
CERT alert: Threat Level 5/5 - CVE-2024-3400: critical 0day in Palo Alto's GlobalProtect gateway exploited in the wild

1. Analysis

Updated on : 2024-04-17 08:47:59

Update 2, 17/04/2024 - CVE-2024-3400 widely exploited by opportunistic attackers after WatchTowr and Rapid7 release PoC

As we anticipated, vulnerability researchers managed in less than three days to identify the vulnerability within GlobalProtect and to create a working PoC against Palo Alto SSL-VPN solutions. WatchTowr published yesterday a blog post revealing how they identified a path traversal and arbitrary file write issue leading to command injection, and publicly provided a PoC showing how to inject a command using a simple POST request towards the ".../ssl-vpn/hipreport.esp" endpoint. This PoC injects the command within a SESSID cookie, ultimately dropping a file such as a webshell through a cron job that crawls the files on .../opt/panlogs/tmp/device_telemetry/minute/ (or .../hour/ or .../day).

Another simple PoC, derived from WatchTowr's article and from another article Rapid7 also released yesterday (here), was quickly shared on GitHub. TrustedSec mentioned on X encountering in-the-wild attacks abusing the public PoCs within minutes. ShadowServer also confirmed seeing attacks against their honeypots, meaning a broader exploitation campaign by opportunistic adversaries has begun.

Reminder: all other PoCs published earlier this weekend turned out to be fake, and sometimes even malicious (e.g. containing backdoors).

We expect all exposed vulnerable instances to be attacked in the next hours.

Finally, a US security consultant criticized on X the insufficient audit of Palo Alto solutions conducted by the National Information Assurance Partnership, a government-accredited body: the test only confirms whether the solution is robust enough against adversaries with "Basic Attack Potential".

Risk and recommendation evolution:

The risk level has been raised to the maximum level 5/5, as Palo Alto believes that the simplest mitigation (disabling telemetry) is NOT sufficient anymore to protect against the attack. Their advisory was indeed updated on Monday evening to mention this new finding. The vendor now recommends that all customers patch with the released hotfixes as soon as possible (or configure Threat Prevention signatures "Threat ID 95187, 95191 and 95189").

This critical change in the working mitigations (and possibly the new Threat IDs) may be intended to block attempts to trigger command execution by flooding the device with requests when telemetry is disabled, as mentioned by an unnamed source on Reddit here.

Furthermore, the vendor shared additional IOCs and CLI commands to hunt with in an update of their Threat Brief here. These indicators are not believed to be tied to the initial threat actor behind the 0day exploitation, but to recent attempts identified on their end to check whether an instance is vulnerable to the flaw. All were added to our Datalake repository, consumed by our Managed Threat Detection and Managed Threat Intelligence services.

Yesterday, Onyphe created a specific query to passively identify the version of a GlobalProtect appliance using the ETag, based on this open source scanner, which we had already tested this weekend. This scanner does correctly identify the current version of an exposed asset, but cannot determine whether the instance has the telemetry feature enabled (and thus whether it is vulnerable). It may nevertheless help you confirm whether an instance has already received the needed patch. Unfortunately, it also helps adversaries list "possibly vulnerable" servers to target in priority.

A new EmergingThreats Suricata rule (cf. "Other" in the Appendices) has been released to detect the use of the WatchTowr PoC. Evidence of ongoing attempts is found in various logs, as mentioned by Rapid7, including in .../var/log/pan/device_telemetry_send.log.

Updated on: 2024-04-15 11:05:09

Update 1, 15/04/2024 - Operation MidnightEclipse detailed, patches for Palo Alto's GlobalProtect 0day CVE-2024-3400 available 

As promised, Palo Alto started releasing on April 14 the first patches for the critical 0day CVE-2024-3400, presumably exploited by UTA0178, a Chinese threat actor that already compromised numerous Ivanti Connect Secure VPN instances in mid-January through a range of 0days. Three fixes are so far available, as explained in the advisory here, for the affected branches below:

  • PAN-OS 10.2: 10.2.9-h1 (Released 4/14/24)
  • PAN-OS 11.0: 11.0.4-h1 (Released 4/14/24)
  • PAN-OS 11.1: 11.1.2-h3 (Released 4/14/24)

Other affected versions will receive patches over this week, up to April 19 (see detailed timetable in Appendices).

The fear of adversaries orchestrating another mass compromise over the weekend has not materialized thus far. Many organizations hunted for compromise without detecting one, which means the campaign dubbed MidnightEclipse by Palo Alto remains so far quite targeted.

According to Volexity's article, after gaining root access to the firewall using the vulnerability, the adversary deployed a never-seen-before Python backdoor called "update.py", dubbed UPSTYLE by the incident response provider, and pivoted to further internal systems. Additional payloads were downloaded onto the firewall, such as a reverse proxy tool or known post-exploitation frameworks, in order to ultimately exfiltrate sensitive firewall configurations to adversary-controlled servers. The attack timeline identified by Volexity shows the earliest attempts detected on March 26, and part of the infrastructure dating back to a second campaign launched on April 7. At the same time, Palo Alto shared their own analysis of the attack here, confirming the IOCs and TTPs mentioned by Volexity.

Oddly, part of the MidnightEclipse malicious infrastructure remained online this Friday, even after Palo Alto and Volexity published technical blog posts about the case, so the Python backdoor hosted by the threat actors was still downloadable by security researchers. This either means the adversaries are not following very carefully what is released about them publicly, and/or that they no longer have the ability to manage the server used to host this payload.

No confirmed PoC is currently available publicly, but fake ones circulated quickly this weekend on X and GitHub. We expect that some advanced vulnerability researchers will identify how to leverage the 0day through "patch diffing", now that patches have been released by the vendor.

However, the level of risk associated with this advisory remains 4 out of 5 for us.

Recommendations:

We advise you to preserve evidence of a possible previous compromise, but to quickly apply the provided mitigation and/or, ideally, the patch if already available for your version.

All GlobalProtect instances managed directly by OCD were investigated last week, and the official Palo Alto mitigation was applied as soon as possible. In addition, hunting was proactively done using the network-related IOCs shared by Volexity and Palo Alto, thanks to our Datalake threat intelligence database, constantly updated with new relevant IOCs.

Volexity has also shared a Yara rule (available in the Appendices) that should be integrated into your security systems to increase the probability of detecting an attack. IDS rules are also available for Suricata, as mentioned here.

Orange Cyberdefense’s Datalake platform provides access to Indicators of Compromise (IoCs) related to this threat, which are automatically fed into our Managed Threat Detection services. This enables proactive hunting for IoCs if you subscribe to our Managed Threat Detection service that includes Threat Hunting. If you would like us to prioritize addressing these IoCs in your next hunt, please make a request through your MTD customer portal or contact your representative.

Orange Cyberdefense’s BlackLake service offers the ability to automatically feed network-related IoCs into your security solutions. To learn more about this service and to find out which firewall, proxy, and other vendor solutions are supported, please get in touch with your Orange Cyberdefense Trusted Solutions representative.

 

Initial alert on : 2024-04-12 14:01:55

1.1 Executive summary

A new vulnerability has been identified in Palo Alto Networks' GlobalProtect firewall feature. Known as CVE-2024-3400 (link to the vulnerability advisory for our customers), this vulnerability is considered critical and reached a CVSSv4.0 severity score of 10 out of 10. By exploiting it, a remote attacker could execute arbitrary code with root privileges on the firewall.

Palo Alto is aware of active, targeted exploitation in the wild, and Volexity believes it is possibly leveraged by some of the same Chinese threat actors behind the Ivanti Connect Secure 0days.

1.2 What you will hear

A 0day with a CVSSv4 score of 10 has been identified in Palo Alto Networks' GlobalProtect (PAN-OS).

1.3 What it means

The vulnerability allows a remote attacker to execute arbitrary code with root privileges on the firewall and has been seen exploited in the wild. The vulnerability specifically affects the GlobalProtect gateway and can only be exploited if telemetry is enabled and the PAN-OS version is newer than 10.2.

Volexity, which already identified the Ivanti 0days last January, is behind this discovery and has announced it will provide details publicly later on. No details on the vulnerability are available as of now.

According to Censys, it should be noted that around 40,000 GlobalProtect servers are currently exposed on the Internet. No patch is available as of now, but official mitigations can prevent compromise until fixes are made public.

We classify this advisory’s threat level as 4 out of 5, as no mass exploitation is confirmed yet.

1.4 What you should do

Palo Alto plans to release a fix on 4/14 and has already published some mitigations in the meantime:

  • for “Threat Prevention” subscriptions, activate “Threat ID 95187”
  • otherwise you should disable the telemetry widget in the Device panel

2. Appendices:

Updated on : 2024-04-17 08:47:56

2.2 OCD links

n/a

2.3 IOCs

Our Managed Threat Intelligence [detect] clients can directly consult and consume the IOCs from this address on our Datalake platform:

https://datalake.cert.orangecyberdefense.com/gui/search?query_hash=eff8e2f5f9c6a4d1a421251617bc0680&ordering=-first_seen&pageSize=50

If you’re interested in knowing more about this OCD managed service, please reach us at team[AT]cert.orangecyberdefense.com, indicating you’re a World Watch beneficiary.

2.4 Other

Scanner:

https://github.com/noperator/panos-scanner

IDS rule (ET OPEN):

alert http any any -> $HOME_NET any (msg:"ET WEB_SPECIFIC_APPS Palo Alto GlobalProtect Session Cookie Command Injection Attempt (CVE-2024-3400)"; flow:established,to_server; http.cookie; content:"SESSID="; startswith; content:"/opt/panlogs/tmp/device_telemetry/"; within:80; fast_pattern; content:"|60|"; within:21; content:"|24 7b|IFS|7d|"; within:30; reference:cve,2024-3400; reference:url,labs.watchtowr.com/palo-alto-putting-the-protecc-in-globalprotect-cve-2024-3400/; classtype:trojan-activity; sid:1; rev:1;)
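As an added illustration (not part of the original alert or of the ET ruleset), the following Python re-implements the http.cookie match chain of the rule above, including Suricata's "within" semantics, and runs it over constructed log lines; the simplified access-log format, the `triage_log` helper and the broader path-only check are assumptions of this example.

```python
import re
# The content checks of the ET OPEN rule quoted above: the cookie must start with
# "SESSID=", then each needle must be found in order and must END within `within`
# bytes after the end of the previous match (Suricata `within` semantics).
RULE_CHAIN = [
    (b"/opt/panlogs/tmp/device_telemetry/", 80),
    (b"`", 21),       # content:"|60|"
    (b"${IFS}", 30),  # content:"|24 7b|IFS|7d|"
]

def cookie_matches_et_rule(cookie: bytes) -> bool:
    """Re-implementation of the rule's http.cookie match chain for CVE-2024-3400."""
    if not cookie.startswith(b"SESSID="):  # content:"SESSID="; startswith;
        return False
    pos = len(b"SESSID=")
    for needle, within in RULE_CHAIN:
        # bytes.find with an end bound only matches if the whole needle lies in [pos, pos+within)
        idx = cookie.find(needle, pos, pos + within)
        if idx == -1:
            return False
        pos = idx + len(needle)
    return True

def telemetry_path_in_cookie(cookie: bytes) -> bool:
    """Broader hunting check: the telemetry path has no business in a session cookie."""
    return cookie.startswith(b"SESSID=") and b"/opt/panlogs/tmp/device_telemetry/" in cookie

COOKIE_RE = re.compile(r'cookie="([^"]*)"')  # assumed, constructed log format

def triage_log(lines):
    """Split log lines into (lines matching the ET rule, lines only carrying the path)."""
    et_hits, path_hits = [], []
    for line in lines:
        m = COOKIE_RE.search(line)
        if not m:
            continue
        cookie = m.group(1).encode()
        if cookie_matches_et_rule(cookie):
            et_hits.append(line)
        elif telemetry_path_in_cookie(cookie):
            path_hits.append(line)
    return et_hits, path_hits

# Constructed sample lines (not real traffic): a normal session, a request shaped like
# the public PoC, and a variant that carries the path but not the full injection chain.
SAMPLE_LOG = [
    '2024-04-16T10:00:01Z 198.51.100.7 POST /ssl-vpn/hipreport.esp cookie="SESSID=a1b2c3d4e5f6a7b8"',
    '2024-04-16T10:00:02Z 203.0.113.9 POST /ssl-vpn/hipreport.esp cookie="SESSID=/../../../opt/panlogs/tmp/device_telemetry/minute/x`t${IFS}t`"',
    '2024-04-16T10:00:03Z 203.0.113.9 POST /ssl-vpn/hipreport.esp cookie="SESSID=/../../../opt/panlogs/tmp/device_telemetry/hour/probe"',
]
```

Calling `triage_log(SAMPLE_LOG)` flags the second line under the ET rule and the third line under the path-only check: the rule is deliberately narrow, so hunting on the telemetry path alone in cookies is a useful complement.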

2.5 mainCategory

mainCategory=Vulnerability

Updated on : 2024-04-15 11:05:06

2.1 External links

Update 1, 15/04/2024 - Operation MidnightEclipse detailed, patches for Palo Alto's GlobalProtect 0day CVE-2024-3400 available 

 

Volexity: https://www.volexity.com/blog/2024/04/12/zero-day-exploitation-of-unauthenticated-remote-code-execution-vulnerability-in-globalprotect-cve-2024-3400/

Palo Alto:

https://unit42.paloaltonetworks.com/cve-2024-3400/

https://security.paloaltonetworks.com/CVE-2024-3400

2.3 IOCs

Our Managed Threat Intelligence [detect] clients can directly consult and consume the IOCs from this address on our Datalake platform:

https://datalake.cert.orangecyberdefense.com/gui/search?query_hash=0ac2b1347866609c800d4e834a50864f

If you’re interested in knowing more about this OCD managed service, please reach us at team[AT]cert.orangecyberdefense.com, indicating you’re a World Watch beneficiary.

2.4 Other

Upcoming patch release:

- 10.2.8-h3 (ETA: 4/15/24)
- 10.2.7-h8 (ETA: 4/15/24)
- 10.2.6-h3 (ETA: 4/15/24)
- 10.2.5-h6 (ETA: 4/16/24)
- 10.2.3-h13 (ETA: 4/17/24)
- 10.2.1-h2 (ETA: 4/17/24)
- 10.2.2-h5 (ETA: 4/18/24)
- 10.2.0-h3 (ETA: 4/18/24)
- 10.2.4-h16 (ETA: 4/19/24)

- 11.0.3-h10 (ETA: 4/15/24)
- 11.0.2-h4 (ETA: 4/16/24)
- 11.0.1-h4 (ETA: 4/17/24)
- 11.0.0-h3 (ETA: 4/18/24)

- 11.1.1-h1 (ETA: 4/16/24)
- 11.1.0-h3 (ETA: 4/17/24)

 

Yara rule:

rule apt_malware_py_upstyle : UTA0218
{
    meta:
        author = "threatintel@volexity.com"
        date = "2024-04-11"
        description = "Detect the UPSTYLE webshell."
        hash1 = "3de2a4392b8715bad070b2ae12243f166ead37830f7c6d24e778985927f9caac"
        hash2 = "0d59d7bddac6c22230187ef6cf7fa22bca93759edc6f9127c41dc28a2cea19d8"
        hash3 = "4dd4bd027f060f325bf6a90d01bfcf4e7751a3775ad0246beacc6eb2bad5ec6f"
        os = "linux"
        os_arch = "all"
        report = "TIB-20240412"
        scan_context = "file,memory"
        last_modified = "2024-04-12T13:05Z"
        license = "See license at https://github.com/volexity/threat-intel/blob/main/LICENSE.txt"
        rule_id = 10429
        version = 2

    strings:
        $stage1_str1 = "/opt/pancfg/mgmt/licenses/PA_VM"
        $stage1_str2 = "exec(base64."

        $stage2_str1 = "signal.signal(signal.SIGTERM,stop)"
        $stage2_str2 = "exec(base64."

        $stage3_str1 = "write(\"/*\"+output+\"*/\")"
        $stage3_str2 = "SHELL_PATTERN"

    condition:
        all of ($stage1*) or
        all of ($stage2*) or
        all of ($stage3*)
}


Initial alert on: 2024-04-12 14:01:55

2.1 External links

Palo Alto: https://security.paloaltonetworks.com/CVE-2024-3400

Censys:  https://search.censys.io/search?q=services.software.uniform_resource_identifier%3A+%60cpe%3A2.3%3Aa%3Apaloaltonetworks%3Aglobalprotect%3A%2A%3A%2A%3A%2A%3A%2A%3A%2A%3A%2A%3A%2A%3A%2A%60&resource=hosts

2.2 OCD links

World Watch: Ivanti: https://portal.cert.orangecyberdefense.com/worldwatch/839001

Vuln Intelligence Watch: https://portal.cert.orangecyberdefense.com/vulns/61891

Our Managed Vulnerability Intelligence [watch] clients can directly consult the advisory, including all the details related to this vulnerability, from this address on our Threat Defense Center portal. If you’re interested in knowing more about this OCD managed service, please reach us at team[AT]cert.orangecyberdefense.com, indicating you’re a World Watch beneficiary.

2.3 IOCs

n/a

2.4 Other

n/a


 

You may access this World Watch report on the Threat Defense Center Extranet portal by following the link below:
https://portal.cert.orangecyberdefense.com/worldwatch/885697
