Palo Alto Networks recently announced a critical vulnerability in the PAN-OS software behind its GlobalProtect VPN gateway, a feature of the PAN-OS firewall. The timeline of discovery, public disclosure and fixes is currently as follows:
Volexity first discovered the PAN-OS attack on April 10, 2024 at one of its network security monitoring (NSM) customers, and on April 11, 2024 learnt that another NSM customer had been compromised by the same threat actor.
Palo Alto Networks was then notified by Volexity that a zero-day vulnerability in its GlobalProtect Gateway was under active exploitation in the wild.
On April 12, Palo Alto Networks publicly disclosed that a critical zero-day vulnerability, CVE-2024-3400, in its GlobalProtect Gateway was under active exploitation by threat actors. The vulnerability was assigned a CVSS score of 10.0, the maximum severity.
In parallel, Palo Alto Networks issued a security advisory on CVE-2024-3400 that included information on vulnerable configurations, workarounds and mitigations, as well as a timeline for a fix for impacted PAN-OS versions.
On April 15, Palo Alto Networks provided hotfixes for affected PAN-OS firewalls, clarified workarounds and mitigations, and advised that a software fix to PAN-OS was coming.
On April 16, Palo Alto Networks added a new Threat Prevention ID to the workarounds and mitigations.
On April 18, Palo Alto Networks clarified the vulnerability title and description in the advisory to “Arbitrary File Creation leads to OS Command Injection Vulnerability in GlobalProtect”.
Because the vulnerability is under active exploitation, details of the vulnerability and of the configurations exposed to attack are changing frequently. For the most current vendor guidance on products and mitigations, exploit status, vulnerable configurations and PAN-OS software fix availability, customers should refer to the Palo Alto Networks security advisory.
CISA has alerted users and administrators to apply the current mitigations for CVE-2024-3400 and to update software when Palo Alto Networks makes it available. We continue to monitor the situation and will provide updates as more information becomes available.
Details of the Vulnerability
Specifically, a critical command injection vulnerability (arising from arbitrary file creation) in the GlobalProtect feature of Palo Alto Networks PAN-OS firewall software, in PAN-OS versions 10.2, 11.0 and 11.1 with specific feature configurations, can be exploited by an unauthenticated attacker to execute arbitrary code with root privileges on the firewall. Command injection vulnerabilities typically occur when data enters the application from an untrusted source, that data becomes part of a string the application executes as a command, and executing that command gives the attacker a privilege or capability they would not otherwise have.
We have learnt that exploitation of this vulnerability can be automated. Palo Alto Networks initially said that the vulnerability affects firewalls that have both a GlobalProtect gateway (Network > GlobalProtect > Gateways) and device telemetry (Device > Setup > Telemetry) enabled. The vendor has since clarified that device telemetry does not need to be enabled for the software to be exposed to the attack.
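As an added illustration of the bug class named in the advisory title (arbitrary file creation leading to OS command injection), here is a hypothetical session handler in Python; it is not code from this page, from Palo Alto Networks or from Versa, and every name, path and check in it is an assumption. The vulnerable form lets an untrusted identifier reach a file name and then a shell command string; the hardened form allow-lists the identifier, pins the file inside its directory and passes the path to the subprocess as an argument list so no shell parses it.

```python
import re
import subprocess
import tempfile
from pathlib import Path

# Constructed example directory; a real appliance would use its own state path.
SESSION_DIR = Path(tempfile.gettempdir()) / "sessions-demo"


def vulnerable_build_cleanup_command(session_id: str) -> str:
    """Untrusted session_id becomes a file name and then part of a shell string.

    Nothing is written or executed here; the string is returned so the reader
    can see that a value such as 'abc;id' or '../x' is interpolated verbatim,
    which is exactly the data flow described in the text above.
    """
    path = SESSION_DIR / session_id          # no validation of the name
    return f"rm -f {path}"                   # would be handed to a shell as-is


# Allow-list: only characters a session identifier legitimately needs.
SAFE_ID = re.compile(r"^[A-Za-z0-9_-]{8,64}$")


def hardened_store_and_clean_session(session_id: str) -> list[str]:
    """Validate, confine the path, and never let a shell interpret the value."""
    if not SAFE_ID.fullmatch(session_id):
        raise ValueError("invalid session id")
    base = SESSION_DIR.resolve()
    path = (base / session_id).resolve()
    if path.parent != base:                  # defence in depth against traversal
        raise ValueError("path escapes session directory")
    base.mkdir(parents=True, exist_ok=True)
    path.write_text("placeholder")
    argv = ["rm", "-f", str(path)]           # argument list, not a shell string
    subprocess.run(argv, check=True)
    return argv


def rejects(session_id: str) -> bool:
    """Helper for checks: True if the hardened path refuses this identifier."""
    try:
        hardened_store_and_clean_session(session_id)
    except ValueError:
        return True
    return False
```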
Exploitation in the wild
Although Palo Alto Networks started releasing hotfixes on April 15 to secure unpatched firewalls exposed to attack, the vulnerability had been exploited in the wild as a zero-day since March 26 by a threat group believed to be state-sponsored and tracked as UTA0218, to backdoor firewalls with the Upstyle malware, pivot into internal networks and steal data.
Palo Alto Networks has also reported that it is aware of an increasing number of attacks actively exploiting this vulnerability. Proof-of-concept exploits for this vulnerability have been publicly disclosed by third parties. Threat researchers have found over 82,000 PAN-OS firewalls vulnerable to CVE-2024-3400, 40% of them in the United States. In response to the attacks, CISA issued an alert and added CVE-2024-3400 to its Known Exploited Vulnerabilities (KEV) catalog on Friday, ordering U.S. federal agencies to secure their devices within seven days, by April 19.
In addition, over the past five days (April 15 – 19), 16 unique IP addresses tagged as PALO ALTO PAN-OS CVE-2024-3400 RCE ATTEMPT have been observed attempting to exploit CVE-2024-3400, according to GreyNoise Intelligence, which publishes the list of observed IP addresses.
Interim Guidance
In an update to their advisory on April 16, Palo Alto Networks warned that previously shared mitigations have been found to be ineffective at protecting devices from the vulnerability.
“In earlier versions of this advisory, disabling device telemetry was listed as a secondary mitigation action. Disabling device telemetry is no longer an effective mitigation,” reads an update to the Palo Alto Networks security advisory.
“Device telemetry does not need to be enabled for PAN-OS firewalls to be exposed to attacks related to this vulnerability.”
Therefore, the best solution is to install the latest PAN-OS software update that fixes the vulnerability. Customers should continue to monitor the Palo Alto Networks security advisory for the latest updates and product guidance.
Versa Networks Protections for the PAN-OS GlobalProtect Vulnerability
The Security Research Team at Versa Networks plays a crucial role in protecting customers from vulnerabilities. Versa’s proactive approach to identifying, developing and implementing detection and protection rules is vital in blocking vulnerability exploits and helping our customers maintain strong security defenses against both known and zero-day attacks.
Versa Networks has identified the issue and added two signature IDs (SIDs) to protect customers against exploitation of the PAN-OS CVE and to mitigate any threats arising from exposure. The signatures are available in our latest Security Package (SPACK), version 2152:
SID (Signature Identifier)        CVE
1000019917, 1000019921            CVE-2024-3400
The signatures are part of the Versa recommended vulnerability profile, so customers will automatically receive protection. Versa recommends that customers running a custom vulnerability profile select and activate the signatures to get protection. Customers can visit our Support Center to obtain more information on SPACK 2152 and follow the forum.
Versa Networks customers benefit from enhanced protection provided through our Secure Service Edge (SSE) solution. Enterprise-wide protection from zero-day attacks is provided by:
Versa Zero Trust Network Access (ZTNA) – Versa ZTNA, a cloud-delivered VPN-replacement solution, delivers Zero Trust-based secure remote access for employees. With this solution, remote employees can securely connect to private applications anywhere, anytime. Versa ZTNA extends to local on-premises environments, and Zero Trust-based secure on-premises access is similarly enforced for users in the branch, campus or data center, limiting lateral movement of threats inside the network.
Versa Secure Internet Access (VSIA) with Secure Web Gateway, URL filtering and DNS security – Cloud-managed and cloud-delivered, VSIA secures enterprise sites, home offices and traveling users accessing distributed applications and the Internet without compromising security or user experience. URL filtering with IP reputation inspects all incoming and outgoing enterprise traffic for malicious exploits and known malicious domains, including those associated with the vulnerabilities, and blocks the associated IOCs.
Versa Next Generation Firewall (NGFW) with IPS and Advanced Threat Prevention – Provides comprehensive security coverage and can help block attacks arising from the vulnerabilities via security packs and sandboxing, together with other elements of the VSIA product offering.
Versa Data Loss Prevention (DLP) – Network DLP scanning of email and inline Web, SaaS, private and Internet applications detects and prevents exfiltration of sensitive information over the network. Versa Network DLP monitors, detects and blocks illegal or unauthorized exfiltration of data while it is in motion across the network, using multiple scanning methods across many discrete content types.
Conclusion
In recent years, the cybersecurity threat landscape has evolved dramatically. We are seeing increased participation from state-sponsored threat actors, and the application of AI has only increased the sophistication of attacks. In this environment, legacy VPNs, both standalone and as features of legacy firewalls, pose a serious threat to customer networks, as we have seen with the recent spate of critical vulnerabilities in Ivanti/Pulse Secure VPN, Citrix and Fortinet FortiOS appliances, and now PAN-OS GlobalProtect. Below we list the critical/severe VPN vulnerabilities that were recently disclosed:
Built on legacy architectures, these products actually increase the attack surface and provide fertile ground for hackers. Here are some architectural differences between VPN and Zero Trust-based network access that help explain why we are seeing so many critical zero-day vulnerabilities in VPNs:
Customers can protect their networks by replacing legacy VPNs with a Zero Trust-based approach to secure access, such as that provided by Versa ZTNA, and by embracing a Secure Service Edge (SSE) architecture that consolidates security, reduces lateral movement and blind spots, and enforces least-privilege access policies for maximum protection against attacks.
Indicators of Compromise (IOCs)
Below is the complete list of IP addresses and malicious files involved, with their hashes: