Palo Alto Networks Releases Hotfixes for PAN-OS Vulnerability

Palo Alto Networks has released hotfixes for a zero-day vulnerability in PAN-OS firewalls that threat actors have actively exploited. This has prompted security measures and mitigation efforts from administrators and government agencies.

At a glance

  • Palo Alto Networks released hotfixes for a zero-day vulnerability in PAN-OS firewalls exploited since March 26th.
  • The security flaw, CVE-2024-3400, affects PAN-OS 10.2, 11.0, and 11.1 firewalls with device telemetry and GlobalProtect enabled.
  • Unauthenticated threat actors can exploit the vulnerability remotely for root code execution through command injection.
  • Palo Alto Networks addressed the flaw with hotfix releases for PAN-OS 10.2.9-h1, 11.0.4-h1, and 11.1.2-h3, while Cloud NGFW, Panorama appliances, and Prisma Access are not exposed.
  • Volexity confirmed active exploitation by state-sponsored threat actors, with over 82,000 vulnerable PAN-OS devices online, prompting CISA to add CVE-2024-3400 to its Known Exploited Vulnerabilities catalog.

The details

Palo Alto Networks has released hotfixes for a zero-day vulnerability in PAN-OS firewalls that has been exploited since March 26th.

The security flaw, CVE-2024-3400, affects PAN-OS 10.2, PAN-OS 11.0, and PAN-OS 11.1 firewalls with device telemetry and GlobalProtect enabled.

Unauthenticated threat actors can exploit the vulnerability remotely to gain root code execution through command injection.

Palo Alto Networks Hotfixes

Palo Alto Networks has addressed the security flaw in hotfix releases for PAN-OS 10.2.9-h1, PAN-OS 11.0.4-h1, and PAN-OS 11.1.2-h3. Cloud NGFW, Panorama appliances, and Prisma Access are not exposed to attacks via this vulnerability.

Until the hotfix is applied, administrators can mitigate the risk by disabling device telemetry on vulnerable devices or by activating the ‘Threat ID 95187’ threat prevention-based mitigation to block ongoing attacks.
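The hotfix versions and exploitation prerequisites above translate directly into an inventory triage rule: a device is exposed when it runs an affected release train (10.2, 11.0 or 11.1) below the corresponding hotfix and has both device telemetry and GlobalProtect enabled. The script below is an added example, not code from the article or from Palo Alto Networks; the device records, field names and `Device` class are constructed for illustration, and the fixed-version list is taken from the article (the vendor advisory remains the authoritative source for any later hotfixes). It parses PAN-OS version strings so that `10.2.9` sorts below `10.2.9-h1`, then classifies each device and states the action the article recommends.

```python
import re
from dataclasses import dataclass

# Hotfix releases named in the article for CVE-2024-3400, keyed by release train.
FIXED_VERSIONS = {
    (10, 2): "10.2.9-h1",
    (11, 0): "11.0.4-h1",
    (11, 1): "11.1.2-h3",
}

# PAN-OS versions look like major.minor.maintenance with an optional -hN hotfix suffix.
_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:-h(\d+))?$")


def parse_version(text):
    """Turn 'major.minor.maint[-hN]' into a comparable tuple.

    A release without a hotfix suffix counts as hotfix 0, so that
    10.2.9 < 10.2.9-h1 under ordinary tuple comparison.
    """
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised PAN-OS version: {text!r}")
    major, minor, maint, hotfix = m.groups()
    return (int(major), int(minor), int(maint), int(hotfix or 0))


@dataclass
class Device:
    # Hypothetical inventory record; field names are this example's own.
    name: str
    version: str
    telemetry_enabled: bool
    globalprotect_enabled: bool


def assess(device):
    """Return (status, action) for one device.

    Statuses:
      'not-affected-train' - release train not listed as affected in the article
      'patched'            - at or above the train's hotfix release
      'exposed'            - below the hotfix with both exploitation prerequisites met
      'needs-hotfix'       - below the hotfix, prerequisites not currently met
    """
    v = parse_version(device.version)
    train = v[:2]
    if train not in FIXED_VERSIONS:
        return ("not-affected-train", "no action for CVE-2024-3400")
    fixed_text = FIXED_VERSIONS[train]
    if v >= parse_version(fixed_text):
        return ("patched", f"running {fixed_text} or later")
    # The article: exploitable only with device telemetry and GlobalProtect enabled.
    if device.telemetry_enabled and device.globalprotect_enabled:
        return ("exposed",
                f"upgrade to {fixed_text}; meanwhile disable device telemetry "
                "or enable Threat ID 95187")
    return ("needs-hotfix",
            f"upgrade to {fixed_text} before enabling telemetry and GlobalProtect together")


def triage(devices):
    """Map each device name to its (status, action) pair."""
    return {d.name: assess(d) for d in devices}


# Constructed sample inventory (not real hosts).
SAMPLE_INVENTORY = [
    Device("fw-edge-01", "10.2.8", telemetry_enabled=True, globalprotect_enabled=True),
    Device("fw-edge-02", "11.1.2-h3", telemetry_enabled=True, globalprotect_enabled=True),
    Device("fw-dc-01", "11.0.4", telemetry_enabled=True, globalprotect_enabled=False),
    Device("fw-lab-01", "10.1.9", telemetry_enabled=True, globalprotect_enabled=True),
]

if __name__ == "__main__":
    for name, (status, action) in triage(SAMPLE_INVENTORY).items():
        print(f"{name:12} {status:20} {action}")
```

Only the version comparison and the two prerequisite flags decide the outcome, so the same function can be pointed at an export from Panorama or a CMDB once the fields are mapped; a device reported as `needs-hotfix` is still unpatched and should be scheduled regardless of its current telemetry setting.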

Active Exploitation and Response

Security firm Volexity has confirmed active exploitation of the vulnerability. It tracks the malicious activity under the identifier UTA0218 and assesses that state-sponsored threat actors are likely responsible for the attacks.

Threat researcher Yutaka Sejiyama has identified over 82,000 PAN-OS devices exposed online and vulnerable to attacks, 40% of which are located in the United States.

In response to the threat, the Cybersecurity and Infrastructure Security Agency (CISA) has added CVE-2024-3400 to its Known Exploited Vulnerabilities catalog, ordering federal agencies to secure their devices by applying the threat mitigation rule or disabling telemetry by April 19th.

Article X-ray

Facts attribution

This section links each of the article’s facts back to its original source.

If you suspect false information in the article, you can use this section to investigate where it came from.

bleepingcomputer.com
– Palo Alto Networks has released hotfixes for a zero-day vulnerability in PAN-OS firewalls that has been exploited since March 26th
– The security flaw (CVE-2024-3400) affects PAN-OS 10.2, PAN-OS 11.0, and PAN-OS 11.1 firewalls with device telemetry and GlobalProtect enabled
– Unauthenticated threat actors can exploit the vulnerability remotely to gain root code execution via command injection
– Palo Alto Networks has fixed the security flaw in hotfix releases for PAN-OS 10.2.9-h1, PAN-OS 11.0.4-h1, and PAN-OS 11.1.2-h3
– Cloud NGFW, Panorama appliances, and Prisma Access are not exposed to attacks via this vulnerability
– Admins can disable device telemetry on vulnerable devices or activate ‘Threat ID 95187’ threat prevention-based mitigation to block ongoing attacks
– Security firm Volexity confirmed active exploitation of the vulnerability, linking it to state-sponsored threat actors
– Volexity is tracking the malicious activity under UTA0218 and believes state-sponsored threat actors are likely behind the attacks
– Threat researcher Yutaka Sejiyama found over 82,000 PAN-OS devices exposed online and vulnerable to attacks, with 40% in the United States
– CISA has added CVE-2024-3400 to its Known Exploited Vulnerabilities catalog, ordering federal agencies to secure their devices by applying the threat mitigation rule or disabling telemetry by April 19th.
