Newsroom

C1SOC Advisory: Unauthenticated Remote Shell Command Execution Vulnerability CVE-2024-3400 in PAN-OS

Businessman using digital tablet and icon network connection data information with growth graph, digital marketing, banking and payment online, analysis and planning of business.

Palo Alto Networks has disclosed a critical security vulnerabilities in PAN-OS that is actively being exploited by malicious actors. This threat advisory aims to provide comprehensive information on the issue and necessary actions to mitigate risks.

Description of Vulnerability

The vulnerability, tracked as CVE-2024-3400, is a combination of two bugs in PAN-OS versions 10.2, 11.0, and 11.1, allowing unauthenticated remote shell command execution.

Attack Details 

The threat actor, UTA0218, conducted a two-stage attack named Operation MidnightEclipse, exploiting PAN-OS flaw for command execution on vulnerable devices.

Exploitation Techniques

Specially crafted requests containing commands are sent to devices, leveraging a backdoor named UPSTYLE. The attacker uses cron jobs and wget to execute commands and download malicious tools.

Scope of Impact

Approximately 22,542 internet-exposed firewall devices are vulnerable globally, with the majority located in the U.S., Japan, India, Germany, the U.K., Canada, Australia, France, and China.

Patch and Mitigation

Palo Alto Networks has released patches for affected PAN-OS versions. Users are strongly advised to apply hotfixes immediately to prevent exploitation.

Recommendation 

  • Apply hotfixes for PAN-OS versions 10.2, 11.0, and 11.1.
  • Monitor for suspicious activity, especially unauthorized commands and file creation.
  • Implement network segmentation and access controls to limit exposure.

References

Contact Us

If you have any questions or require further information on any other cybersecurity matters, please don’t hesitate to contact our dedicated team at socsupport@c1soc.com.

If you want to see more about the SOC service we offer, please follow this link https://c1soc.com

To ask a question, go to our support portal, CYBER1 SOC Customer Support