Tuesday, June 18, 2024

HomeCyberSecurityPalo Alto Networks fixes maximum severity, exploited CVE in firewalls

Palo Alto Networks fixes maximum severity, exploited CVE in firewalls

Dive Brief:

  • Palo Alto Networks released patches for an actively exploited zero-day vulnerability in its PAN-OS operating system, which runs some of the security vendor’s firewalls. The company disclosed the vulnerability on Friday and issued initial patches on Sunday, according to a security advisory.
  • The command injection vulnerability, CVE-2024-3400, allows an unauthenticated attacker to execute arbitrary code with root privileges, Palo Alto Networks’ Unit 42 said Friday in a threat brief. Palo Alto Networks assigned the vulnerability a CVSS score of 10, the maximum severity of a vulnerability.
  • The company said it’s “aware of a limited number of attacks that leverage the exploitation of this vulnerability.” Threat intelligence firm Volexity, which initially discovered the zero-day exploits on April 10, later determined successful exploitation across multiple customer environments began as early as March 26. 

Dive Insight:

The vulnerability, which was already exploited for at least two weeks prior to Volexity’s discovery, affects some PAN-OS firewalls configured with the GlobalProtect gateway or portal and device telemetry.

After exploitation, the attacker established persistence and executed a variety of commands on the compromised device, according to Volexity. In one instance, the attacker used a highly privileged service account on the Palo Alto Networks firewall device to pivot into the internal network, where they targeted the Active Directory database, key data and Windows event logs.

“The attacker also stole login data, cookies and local state data for Chrome and Microsoft Edge from specific targets,” Volexity researchers said. “With this data, the attacker was able to grab the browser master key and decrypt sensitive data, such as stored credentials.”

The Cybersecurity and Infrastructure Security Agency added CVE-2024-3400 to its known exploited vulnerabilities catalog on Friday.

Palo Alto Networks attributed the zero-day exploits to a group it identifies as Operation MidnightEclipse, but the company warned that additional attackers may also attempt to exploit the vulnerability. Palo Alto Networks did not respond to a request for comment.

It is highly likely a nation state is backing the group “based on the resources required to develop and exploit a vulnerability of this nature, the type of victims targeted by this actor, and the capabilities displayed to install the Python backdoor and further access victim networks,” Volexity researchers said.

The exploits and resulting exposure marks yet another string of attacks targeting network devices and security hardware in enterprise environments. Financially-motivated and nation-state linked attackers widely exploited vulnerabilities in devices sold by Citrix, Ivanti and Barracuda during the last year.

Source link

Bookmark (0)
ClosePlease login
- Advertisment -spot_img

Most Popular

Sponsored Business

- Advertisment -spot_img