Update April 22nd, 2024
CyCognito integrated an active test for this vulnerability into our platform on April 21st, 2024 and will continue to alert customers if vulnerable assets are identified. As of April 22nd, 2024, 99.5% of CyCognito customers’ potentially vulnerable assets are confirmed as not vulnerable.
While Palo Alto Networks has not released patches for all affected versions, CyCognito has conducted active tests across all customer realms and 97.5% of CyCognito customers’ affected devices are no longer exploitable.
On April 12th, Palo Alto Networks announced threat intelligence and incident response firm Volexity’s discovery of a command injection vulnerability in the GlobalProtect feature of Palo Alto Networks PAN-OS software, CVE-2024-3400. This vulnerability allows unauthenticated attackers to execute arbitrary code with root privileges on the firewall in some PAN-OS versions. In at least one case, an attacker (tracked as UTA0218) was able to leverage this vulnerability as an entry point and began moving laterally within an affected organization.
Currently, only firewalls running PAN-OS 10.2, PAN-OS 11.0, or PAN-OS 11.1 that are configured with a GlobalProtect gateway and/or GlobalProtect portal, and that also have device telemetry enabled, are affected.
Users can verify if their firewalls have been configured with a GlobalProtect gateway or GlobalProtect portal by checking for entries in the firewall web interface using Network > GlobalProtect > Gateways or Network > GlobalProtect > Portals. To check if device telemetry has been enabled, check your firewall web interface using Device > Setup > Telemetry.
While Cloud NGFW firewalls are not affected by this vulnerability, some PAN-OS versions and feature configurations of firewalls deployed in the cloud may be impacted.
Starting on April 14th, Palo Alto Networks began publishing hotfixes for CVE-2024-3400. As of April 15th, these fixes cover versions PAN-OS 10.2.9-h1, PAN-OS 11.0.4-h1, PAN-OS 11.1.2-h3, and later but do not cover earlier versions. Additional hotfixes for earlier versions are expected.
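To turn the affected-version, configuration, and hotfix conditions above into a repeatable triage check over a device inventory, here is an added example (not CyCognito's or Palo Alto Networks' code). It parses PAN-OS version strings including the "-hN" hotfix suffix and classifies each firewall using only the branches, fixed versions, and feature conditions stated in this post; the sample inventory is constructed.

```python
import re
from typing import Tuple

# Minimum fixed hotfix per affected PAN-OS branch, as listed in the post (as of April 15th, 2024).
FIXED_VERSIONS = {
    (10, 2): "10.2.9-h1",
    (11, 0): "11.0.4-h1",
    (11, 1): "11.1.2-h3",
}

# PAN-OS versions look like "major.minor.maintenance" with an optional "-hN" hotfix suffix.
_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:-h(\d+))?$")


def parse_panos_version(version: str) -> Tuple[int, int, int, int]:
    """Turn '10.2.9-h1' into (10, 2, 9, 1). A release with no hotfix suffix gets hotfix 0,
    so plain tuple ordering matches PAN-OS ordering: 10.2.9 < 10.2.9-h1 < 10.2.10."""
    m = _VERSION_RE.match(version.strip())
    if not m:
        raise ValueError(f"unrecognized PAN-OS version string: {version!r}")
    major, minor, maint, hotfix = m.groups()
    return int(major), int(minor), int(maint), int(hotfix or 0)


def assess_cve_2024_3400(version: str, globalprotect_enabled: bool,
                         telemetry_enabled: bool) -> str:
    """Classify one firewall using the conditions stated in the post: affected branch,
    GlobalProtect gateway/portal configured, and device telemetry enabled."""
    parsed = parse_panos_version(version)
    branch = parsed[:2]
    if branch not in FIXED_VERSIONS:
        return "not-affected-version"      # branch is not in the affected list (e.g. 10.1.x)
    if parsed >= parse_panos_version(FIXED_VERSIONS[branch]):
        return "fixed"                     # at or above the hotfix for this branch
    if not (globalprotect_enabled and telemetry_enabled):
        return "not-exploitable-config"    # affected branch, but required features not enabled
    return "vulnerable"                    # affected branch, no hotfix, exploitable configuration


if __name__ == "__main__":
    # Constructed sample inventory (hostname, version, GlobalProtect, telemetry); not real devices.
    inventory = [
        ("fw-edge-01", "10.2.9", True, True),
        ("fw-edge-02", "10.2.9-h1", True, True),
        ("fw-dc-01", "11.1.2-h2", True, False),
        ("fw-lab-01", "10.1.9", True, True),
    ]
    for host, ver, gp, tel in inventory:
        print(f"{host:12} {ver:10} {assess_cve_2024_3400(ver, gp, tel)}")
```

The result is only as accurate as the inventory feeding it, so confirm the GlobalProtect and telemetry settings in the firewall web interface as described above, and update FIXED_VERSIONS as further hotfixes are released.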
Palo Alto Networks has stated that they are “aware of a limited number of attacks that leverage the exploitation of this vulnerability.” Palo Alto Networks Unit42 is currently tracking this incident as Operation MidnightEclipse.
Volexity has identified one potentially state-backed threat actor – UTA0218 – exploiting this vulnerability. Organizations can anticipate a flurry of attempted exploitations as CVE-2024-3400 becomes more widely known.
As soon as this vulnerability was published, CyCognito identified potentially affected assets that were exposed to attackers. Over the weekend, affected customers received a list of externally exposed assets vulnerable to CVE-2024-3400. In addition, all customers can view an in-platform emerging security issue announcement. The CyCognito platform uses both passive scanning and active testing techniques to identify vulnerable assets.
Figure 1: The alert sent by CyCognito for CVE-2024-3400
Over 50% of CyCognito customers use at least one externally exposed Palo Alto Networks product. CyCognito found that the average customer with exposed Palo Alto Networks assets had at least 13 potentially vulnerable devices, but Fortune 100 enterprises were much more heavily exposed, with up to 150 different networks leveraging Palo Alto Networks GlobalProtect. Each of these assets likely serves a different subsidiary part of the larger corporate entity.
CVE-2024-3400 poses the greatest risk to enterprise organizations due to a greater likelihood of undermanaged or unknown affected assets in these organizations. Our previous research indicates that organizations are unaware of 10-30% of their subsidiaries before they begin managing their exposed attack surface with CyCognito. For enterprises leveraging Palo Alto Networks’ GlobalProtect product, that could leave dozens of assets undiscovered, untested, and unpatched.
Whether it’s because of unknown or under-managed assets, a lack of fix validation, or an inability to effectively detect a vulnerability, security issues can linger in the attack surface for months or years. When new organizations begin using CyCognito, we often find that even organizations with best-in-class security teams still have undiscovered and untested exploitable critical vulnerabilities affecting vital systems because their attack surface was never fully mapped and tested.
Although the vulnerabilities below were published over 18 months ago, CyCognito found assets that were still vulnerable to these critical issues today.
These vulnerable assets underscore how critical it is for organizations to quickly identify, prioritize and remediate severe issues – in some cases, attackers have had years of opportunities to leverage these vulnerabilities to extract data, deploy ransomware, or reach targets within the affected organization.
Relying on legacy stacks of vulnerability management combined with pen-testing and external attack surface management leaves critical exposures unmanaged and unremediated for years. When assessing whether organizations are prepared for vulnerabilities like CVE-2024-3400, consider four key exposure management metrics:
CyCognito is an exposure management platform that reduces risk by discovering, testing and prioritizing security issues. The platform scans billions of websites, cloud applications and APIs and uses advanced AI to identify the most critical risks and guide remediation. Emerging companies, government agencies and Fortune 500 organizations rely on CyCognito to secure and protect from growing threats. Want to see how it works? Check out our website and explore our platform with a self-guided, interactive dashboard product tour. To learn how CyCognito can help you understand your external attack surface and exposed risks, please visit our Contact Us page to schedule a demo.
Emma Zaballos is an avid threat researcher who is passionate about understanding and combatting cybercrime threats. Emma enjoys monitoring dark web marketplaces, profiling ransomware gangs, and using intelligence for understanding cybercrime.