The Palo Alto Networks PAN-OS software has a critical command injection vulnerability that allows an unauthorized attacker to run arbitrary code on the firewall with root access. 

The vulnerability is identified as CVE-2024-3400, with a CVSS score of 10.0. Operation MidnightEclipse has been coined to describe its exploit.

Palo Alto Networks confirmed targeted attacks using this vulnerability last Friday in an alert, crediting a threat actor for known exploitation and noting the possibility of further exploitation by threat actors.

Only PAN-OS 10.2, PAN-OS 11.0, and PAN-OS 11.1 firewalls are configured with device telemetry enabled, and either the GlobalProtect gateway or GlobalProtect portal (or both) are affected by this issue. 

Prisma Access, Panorama appliances, and cloud firewalls (Cloud NGFW) are unaffected by this flaw. 

How Attackers Exploited The Flaw?

Using the vulnerability, the attackers set up a cron job that retrieves commands hosted on an external server once every minute.

The bash shell is then used to carry out these commands. Palo Alto said the URL is believed to be a delivery system for a firewall backdoor running on Python.

The embedded backdoor component that carries out the threat actor’s directives is decoded and operated by another Python script that is written and launched by the Python file.

The threat actor was observed to be remotely exploiting the firewall to download more tooling, establish a reverse shell, change course into internal networks, and eventually steal data.

Palo Alto Networks released a hotfix to address command injection vulnerability in its custom operating system.

The attack was probably the result of a state-sponsored threat actor’s campaign, which security experts discovered began in March.

According to the threat intelligence firm that discovered it, Volexity tracks a threat actor named UTA0218 that started taking advantage of the zero-day vulnerability on March 26. 

Based on the resources needed to find and exploit the zero-day, the type of victims targeted, and the complexity of a Python-coded backdoor the threat actors placed to gain additional access to victim networks, Volexity attributes the attack to a government.

According to Volexity, zero-day exploitation appears to be targeted and restricted. However, as of this writing, “evidence of potential reconnaissance activity involving more widespread exploitation aimed at identifying vulnerable systems does appear to have occurred at the time of writing.”

Volexity discovered proof that after the intrusions, the attackers switched to internal networks.

The Active Directory database, as well as browser data from Microsoft Edge and Google Chrome, were among the critical Windows files that the threat actors targeted.

Hotfixes Released

The issue is fixed in hotfix releases of PAN-OS 10.2.9-h1, PAN-OS 11.0.4-h1, PAN-OS 11.1.2-h3, and all later PAN-OS versions. 

Additionally, the company said that the hotfixes for commonly deployed maintenance releases will be made available.

Palo Alto Networks advises users to watch for unusual behavior on their networks and investigate any sudden activity.

Looking to Safeguard Your Company from Advanced Cyber Threats? Deploy TrustNet to Your Radar ASAP.