Unveiling the Critical Vulnerability in Palo Alto Network’s GlobalProtect Feature
In late spring, Palo Alto Networks, a prominent US cybersecurity firm, issued a stark warning: a critical command injection vulnerability (CVE-2024-3400) had been discovered in the GlobalProtect feature of its PAN-OS software. This vulnerability posed a significant threat, potentially allowing an unauthenticated remote attacker to execute arbitrary code with root privileges on the firewall.
In this week's Cyber Security Insights we delve deeper into the details of this vulnerability, explore its impact, and discuss the urgent need for robust security measures in the face of escalating zero-day attacks on VPN devices.
Finding Zero-Day Vulnerabilities
On April 10, security firm Volexity received multiple alerts of suspicious network traffic from a customer's firewall. A subsequent investigation confirmed that an attack had taken place that exploited a zero-day vulnerability in PAN-OS.
The investigation found that the threat actor (identified as UTA0218) was attempting to install a backdoor on the firewall which would allow the attacker to execute commands on the device and leverage it as an entry point to move laterally within the victim’s network.
Volexity discovered successful exploitations at several of its customers dating back to March 26, 2024. At that time, the attacker was likely testing the vulnerability for possible exploitation. Volexity actively tracks the threat actor UTA0218 and concluded that it was highly likely state-sponsored, based on the resources required to develop and exploit a vulnerability of this nature.
Figure 1: Palo Alto Networks Firewall PA-3400 Series
The vulnerability (CVE-2024-3400)
The vulnerability combines two PAN-OS bugs into a two-step process that allows an unauthenticated remote attacker to gain system administrator privileges and execute arbitrary commands on the vulnerable firewall. In the event of a breach, the attacker could exfiltrate sensitive configuration details or download malware. Shortly after details and proof-of-concept (PoC) code for the vulnerability (program code that verifies the vulnerability is exploitable) became available, exploit attempts were observed by various threat intelligence organizations.
Products Affected by the Vulnerability
The vulnerability affects next-generation firewalls running PAN-OS versions 10.2, 11.0, and 11.1 with a GlobalProtect gateway and/or portal enabled. GlobalProtect provides VPN capabilities for remote access to internal networks from the internet, including user identification, certificate issuance, and other security measures.
As of April 15, there were more than 143,000 publicly facing GlobalProtect devices (not limited to the vulnerable versions listed above).
A Series of Zero-Day Attacks on VPN Devices
In addition to this incident, Ivanti Connect Secure was hit by a zero-day attack in January from an APT group allegedly backed by the Chinese state. Cisco ASA/FTD devices also fell victim to a zero-day attack in April from another APT threat actor group. Additionally, last August it was revealed that the Akira ransomware group had been exploiting a zero-day vulnerability in Cisco ASA/FTD for a considerable time.
Summary
It is clear that threat actors are targeting VPN devices and attempting to infiltrate networks for nefarious purposes. Organizations must have a robust security program to deal with zero-day attacks of this nature, including continuous threat monitoring to help identify such attacks, as well as response capabilities and patch maintenance.
About our Cyber Security Insights
This blog post is part of our Cyber Security Insights, which are released several times every month, providing invaluable insights into the evolving threat landscape. Crafted by NTT Security Japan Inc. Consulting Services Department's OSINT Monitoring Team and NTT Security Sweden's Incident Response Team, our content includes expert analysis on recent breaches, vulnerabilities, and cyber events. Stay ahead of the curve with our timely updates and actionable intelligence, ensuring your digital assets remain secure in an ever-changing environment.
Sources:
- PALO ALTO NETWORKS: CVE-2024-3400 PAN-OS: Arbitrary File Creation Leads to OS Command Injection Vulnerability in GlobalProtect
- VOLEXITY: Zero-Day Exploitation of Unauthenticated Remote Code Execution Vulnerability in GlobalProtect (CVE-2024-3400)
- PALO ALTO NETWORKS BLOG: More on the PAN-OS CVE-2024-3400
- CENSYS: April 12, 2024: Palo Alto Networks GlobalProtect PAN-OS command injection vulnerability CVE-2024-3400
- VOLEXITY: Active Exploitation of Two Zero-Day Vulnerabilities in Ivanti Connect Secure VPN
- CISCO: Cisco Adaptive Security Appliance and Firepower Threat Defense Software Web Services Denial of Service Vulnerability
- CISCO: Cisco Adaptive Security Appliance and Firepower Threat Defense Software Persistent Local Code Execution Vulnerability
- CISCO: Vulnerability in Remote Access VPN of Cisco Adaptive Security Appliance Software and Firepower Threat Defense Software