
Palo Alto’s Unit 42 team reveals new wave of PAN-OS firewall hack attempts

PAN-OS firewalls are facing an “increasing number of attacks”, though so far, signs of active command execution are rare.

user icon David Hollingworth
Tue, 23 Apr 2024

Palo Alto’s PAN-OS firewalls are coming under increasing attack following the company’s disclosure of a command injection vulnerability on 12 April.

A few days later, the Australian Signals Directorate’s Australian Cyber Security Centre circulated a critical alert over the vulnerability, warning Australian organisations using Palo Alto’s firewalls to “act now” to mitigate the vulnerability, while Palo Alto said it was working on a hotfix.

Now, Palo Alto’s Unit 42 has shared more details of how the vulnerability – CVE-2024-3400, which could allow a threat actor to run arbitrary code on affected PAN-OS firewalls – is being actively exploited.


The big brains at Unit 42 have broken down the exploitation attempts into four discrete groups.

At level zero, we have threat actors simply probing customer networks and failing to make any kind of access. Unit 42 expected these attempts to have “little to no immediate impact” on organisations, and simply applying the available hotfix should remedy the situation.

Unit 42 rates level one as threat actors actively testing the vulnerability. In this case, “a zero-byte file has been created and is resident on the firewall. However, there is no indication of any known unauthorised command execution.”

Again, applying Palo Alto’s hotfix should do the trick.

In both cases, Unit 42 believes resetting the impacted device is unnecessary, as there is no indication of active compromise or data exfiltration.

At level two, however, Unit 42 is beginning to see “potential exfiltration” of data.

“A file on the device has been copied to a location accessible via a web request, though the file may or may not have been subsequently downloaded,” Unit 42 said in a blog post. “Typically, the file we have observed being copied is running_config.xml.”

Unit 42’s advice in this case is to both install the hotfix and perform a private data reset.

“Private data reset clears all logs and reverts the configuration to factory defaults,” Unit 42 said. “The system will restart and then reset the data. We recommend changing the device master key from the default as a best practice.”

Finally, there are level-three exploitation attempts, which involve “interactive access” to compromised networks. Here, Unit 42 has seen evidence of interactive commands being executed, which may include the installation of backdoors, downloading files, running commands, and even introducing new code.

In these instances, only a factory reset, followed by installing the necessary hotfix, will mitigate the threat activity. The factory reset, however, will “wipe out keys, certs, logs, configurations, content and the device image”.

Unit 42 recommends “changing the device master key from the default as a best practice”.

Palo Alto’s research team also notes that level-two attempts are “limited”, while level-three exploitation attempts are “very limited”.

Disabling device telemetry, which was an early recommended mitigation against exploitation attempts, is no longer advised, however.

“In earlier versions of this advisory, disabling device telemetry was listed as a secondary mitigation action,” Unit 42 said.

“Disabling device telemetry is no longer an effective mitigation. Device telemetry does not need to be enabled for PAN-OS firewalls to be exposed to attacks related to this vulnerability.”

According to the not-for-profit security organisation Shadowserver Foundation, which monitors the internet for such vulnerabilities, there are 6,200 vulnerable devices still on the internet as of 21 April, with 142 in the Oceania region.
