempting to exploit CVE-2024-3400

#CVE_2024_3400 #PaloAltoNetworks #zeroday #activeexploitation #eitw #kev #KnownExploitedVulnerabilitiesCatalog #vulnerability #ProofofConcept #threatintel #IOC
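
The SANS ISC and TrustedSec posts above each hand out source addresses seen attempting exploitation. As an added example (not code from either source, nor from this thread), here is a small Python scanner that runs those three addresses as a watchlist over access-log lines and returns structured hits. The log format is an assumption for this example: Common Log Format lines as a reverse proxy or load balancer in front of the GlobalProtect portal would write them; the sample lines and the paths in them are constructed, not captured traffic.

```python
import ipaddress
import re
from collections import Counter
from typing import Dict, Iterable, List, NamedTuple, Optional

# Source addresses reported in this thread as attempting CVE-2024-3400
# exploitation: two from the SANS ISC diary, one from TrustedSec's Justin Elze.
REPORTED_SOURCES: Dict[str, str] = {
    "173.255.223.159": "SANS ISC",
    "146.70.192.174": "SANS ISC",
    "149.28.194.95": "TrustedSec",
}

# Assumed log format for this example: Common Log Format access lines
# (client ip, ident, user, [timestamp], "METHOD path protocol", status, ...).
_LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3})'
)


class Hit(NamedTuple):
    ip: str
    reporter: str
    timestamp: str
    method: str
    path: str
    status: int


def parse_line(line: str) -> Optional[Dict[str, str]]:
    """Return the named fields of one access-log line, or None if it does not parse."""
    m = _LOG_RE.match(line)
    return m.groupdict() if m else None


def scan(lines: Iterable[str], watchlist: Dict[str, str] = REPORTED_SOURCES) -> List[Hit]:
    """Return every parseable line whose client address is on the watchlist."""
    hits: List[Hit] = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        try:
            ip = str(ipaddress.ip_address(rec["ip"]))  # rejects non-IP garbage in the field
        except ValueError:
            continue
        if ip in watchlist:
            hits.append(Hit(ip, watchlist[ip], rec["ts"], rec["method"],
                            rec["path"], int(rec["status"])))
    return hits


def summarise(hits: Iterable[Hit]) -> Dict[str, int]:
    """Count hits per source address, most active first."""
    return dict(Counter(h.ip for h in hits).most_common())


# Constructed sample log lines (not real traffic); 203.0.113.0/24 is a documentation range.
SAMPLE_LOG = [
    '203.0.113.7 - - [16/Apr/2024:09:12:01 +0000] "GET /global-protect/login.esp HTTP/1.1" 200 5123',
    '173.255.223.159 - - [16/Apr/2024:09:13:44 +0000] "GET /global-protect/login.esp HTTP/1.1" 200 5123',
    '173.255.223.159 - - [16/Apr/2024:09:13:45 +0000] "POST /global-protect/login.esp HTTP/1.1" 200 312',
    'this line is not an access-log record',
    '149.28.194.95 - - [17/Apr/2024:02:40:10 +0000] "POST /global-protect/login.esp HTTP/1.1" 200 312',
]

if __name__ == "__main__":
    for h in scan(SAMPLE_LOG):
        print(f"{h.timestamp} {h.ip} ({h.reporter}) {h.method} {h.path} -> {h.status}")
    print(summarise(scan(SAMPLE_LOG)))
```

Treat a match as a triage lead, not as proof of compromise: addresses of this kind are hosting or VPN egress points that rotate quickly, so the watchlist goes stale fast and a hit only tells you which sessions to pull for closer inspection against the vendor's and Volexity's indicators.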

Zscaler observed exploitation of the Palo Alto Networks PAN-OS command injection zero-day vulnerability CVE-2024-3400 following the release of the PoC exploit code. Zscaler provides an attack flow diagram, and a technical analysis of the Upstyle backdoor and its layers. IOC provided. 🔗 https://www.zscaler.com/blogs/security-research/look-cve-2024-3400-activity-and-upstyle-backdoor-technical-analysis

#CVE_2024_3400 #PaloAltoNetworks #zeroday #activeexploitation #eitw #kev #KnownExploitedVulnerabilitiesCatalog #vulnerability #ProofofConcept #threatintel #IOC

A Look at CVE-2024-3400 Activity and Upstyle Backdoor Technical Analysis

Delve into CVE-2024-3400, a zero-day command-injection flaw in PAN-OS. Uncover exploitation trends in Zscaler's intelligence network and a Python-based backdoor

Bleeping Computer: GreyNoise and ShadowServer Foundation are reporting active exploitation of CVE-2024-3400 (10.0 critical, disclosed 12 April 2024 by Palo Alto Networks as an exploited zero-day, OS Command Injection Vulnerability in GlobalProtect Gateway, added to CISA KEV Catalog, has Proof of Concept). The good news is that all hotfixes for vulnerable versions of PAN-OS are now released. 🔗 https://www.bleepingcomputer.com/news/security/22-500-palo-alto-firewalls-possibly-vulnerable-to-ongoing-attacks/

#CVE_2024_3400 #PaloAltoNetworks #activeexploitation #eitw #kev

22,500 Palo Alto firewalls "possibly vulnerable" to ongoing attacks

Approximately 22,500 exposed Palo Alto GlobalProtect firewall devices are likely vulnerable to the CVE-2024-3400 flaw, a critical command injection vulnerability that has been actively exploited in attacks since at least March 26, 2024.

BleepingComputer

Palo Alto Networks released additional details about CVE-2024-3400: the fact that it is a combination of two bugs in PAN-OS; how an attacker was exploiting it; how disabling telemetry initially worked; and how they fixed it. The timeline from discovery to remediation encompasses the whole blog post. Overall a comprehensive after-action review from a company that notified the public almost immediately of an exploited zero-day. 🔗 https://www.paloaltonetworks.com/blog/2024/04/more-on-the-pan-os-cve/

#CVE_2024_3400 #PaloAltoNetworks #zeroday #activeexploitation #eitw #kev #KnownExploitedVulnerabilitiesCatalog #vulnerability #ProofofConcept #PANOS #IOC

More on the PAN-OS CVE-2024-3400

PSIRT learned of a suspicious exfiltration attempt at a customer site. Palo Alto Networks' team investigated the issue with Volexity's team.

Palo Alto Networks Blog

@simontsui compared the Ivanti fiasco, a tale of two exploits that couldn’t be more different

@Cali it's unfortunate because Ivanti was extraordinarily forthcoming and provided a patch and hotfix soon after zero-day exploitation. That soon became mass-exploitation and a bypass of the original hotfix. 10 January for the initial 2 zero-days, and 31 January for the 3rd zero-day and another vuln.