Flash Notices

Flash Notice: UPDATE - Palo Alto Vulnerability Exploited in the Wild

Written by Marketing | Aug 13, 2024 2:48:14 PM

overview

This week, Palo Alto discovered a vulnerability within the GlobalProtect feature of Palo Alto Networks PAN-OS Software. Distinct feature configurations within specific versions of PAN-OS may enable an unauthenticated attacker to execute arbitrary code with root privileges on the firewall.  

CVE-2024-3400 (CVSS 10)

The affected versions of PAN-OS are: PAN-OS 10.2, 11.0, AND 11.1. In order for an attacker to exploit this vulnerability, both GlobalProtect gateway must be enabled in the affected version of PAN-OS.  

*UPDATE (8/13/2024)*  Palo Alto has since updated their advisory to say that disabling device telemetry is no longer an effective mitigation, as device telemetry does not need to be enabled for PAN-OS firewalls to be exposed to attacks related to this vulnerability. 

Users can verify whether you have a GlobalProtect gateway configured by checking for entries in your firewall web interface (Network > GlobalProtect > Gateways). 

Palo Alto recommends users upgrade to a fixed version of PAN-OS to protect their devices as soon as possible. The issue has been fixed in PAN-OS 10.2.9-h1, PAN-OS 11.0.4-h1, PAN-OS 11.1.2-h3, and all later versions.  

Palo Alto is aware of a number of attacks that exploit this vulnerability. 

 

 

avertium's recommendationS

CVE-2024-29988 – Avertium recommends reading Palo Alto’s advisory for additional mitigation guidance. 

 

 

INDICATORS OF COMPROMISE (IoCs)

