Palo Alto Firewalls: Increased attacks and emergence of proofs-of-concept

Proof-of-concept exploits have emerged for the root access vulnerability in Palo Alto Networks firewalls. Attacks are on the rise.

Stylized graphic: burning appliances on the network

(Image: created with AI in Bing Designer by heise online / dmk)

This article was originally published in German and has been automatically translated.

Last weekend, the BSI warned of an actively exploited vulnerability in the firewalls of Palo Alto Networks and its PAN-OS operating system. Updates to close the gap are now available, but proof-of-concept exploit code has also surfaced and attacks are on the rise. Furthermore, an originally proposed countermeasure appears to be ineffective.

Palo Alto has now updated the security bulletin on the vulnerability in the PAN-OS operating system of its firewalls (CVE-2024-3400, CVSS 10, risk "critical"). As announced, the first fixed releases, PAN-OS 10.2.5-h6, 10.2.6-h3, 10.2.7-h8, 10.2.8-h3, 10.2.9-h1, 11.0.2-h4, 11.0.3-h10, 11.0.4-h1, 11.1.0-h3, 11.1.1-h1 and 11.1.2-h3 (and newer in each case), are now available and close the hole. IT managers should apply them immediately if they have not already done so. Palo Alto lists Prisma Access, PAN-OS 9.0, 9.1, 10.0, 10.1 and Cloud NGFW as not vulnerable.

However, further updates are still pending. PAN-OS 10.2.1-h2, 10.2.3-h13 and 11.0.1-h4 are expected on Wednesday of this week. On Thursday, Palo Alto plans to release PAN-OS 10.2.0-h3, 10.2.2-h5 and 11.0.0-h3, followed by PAN-OS 10.2.4-h16 on Friday. Firewalls are vulnerable if GlobalProtect Gateway, GlobalProtect Portal or both are configured on them.

As a temporary countermeasure, Palo Alto now recommends only enabling the matching threat signatures, which require a paid Threat Prevention subscription; there are currently three of them, with threat IDs 95187, 95189 and 95191. Palo Alto had previously suggested disabling device telemetry as a workaround. That turned out to be ineffective: telemetry does not need to be enabled for the vulnerability to be exploited successfully.

Palo Alto now also provides indicators that IT managers can check for signs of exploitation. On the firewall's command line, the command grep pattern "failed to unmarshal session(.\+.\/" mp-log gpsvc.log* searches the GlobalProtect service log for the tell-tale entries. If the log contains messages of the form "message": "failed to unmarshal session(01234567-89ab-cdef-1234-567890abcdef)" and the value in the parentheses does not look like a GUID but contains a file-system path, this may indicate an attack on CVE-2024-3400.
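As an added illustration (this script is not from heise online or Palo Alto), the following Python code applies the same check to a copy of gpsvc.log exported from a device. It translates the grep pattern above into a regular expression, extracts the value inside "failed to unmarshal session(...)", and flags every value that is not a well-formed GUID, distinguishing values that contain a path from other malformed ones. The JSON-like log line format and the sample values, including the traversal path, are constructed for the example and are not real attack data.

```python
import re
from typing import Dict, List

# The value inside "failed to unmarshal session(...)"; the grep pattern
# from the advisory only matches values containing a "/", this regex
# captures every value so that non-GUID values without a slash are seen too.
SESSION_RE = re.compile(r'failed to unmarshal session\(([^)]*)\)')

# A legitimate GlobalProtect session ID is a GUID: 8-4-4-4-12 hex digits.
GUID_RE = re.compile(
    r'^[0-9a-fA-F]{8}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-'
    r'[0-9a-fA-F]{4}-[0-9a-fA-F]{12}$'
)

# Constructed sample lines in the JSON-like style the article quotes;
# the path in line 2 is a made-up traversal string, not a real payload.
SAMPLE_LOG_LINES = [
    '{"level": "error", "message": "failed to unmarshal session(01234567-89ab-cdef-1234-567890abcdef)"}',
    '{"level": "error", "message": "failed to unmarshal session(../../../tmp/test-session)"}',
    '{"level": "info", "message": "session established for user alice"}',
    '{"level": "error", "message": "failed to unmarshal session(not-a-guid)"}',
]


def classify_session_value(value: str) -> str:
    """Return 'benign' for a GUID, 'suspicious-path' for a value that looks
    like a file-system path, and 'malformed' for anything else."""
    if GUID_RE.match(value):
        return "benign"
    if "/" in value or "\\" in value or ".." in value:
        return "suspicious-path"
    return "malformed"


def scan_gpsvc_log(lines: List[str]) -> List[Dict[str, object]]:
    """Scan gpsvc.log lines and return one finding per non-GUID session value."""
    findings: List[Dict[str, object]] = []
    for number, line in enumerate(lines, start=1):
        match = SESSION_RE.search(line)
        if match is None:
            continue
        value = match.group(1)
        verdict = classify_session_value(value)
        if verdict != "benign":
            findings.append({"line": number, "session": value, "verdict": verdict})
    return findings


if __name__ == "__main__":
    for finding in scan_gpsvc_log(SAMPLE_LOG_LINES):
        print(f"line {finding['line']}: {finding['verdict']}: {finding['session']}")
```

To run it against a real export, replace SAMPLE_LOG_LINES with the lines of the copied gpsvc.log files. A "suspicious-path" verdict matches the indicator Palo Alto describes; a "malformed" verdict is not one of the published indicators and is only reported so that unusual values are not silently dropped.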

On Twitter, TrustedSec shows a proof-of-concept exploit in the form of a concrete HTTP GET request with which Palo Alto firewalls are attacked. In its security advisory, Palo Alto states that it is seeing a growing number of attacks on this vulnerability and that third parties have publicly released proofs-of-concept.

Palo Alto's security analysts also provide an analysis of an attack on the company's website. In it, interested readers will find clues as to how the attackers behind "Operation MidnightEclipse" compromised the successfully attacked devices.

(dmk)