Welcome!

By registering with us, you'll be able to discuss, share and private message with other members of our community.

SignUp Now!
banner Expire 25 April 2025
adv ex on 5 january 2024
adv ex on 22 February 2024
Banner expire 20 November 2024
Kfc Club

Patrick Stash
casino
banner expire at 13 August 2024
BidenCash Shop
Rescator cvv and dump shop
Yale lodge shop
UniCvv

Cowboy

TRUSTED VENDOR
Joined
Apr 18, 2024
Messages
285
1713647133842.png


Palo Alto Networks has shared more details of a critical security flaw impacting PAN-OS that has come under active exploitation in the wild by malicious actors.

The company described the vulnerability, tracked as CVE-2024-3400 (CVSS score: 10.0), as "intricate" and a combination of two bugs in versions PAN-OS 10.2, PAN-OS 11.0, and PAN-OS 11.1 of the software.

"In the first one, the GlobalProtect service did not sufficiently validate the session ID format before storing them. This enabled the attacker to store an empty file with the attacker's chosen filename," Chandan B. N., senior director of product security at Palo Alto Networks, said.

"The second bug (trusting that the files were system-generated) used the filenames as part of a command."

It's worth noting that while neither of the issues are critical enough on their own, when chained together, they could lead to unauthenticated remote shell command execution.

Palo Alto Networks said that the threat actor behind the zero-day exploitation of the flaw, UTA0218, carried out a two-stage attack to achieve command execution on susceptible devices. The activity is being tracked under the name Operation MidnightEclipse.

As previously disclosed by both Volexity and the network security company's own Unit 42 threat intelligence division, this involves sending specially crafted requests containing the command to be executed, which is then run via a backdoor called UPSTYLE.

"The initial persistence mechanism setup by UTA0218 involved configuring a cron job that would use wget to retrieve a payload from an attacker-controlled URL with its output being written to stdout and piped to bash for execution," Volexity noted last week.


1713647212436.png



This is based on new findings from Bishop Fox, which discovered bypasses to weaponize the flaw such that it did not require telemetry to be enabled on a device in order to infiltrate it.

The company has also expanded patches for the flaw beyond the primary versions over the last few days to cover other commonly deployed maintenance releases -

  • PAN-OS 10.2.9-h1
  • PAN-OS 10.2.8-h3
  • PAN-OS 10.2.7-h8
  • PAN-OS 10.2.6-h3
  • PAN-OS 10.2.5-h6
  • PAN-OS 10.2.4-h16
  • PAN-OS 10.2.3-h13
  • PAN-OS 10.2.2-h5
  • PAN-OS 10.2.1-h2
  • PAN-OS 10.2.0-h3
  • PAN-OS 11.0.4-h1
  • PAN-OS 11.0.4-h2
  • PAN-OS 11.0.3-h10
  • PAN-OS 11.0.2-h4
  • PAN-OS 11.0.1-h4
  • PAN-OS 11.0.0-h3
  • PAN-OS 11.1.2-h3
  • PAN-OS 11.1.1-h1
  • PAN-OS 11.1.0-h3
In light of the active abuse of CVE-2024-3400 and the availability of a proof-of-concept (PoC) exploit code, users are recommended to take steps to apply the hotfixes as soon as possible to safeguard against potential threats.


The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has also added the shortcoming to its Known Exploited Vulnerabilities (KEV) catalog, ordering federal agencies to secure their devices by April 19, 2024.

According to information shared by the Shadowserver Foundation, approximately 22,542 internet-exposed firewall devices are likely vulnerable to the CVE-2024-3400. A majority of the devices are in the U.S., Japan, India, Germany, the U.K., Canada, Australia, France, and China as of April 18, 2024.
 
Top Bottom