Don’t Get Hacked: 

Case Study, by

A recently discovered security flaw (CVE-2024-3400) is impacting Palo Alto Networks PAN-OS firewalls. This vulnerability, classified as severe, allows attackers to potentially gain significant control over affected systems through a technique called command injection. This type of vulnerability could lead to the execution of malicious code, the compromise of sensitive data, or even the disruption of critical network operations. It affects firewalls running specific versions of the PAN-OS software and configured with the GlobalProtect security feature. Palo Alto Networks is actively working to provide updates and solutions to address this flaw. To ensure your continued security, we have prepared a comprehensive advisory newsflash detailing the vulnerability, risks, and mitigation steps.

What is the vulnerability?

A zero-day command injection vulnerability in the GlobalProtect feature of Palo Alto Networks PAN-OS software, for specific PAN-OS versions and distinct feature configurations, may enable an unauthenticated attacker to execute arbitrary code with root privileges on the firewall. Tracked as CVE-2024-3400, the issue has a CVSS score of 10.0, indicating maximum severity. Threat actors have been able to exploit the vulnerability to compromise the firewall, introduce a Python-based backdoor, create a reverse shell, download further tools onto the device, exfiltrate data and move laterally within the network. The exact origins of the threat actor exploiting the flaw are presently unknown, but Palo Alto Networks Unit 42 is tracking the malicious activity under the name Operation MidnightEclipse.

How do you protect yourself? 

This issue is fixed in hotfix releases PAN-OS 10.2.9-h1, PAN-OS 11.0.4-h1 and PAN-OS 11.1.2-h3, and in all later PAN-OS versions. Hotfixes for other commonly deployed maintenance releases will also be made available to address this issue. Palo Alto Networks states that hotfixes for the rest of the versions will be released by 19/04/2024.
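
To triage a firewall inventory against the fixed releases listed above, the following added example (not Palo Alto Networks code and not part of the original advisory) compares each device's PAN-OS version string with the hotfix named for its release train. The hostnames and versions in the sample inventory are constructed, and the status labels are this example's own.

```python
import re

# Fixed hotfix releases named in the advisory, keyed by (major, minor) train:
# PAN-OS 10.2.9-h1, 11.0.4-h1 and 11.1.2-h3 -> (maintenance, hotfix) floor.
FIXED = {(10, 2): (9, 1), (11, 0): (4, 1), (11, 1): (2, 3)}

_VERSION = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:-h(\d+))?$")


def parse(version):
    """Split '10.2.9-h1' into ((10, 2), (9, 1)); a missing hotfix counts as h0."""
    m = _VERSION.match(version.strip())
    if not m:
        raise ValueError(f"unrecognised PAN-OS version: {version!r}")
    major, minor, maint, hotfix = (int(g or 0) for g in m.groups())
    return (major, minor), (maint, hotfix)


def triage(version):
    """Classify one version string against the fixed releases on this page."""
    train, build = parse(version)
    if train in FIXED:
        # Below the listed floor: a hotfix for that maintenance release may
        # exist, so this needs a check against the vendor advisory.
        return "fixed" if build >= FIXED[train] else "review"
    if train > max(FIXED):
        return "fixed"       # covered by "all later PAN-OS versions"
    return "not-listed"      # train not named on this page


def triage_inventory(inventory):
    """Group hostnames by triage status; unparseable versions go to 'unparsed'."""
    result = {}
    for host, version in sorted(inventory.items()):
        try:
            status = triage(version)
        except ValueError:
            status = "unparsed"
        result.setdefault(status, []).append(host)
    return result


# Constructed sample inventory (hypothetical hostnames and versions).
SAMPLE = {"fw-edge-1": "10.2.9", "fw-edge-2": "10.2.9-h1", "fw-dc-1": "11.1.2-h2",
          "fw-dc-2": "11.0.5", "fw-lab-1": "10.1.12", "fw-lab-2": "11.1.0-b1"}

if __name__ == "__main__":
    for status, hosts in triage_inventory(SAMPLE).items():
        print(f"{status:<11} {', '.join(hosts)}")
```

A "review" result means the version is below the hotfix listed here for its train; since hotfixes for other maintenance releases are also being issued, confirm those devices against the vendor advisory and check whether GlobalProtect is configured on them.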
