Tag Archive for: Palo

Palo Alto’s Unit 42 team reveals new wave of PAN-OS firewall hack attempts

/in


PAN-OS firewalls are facing an “increasing number of attacks”, though so far, signs of active command execution are rare.

Palo Alto’s PAN-OS firewalls are coming under increasing attack following the company’s disclosure of a command injection vulnerability on 12 April.

A few days later, the Australian Signals Directorate’s Australian Cyber Security Centre circulated a critical alert over the vulnerability, warning Australian organisations using Palo Alto’s firewalls to “act now” to mitigate the vulnerability, while Palo Alto said it was working on a hotfix.

Now, Palo Alto’s Unit 42 has shared more details of how the vulnerability – CVE-2024-3400, which could allow a threat actor to run arbitrary code on affected PAN-OS firewalls – is being actively exploited.

The big brains at Unit 42 have broken down the exploitation attempts into four discrete groups.

At level zero, we have threat actors simply probing customer networks and failing to make any kind of access. Unit 42 expected these attempts to have “little to no immediate impact” on organisations, and simply applying the available hotfix should remedy the situation.

Unit 42 rates level one as threat actors actively testing the vulnerability. In this case, “a zero-byte file has been created and is resident on the firewall. However, there is no indication of any known unauthorised command execution.”

Again, applying Palo Alto’s hotfix should do the trick.

In both cases, Unit 42 believes resetting the impacted device is unnecessary, as there is no indication of active compromise or data exfiltration.

At level two, however, Unit 42 is beginning to see “potential exfiltration” of data.

“A file on the device has been copied to a location accessible via a web request, though the file may or may not have been subsequently downloaded,” Unit 42 said in a blog post. “Typically, the file we have observed being copied is running_config.xml.”

Unit 42’s advice in this case is to both install the hotfix and perform a private data reset.

“Private data reset clears all logs and reverts the configuration to factory defaults,” Unit 42 said. “The system will restart…

Source…

Exploitation of vulnerability affecting Palo Alto… – NCSC.GOV.UK – National Cyber Security Centre

/in



Exploitation of vulnerability affecting Palo Alto… – NCSC.GOV.UK  National Cyber Security Centre

Source…

Palo Alto Networks Discloses Exploitation Of ‘Critical’ Zero-Day Flaw Impacting PAN-OS

/in


The company says that exploits of the vulnerability have been ‘limited’ so far.


Palo Alto Networks disclosed Friday that a “critical” zero-day vulnerability affecting several versions of its PAN-OS firewall software has seen exploitation in attacks.

In an advisory, the cybersecurity giant said it is “aware of a limited number of attacks that leverage the exploitation of this vulnerability.”

[Related: Fortinet Discloses Vulnerabilities In FortiOS, FortiProxy, FortiClient Linux And Mac]

Exploits of the flaw “may enable an unauthenticated attacker to execute arbitrary code with root privileges on the firewall,” Palo Alto Networks said in the advisory.

The vendor said the vulnerability (tracked at CVE-2024-3400) has been rated as a “critical” severity issue. Patches are not yet available but are expected to be released by this coming Sunday, April 14.

Palo Alto Networks provided several recommended workarounds and mitigations for the issue, including temporarily disabling firewall telemetry.

In a statement provided to CRN Friday, Palo Alto Networks said that “upon notification of the vulnerability, we immediately provided mitigations and will provide a permanent fix shortly.”

“We are actively notifying customers and strongly encourage them to implement the mitigations and hotfix as soon as possible,” the company said.

The vulnerability was found in the GlobalProtect feature in PAN-OS firewalls, the company said. The flaw affects the PAN-OS 10.2, PAN-OS 11.0 and PAN-OS 11.1 versions of the firewall software.

“Cloud NGFW, Panorama appliances, and Prisma Access are not impacted by this vulnerability,” the company said. “All other versions of PAN-OS are also not impacted.”

Palo Alto Networks credited researchers at cybersecurity firm Volexity for discovering the vulnerability. In December, Volexity researchers discovered vulnerabilities affecting Ivanti Connect Secure VPN devices, which went on to see mass exploitation by threat actors.

Source…

Attackers exploit critical zero-day flaw in Palo Alto Networks firewalls

/in


“This issue is applicable only to PAN-OS 10.2, PAN-OS 11.0, and PAN-OS 11.1 firewalls with the configurations for both GlobalProtect gateway and device telemetry enabled,” the company said in its advisory.

Customers can check if they have the GlobalProtect gateway configured under the Network > GlobalProtect > Gateways menu in the firewall’s web interface. The telemetry feature can be checked under Device > Setup > Telemetry.

Mitigating Palo Alto Networks Pan-OS

The company plans to release software hotfixes for PAN-OS 10.2, PAN-OS 11.0 and PAN-OS 11.1 to address the flaw on April 14. These patches will be numbered 10.2.9-h1, 11.0.4-h1 and 11.1.2-h3. Older PAN-OS releases are not impacted and neither are the Cloud NGFW or Prisma Access and Panorama appliances.

Source…