Palo Alto Networks patches 'critical' vulnerability under active exploitation

Volexity says a ‘spike in exploitation’ is likely


Palo Alto Networks has made patches available for addressing a maximum-severity vulnerability affecting several versions of its PAN-OS firewall software.

The cybersecurity giant, which disclosed the "critical" issue Friday, continued to say on its advisory page Monday morning that only a "limited number of attacks" exploiting the vulnerability have been observed. The flaw affects the PAN-OS 10.2, PAN-OS 11.0 and PAN-OS 11.1 versions of the firewall software.

Patches for the issue, which were not immediately available Friday, have now been released, Palo Alto Networks said in an update to its advisory.

"This issue is fixed in hotfix releases of PAN-OS 10.2.9-h1, PAN-OS 11.0.4-h1 and PAN-OS 11.1.2-h3, and [will be fixed] in all later PAN-OS versions," the company said.

The patches come after more details emerged about the exploitation of the vulnerability, which was discovered by researchers at cybersecurity firm Volexity.

In a blog post, the Volexity researchers wrote that they believe the vulnerability was exploited as far back as March 26, and that the attackers sought to install a backdoor on the firewalls to enable continued execution of commands on the devices.

The researchers also said it is probable that the attacker, tracked by Volexity as "UTA0218", is a state-sponsored group, though not one that is currently linkable to any prior threat activity.

"Volexity assesses that it is highly likely UTA0218 is a state-backed threat actor based on the resources required to develop and exploit a vulnerability of this nature, the type of victims targeted by this actor, and the capabilities displayed to install the Python backdoor and further access victim networks," the researchers said.

Additionally, "it is likely a spike in exploitation will be observed over the next few days by UTA0218 and potentially other threat actors who may develop exploits for this vulnerability," Volexity researchers wrote on the blog Friday.

That assessment is based on the history of public disclosures for major firewall vulnerabilities, the research team said.

Maximum-severity vulnerability

In its advisory, Palo Alto Networks said that exploits of the flaw "may enable an unauthenticated attacker to execute arbitrary code with root privileges on the firewall."

The vendor said the vulnerability, tracked as CVE-2024-3400, has been judged a "critical" issue, with the maximum severity rating of 10.0 out of 10.0.

The vulnerability was found in the GlobalProtect feature in PAN-OS firewalls, the company said. The issue is "applicable only to PAN-OS 10.2, PAN-OS 11.0, and PAN-OS 11.1 firewalls configured with GlobalProtect gateway or GlobalProtect portal (or both) and device telemetry enabled."

The company added: "Cloud NGFW, Panorama appliances and Prisma Access are not impacted by this vulnerability."
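As an added example, not from the article, CRN or Palo Alto Networks, the following inventory triage encodes the affected release branches, the fixed hotfix releases and the GlobalProtect/device-telemetry conditions exactly as the advisory is quoted above, so a defender can sort a fleet into "patched", "exposed" and "out of scope". The Firewall record, its field names and the sample inventory are assumptions constructed for illustration.

```python
import re
from dataclasses import dataclass

# Fixed hotfix releases named in the advisory, keyed by PAN-OS release branch.
# Any version at or above the fix in its branch counts as patched ("all later versions").
FIXED_IN = {
    (10, 2): (10, 2, 9, 1),   # PAN-OS 10.2.9-h1
    (11, 0): (11, 0, 4, 1),   # PAN-OS 11.0.4-h1
    (11, 1): (11, 1, 2, 3),   # PAN-OS 11.1.2-h3
}

_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:-h(\d+))?$")


def parse_panos_version(version: str) -> tuple:
    """Turn '10.2.9-h1' into (10, 2, 9, 1); a base release gets hotfix 0, so 10.2.9 < 10.2.9-h1."""
    m = _VERSION_RE.match(version.strip())
    if not m:
        raise ValueError(f"unrecognised PAN-OS version string: {version!r}")
    major, minor, maint, hotfix = m.groups()
    return (int(major), int(minor), int(maint), int(hotfix or 0))


@dataclass
class Firewall:
    """Constructed inventory record; the field names are this example's own assumption."""
    name: str
    version: str
    globalprotect_portal: bool
    globalprotect_gateway: bool
    device_telemetry: bool


def assess(fw: Firewall) -> str:
    """Classify one firewall against the advisory conditions as quoted in the article."""
    v = parse_panos_version(fw.version)
    branch = v[:2]
    if branch not in FIXED_IN:
        return "not-affected-branch"   # only 10.2, 11.0 and 11.1 are listed as affected
    if v >= FIXED_IN[branch]:
        return "patched"               # running the hotfix or a later release
    if not (fw.globalprotect_portal or fw.globalprotect_gateway):
        return "no-globalprotect"      # unpatched but not configured as portal/gateway
    if not fw.device_telemetry:
        return "telemetry-disabled"    # unpatched; advisory text requires telemetry enabled
    return "VULNERABLE"


def triage(inventory: list) -> dict:
    """Map each device name to its status so the VULNERABLE set can be patched first."""
    return {fw.name: assess(fw) for fw in inventory}


SAMPLE_INVENTORY = [  # constructed sample data, not real devices
    Firewall("fw-edge-1", "11.1.2-h2", True, True, True),
    Firewall("fw-edge-2", "11.1.2-h3", True, True, True),
    Firewall("fw-dc-1", "10.2.9", False, False, True),
    Firewall("fw-lab", "10.1.12", True, False, True),
]
```

Unpatched devices in an affected branch still need the hotfix whatever their GlobalProtect or telemetry status, since those settings can change; the non-VULNERABLE labels only order the work.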

This article first appeared on CRN