type 

indicator 

FileHash-MD5 

089801d87998fa193377b9bfe98e87ff 

FileHash-MD5 

0c1554888ce9ed0da1583dbdf7b31651 

FileHash-MD5 

12b5e30c2276664e87623791085a3221 

FileHash-MD5 

427258462c745481c1ae47327182acd3 

FileHash-MD5 

5e4c623296125592256630deabdbf1d2 

FileHash-MD5 

724c8059c150b0f3d1e0f80370bcfe19 

FileHash-MD5 

87312a7173889a8a5258c68cac4817bd 

FileHash-MD5 

a43e3cf908244f85b237fdbacd8d82d5 

FileHash-MD5 

b9f5e9db9eec8d1301026c443363cf6b 

FileHash-MD5 

d31ec83a5a79451a46e980ebffb6e0e8 

FileHash-SHA1 

3ad9be0c52510cbc5d1e184e0066d14c1f394d4d 

FileHash-SHA1 

4ad043c8f37a916761b4c815bed23f036dfb7f77 

FileHash-SHA1 

5592434c40a30ed2dfdba0a86832b5f2eaaa437c 

FileHash-SHA1 

988fc0d23e6e30c2c46ccec9bbff50b7453b8ba9 

FileHash-SHA1 

a7c6f264b00d13808ceb76b3277ee5461ae1354e 

FileHash-SHA1 

d12b614e9417c4916d5c5bb6ee42c487c937c058 

FileHash-SHA1 

d7a8d8303361ffd124cb64023095da08a262cab4 

FileHash-SHA1 

e1e427c9b46064e2b483f90b13490e6ef522cc06 

FileHash-SHA1 

ef8036eb4097789577eff62f6c9580fa130e7d56 

FileHash-SHA1 

f99779a5c891553ac4d4cabf928b2121ca3d1a89 

FileHash-SHA256 

161fd76c83e557269bee39a57baa2ccbbac679f59d9adff1e1b73b0f4bb277a6 

FileHash-SHA256 

35a5f8ac03b0e3865b3177892420cb34233c55240f452f00f9004e274a85703c 

FileHash-SHA256 

3de2a4392b8715bad070b2ae12243f166ead37830f7c6d24e778985927f9caac 

FileHash-SHA256 

448fbd7b3389fe2aa421de224d065cea7064de0869a036610e5363c931df5b7c 

FileHash-SHA256 

755f5b8bd67d226f24329dc960f59e11cb5735b930b4ed30b2df77572efb32e8 

FileHash-SHA256 

96dbec24ac64e7dd5fef6e2c26214c8fe5be3486d5c92d21d5dcb4f6c4e365b9 

FileHash-SHA256 

adba167a9df482aa991faaa0e0cde1182fb9acfbb0dc8d19148ce634608bab87 

FileHash-SHA256 

c1a0d380bf55070496b9420b970dfc5c2c4ad0a598083b9077493e8b8035f1e9 

FileHash-SHA256 

e315907415eb8cfcf3b6a4cd6602b392a3fe8ee0f79a2d51a81a928dbce950f8 

FileHash-SHA256 

fe07ca449e99827265ca95f9f56ec6543a4c5b712ed50038a9a153199e95a0b7 

URL 

http://172.233.228.93/lowdp 

URL 

http://172.233.228.93/policy 

URL 

http://172.233.228.93/vpn.log 

URL 

http://172.233.228.93/vpn_prot.gz 

FileHash-MD5 

089801d87998fa193377b9bfe98e87ff 

FileHash-MD5 

427258462c745481c1ae47327182acd3 

FileHash-SHA1 

4ad043c8f37a916761b4c815bed23f036dfb7f77 

FileHash-SHA1 

ef8036eb4097789577eff62f6c9580fa130e7d56 

FileHash-SHA256 

161fd76c83e557269bee39a57baa2ccbbac679f59d9adff1e1b73b0f4bb277a6 

FileHash-SHA256 

35a5f8ac03b0e3865b3177892420cb34233c55240f452f00f9004e274a85703c 

FileHash-SHA256 

3de2a4392b8715bad070b2ae12243f166ead37830f7c6d24e778985927f9caac 

FileHash-SHA256 

448fbd7b3389fe2aa421de224d065cea7064de0869a036610e5363c931df5b7c 

FileHash-SHA256 

755f5b8bd67d226f24329dc960f59e11cb5735b930b4ed30b2df77572efb32e8 

FileHash-SHA256 

96dbec24ac64e7dd5fef6e2c26214c8fe5be3486d5c92d21d5dcb4f6c4e365b9 

FileHash-SHA256 

adba167a9df482aa991faaa0e0cde1182fb9acfbb0dc8d19148ce634608bab87 

FileHash-SHA256 

c1a0d380bf55070496b9420b970dfc5c2c4ad0a598083b9077493e8b8035f1e9 

FileHash-SHA256 

e315907415eb8cfcf3b6a4cd6602b392a3fe8ee0f79a2d51a81a928dbce950f8 

FileHash-SHA256 

fe07ca449e99827265ca95f9f56ec6543a4c5b712ed50038a9a153199e95a0b7 

IPv4 

137.118.185.101 

IPv4 

144.172.79.92 

IPv4 

172.233.228.93 

IPv4 

198.58.109.149 

IPv4 

23.242.208.175 

IPv4 

66.235.168.222 

IPv4 

71.9.135.100 

IPv4 

89.187.187.69 

YARA 

apt_malware_py_upstyle 

YARA 

susp_any_gost_arguments 

YARA 

susp_any_jarischf_user_path 

YARA 

hacktool_golang_reversessh_fahrj 

CVE 

CVE-2024-3400 

CVE 

CVE-2024-3400 

FileHash-MD5 

0c1554888ce9ed0da1583dbdf7b31651 

FileHash-SHA1 

988fc0d23e6e30c2c46ccec9bbff50b7453b8ba9 

FileHash-SHA256 

3de2a4392b8715bad070b2ae12243f166ead37830f7c6d24e778985927f9caac 

FileHash-SHA256 

5460b51da26c060727d128f3b3d6415d1a4c25af6a29fef4cc6b867ad3659078 

IPv4 

144.172.79.92 

IPv4 

172.233.228.93 

IPv4 

66.235.168.222 

IPv4 

107.152.33.113 

IPv4 

146.70.87.237 

IPv4 

217.195.153.178 

IPv4 

151.236.29.58 

 

 

How Avertium is Protecting Our CUSTOMERS

  • Fusion MXDR is the first MDR offering that fuse together all aspects of security operations into a living, breathing, threat-resistant XDR solution. By fusing insights from threat intelligence, security assessments, and vulnerability management into our MDR approach, Fusion MXDR offers a more informed, robust, and cost-effective approach to cybersecurity – one that is greater than the sum of its parts. 
  • Minimizing the impact of a successful ransomware or malware attack requires detecting it as early in the attack as possible. A Security Information and Event Management (SIEM) system can help an organization to accomplish this. Avertium offers a comprehensive SIEM-based approach that increases the potential for detecting a ransomware infection before it deploys. SIEM provides a holistic overview of a company’s IT environment from a single point of view in terms of its specific security events, empowering teams to detect and analyze unusual behavior. 
  • Note: We highly value your feedback. Kindly spare a moment to complete our feedback form, allowing us to enhance our services for our valued customers. 





 

SUPPORTING DOCUMENTATION

CVE-2024-3400 PAN-OS: OS Command Injection Vulnerability in GlobalProtect Gateway 

Palo Alto Networks Releases Guidance for Vulnerability in PAN-OS, CVE-2024-3400 

 
View full post