[CVE-2024-3400] Palo Alto Networks Firewall Vulnerability Exploited in the Wild

In a startling revelation, cybersecurity firms Volexity and watchTowr have reported that a critical zero-day vulnerability in Palo Alto Networks GlobalProtect firewall devices has been actively exploited by a suspected nation-state threat actor.

The vulnerability, tracked as CVE-2024-3400, allows an unauthenticated attacker to execute arbitrary code with root privileges on affected devices.

Volexity first identified the exploitation on April 10, 2024, when it received alerts about suspicious network traffic originating from a customer's firewall. Upon investigation, it was determined that the device had been compromised.

The threat actor, dubbed UTA0218, was observed exploiting the vulnerability to create a reverse shell, download additional tools, exfiltrate configuration data, and move laterally within the victim's network.

According to Volexity, the earliest evidence of attempted exploitation dates back to March 26, 2024, suggesting that the threat actor had been testing the vulnerability before launching full-scale attacks.

The cybersecurity firm worked closely with Palo Alto Networks' Product Security Incident Response Team (PSIRT) to investigate the root cause of the compromise. Palo Alto Networks confirmed the vulnerability as an OS command injection issue and assigned it a CVSS base score of 10.0, indicating its critical severity.

watchTowr, another cybersecurity firm, also investigated the vulnerability and provided additional insights into its technical details. They discovered that the vulnerability was related to the unsafe handling of session IDs in the GlobalProtect feature.

By manipulating the session ID, an attacker could create a zero-byte file with an arbitrary name on the firewall's filesystem. Although this file itself was harmless, watchTowr found that it could be used to inject commands into a shell command executed by the firewall's telemetry functionality.

GoLang gorilla/sessions library - GO-2024-2730

HD Moore, a renowned security researcher, reported on GitHub that the vulnerability in Palo Alto Networks' GlobalProtect was linked to a directory traversal issue in the widely used"gorilla/sessions" package for the Go programming language. 

The directory traversal vulnerability in the gorilla/sessions library is now being tracked as GO-2024-2730. Users using gorilla/session with the FilesystemStore is suggested to switch to the CookieStore until a patch is released.

This vulnerability allows an authenticated user to create or overwrite any file or device with the privileges of the application when using the FilesystemStore. The issue was introduced in version 1.1 of the package and affects the "FilesystemStore.Save" and "NewFilesystemStore" symbols.

The discovery of CVE-2024-3400 and its active exploitation by a sophisticated threat actor has sent shockwaves through the cybersecurity community.

Palo Alto Networks has released an advisory that includes information about a threat protection signature and a timeline for a fix. However, organizations are strongly advised to investigate their systems and networks for potential breaches, as the presence of the vulnerability alone does not guarantee that a device has not been compromised.

Volexity and watchTowr have provided detailed technical analyses of the vulnerability and the attacker's tactics, techniques, and procedures (TTPs). They have also shared detection methods and indicators of compromise (IOCs) to help organizations identify potential breaches.

Cybersecurity firms emphasize the importance of prompt action in deploying recommended mitigations and conducting thorough compromise assessments.

As the situation continues to unfold, it is clear that CVE-2024-3400 represents a significant threat to organizations relying on Palo Alto Networks GlobalProtect firewall devices.

The combination of a critical vulnerability, active exploitation by a sophisticated threat actor, and the potential for widespread impact due to the use of a vulnerable third-party package highlights the need for swift and decisive action to mitigate the risk of further compromises.