Palo Alto firewalls: CVE-2024-3400 exploitation and PoCs for persistence after resets/upgrades

There are proof-of-concept techniques allowing attackers to achieve persistence on Palo Alto Networks firewalls after CVE-2024-3400 has been exploited, the company confirmed on Monday, but they are “not aware at this time of any malicious attempts to use these persistence techniques in active exploitation of the vulnerability.”

“These techniques work on a device that is already compromised with interactive root level command execution,” they added.


The evolving situation

On April 12, Palo Alto Networks warned about limited attacks against internet-exposed firewalls, likely by a state-backed threat actor, who managed to install backdoors, grab sensitive data, and move laterally through target organizations’ networks.

It was initially thought that the attackers exploited one zero-day vulnerability, but it was later confirmed by Rapid7 that they chained together two separate vulnerabilities: “an arbitrary file creation vulnerability in the GlobalProtect web server, for which no discrete CVE has been assigned, and a command injection vulnerability in the device telemetry feature, designated as CVE-2024-3400”.

Since then, Palo Alto Networks has been updating the associated security advisory and Unit 42 Threat Brief, as well as publishing additional advice for mitigation and remediation.

Fixes have been made available and customers have been advised to implement them even if they implemented mitigations (i.e., the Threat Prevention updates).

On April 18, the company said that “an increasing number of attacks that leverage the exploitation of this vulnerability” have been spotted and that proofs of concept for the flaw(s) have been publicly disclosed by third parties.

On April 20, they confirmed that a tech support file (TSF) should be obtained “before rebooting into a fixed version of PAN-OS” because “some logs from the prior system installation will become inaccessible on the device.” Customers were advised to send the TSF to check whether their device logs match known attempted exploits for the vulnerability.

On April 23, Unit 42 said that the vast majority of cases they responded to have either been unsuccessful attempts to exploit the vulnerability or instances of the vulnerability being tested on the device. Other cases have included “limited” configuration file exfiltration and “very limited” interactive access compromises of the targeted firewalls.

Post-exploitation persistence on Palo Alto firewalls

On April 25, Palo Alto published remediation recommendations for customers (for each level of compromise), and on April 29 they confirmed that they are aware of “proof-of-concept by third parties [i.e., Nick Wilson] of post-exploit persistence techniques that survive resets and upgrades.”

There is currently no indication that these techniques are being used by the initial or other attackers. Still, state-sponsored threat actors have previously found ways to install malware that survives reboots and firmware upgrades on Ivanti VPN appliances, and have apparently managed to compromise Barracuda Networks’ physical Email Security Gateway (ESG) appliances in a way that makes their replacement imperative.

UPDATE (May 6, 2024, 04:10 a.m. ET):

Palo Alto now advises customers to open a case through Customer Support (TAC) if they want to schedule an enhanced factory reset (EFR) procedure that does not rely on the integrity of a potentially compromised device.

“This is recommended for customers who have not applied the PAN-OS fixes or Threat Prevention signatures with vulnerability protection applied to the GlobalProtect interface (regardless of level of compromise) on or before April 25, 2024; or customers who are concerned about a persistent risk.”
