It doesn’t happen all the time, but when a vulnerability appears in your software, it is time to jump into action to ensure users get a fix and are able to implement it as soon as possible.

The following is a timeline of events from a recent Palo Alto Networks vulnerability: On April 10, 2024, the Palo Alto Networks Product Security Incident Response Team (PSIRT) learned of a suspicious exfiltration attempt at a customer site from Volexity’s Steven Adair.

The Palo Alto Networks Product Security Research Lead Christopher Ganas and Unit 42’s Threat Research Lead Kyle Wilhoit immediately investigated the issue with Volexity’s team.

They determined the suspicious traffic originated from the firewall itself, which indicated the firewall had been compromised through the exploitation of a likely new zero day.

Gathering Experts
Over the next few hours, the PSIRT team assembled experts from across the company and took action as part of the company’s established protocols and industry best practices. They performed forensic investigations to identify the root cause of the vulnerability, understand the tactics of the exploited payload, and determine various options to enable protections in the firewall product. Further, they explored workarounds and threat prevention signatures and determined the exact combination of configurations that made the system vulnerable to a compromise.

What they found was a command injection as a result of arbitrary file creation vulnerability in the GlobalProtect feature of Palo Alto Networks PAN-OS software for specific PAN-OS versions and distinct feature configurations that may enable an unauthenticated attacker to execute arbitrary code with root privileges on the firewall.

CVE-2024-3400 is the case number for the vulnerability, which has a CVSS v4.0 base score of 10.0.

Within 24 hours of confirming the vulnerability, tested mitigations were released that blocked the known attacks, enabling immediate protections. These mitigations ended up applied to about 90 percent of active susceptible devices.

The intricate vulnerability stemmed from a combination of two bugs in PAN-OS. In the first one, the GlobalProtect service did not sufficiently validate the session ID format before storing it. This enabled the attacker to store an empty file with the attacker’s chosen filename. The second bug (trusting that the files were system-generated) used the filenames as part of a command. While neither bug on its own causes significant system damage, the combination allows unauthenticated remote shell command execution.

Sophisticated Threat Actor
A highly sophisticated threat actor discovered that by uniquely combining the two bugs, they could perform a two-stage attack to achieve command execution on the vulnerable device.

In stage 1, the attacker would send a carefully crafted shell command instead of a valid session ID to GlobalProtect. This results in creating an empty file on the system with an embedded command as its filename, as chosen by the attacker.

In stage 2, an unsuspecting scheduled system job that runs regularly uses the attacker-provided filename in a command. This results in the execution of the attacker-supplied command with elevated privileges.

A successful stage 1 does not necessarily mean the attacker’s command executed. Rather, it simply means the attacker created an empty file with a weird name that does not damage the firewall by itself.

A system compromise requires a successful exploitation of a command that does some damage to the system, such as exfiltrating sensitive configuration details or downloading malware.

A Threat Prevention signature with Threat ID 95187 (released on April 11) detects and blocks, with 100 percent accuracy, all known and observed suspicious patterns in session IDs. This Prevention signature was released by Palo Alto Networks within a day of confirming the vulnerability. Approximately 90 percent of susceptible devices already have protection.

Fix is In
The fix effectively removes the two problems in code that enabled this vulnerability to manifest. First, session IDs are now sufficiently validated before being stored. Then, the code that enabled command injection was rewritten using defensive programming techniques.
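To make the two-part fix concrete, here is an added Python sketch of the same defensive pattern. It is not PAN-OS code and not from Palo Alto Networks: an allowlist check on the session ID before anything is written to disk (the first bug), and a scheduled job that re-validates filenames and never hands them to a shell (the second bug). The 32-lowercase-hex session ID format, the directory layout and the `rm` cleanup are assumptions made for illustration.

```python
import re
import subprocess
import tempfile
from pathlib import Path

# Assumption: the real session ID format is not given on the page; this
# example treats a valid ID as exactly 32 lowercase hex characters.
SESSION_ID_RE = re.compile(r"\A[0-9a-f]{32}\Z")


def is_valid_session_id(session_id: str) -> bool:
    """Bug 1 fix: allowlist check, reject anything not in the expected format."""
    return SESSION_ID_RE.fullmatch(session_id) is not None


def store_session_file(session_dir: Path, session_id: str) -> Path:
    """Create the per-session file only after validation, so an attacker-chosen
    name never reaches disk. Also confirm the path stays inside session_dir."""
    if not is_valid_session_id(session_id):
        raise ValueError("malformed session ID rejected")
    target = session_dir / session_id
    if target.resolve().parent != session_dir.resolve():
        raise ValueError("path escapes session directory")
    target.touch()
    return target


def build_cleanup_argv(session_file: Path) -> list[str]:
    """Bug 2 fix: the job passes the filename as one argv element to a program
    (no shell), so filename content is never parsed as a command. '--' stops
    a name beginning with '-' from being read as an option."""
    return ["rm", "-f", "--", str(session_file)]


def cleanup_stale_sessions(session_dir: Path) -> list[Path]:
    """Defensive scheduled job: re-validate every filename before acting on it
    and skip the rest, instead of trusting that files are system-generated."""
    removed = []
    for entry in sorted(session_dir.iterdir()):
        if not is_valid_session_id(entry.name):
            continue  # unexpected name: a detection signal, not job input
        subprocess.run(build_cleanup_argv(entry), check=True)
        removed.append(entry)
    return removed


if __name__ == "__main__":  # constructed demo on a throwaway directory
    with tempfile.TemporaryDirectory() as d:
        sdir = Path(d)
        print(store_session_file(sdir, "ab" * 16))
        print(cleanup_stale_sessions(sdir))
```

A name that fails the allowlist in the cleanup loop is exactly the kind of event worth logging and alerting on, since a legitimate client never produces one.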

Palo Alto Networks Product Security Research Team and third-party research companies, like Bishop Fox, tested the fixes and found them to be 100% effective in preventing this vulnerability.

ISSSource
