Last updated Monday, April 29, 2024, 22:07:49 GMT

On Friday, April 12, Palo Alto Networks published an advisory on CVE-2024-3400, a CVSS 10 zero-day vulnerability in several versions of PAN-OS, the operating system that runs on the company's firewalls. According to the vendor advisory, if the conditions for exploitability are met, the vulnerability may enable an unauthenticated attacker to execute arbitrary code with root privileges on the firewall. Patches are available for some versions as of Sunday, April 14, 2024.

Note: Initially, Palo Alto Networks' advisory indicated that customers were only vulnerable if they were using PAN-OS 10.2, PAN-OS 11.0, and/or PAN-OS 11.1 firewalls with the configurations for both GlobalProtect gateway (or GlobalProtect portal) and device telemetry enabled. As of Tuesday, April 16, the advisory has been updated to say, "Device telemetry does not need to be enabled for PAN-OS firewalls to be exposed to attacks related to this vulnerability."

Palo Alto Networks' advisory indicates that CVE-2024-3400 has been exploited in the wild in "a limited number of attacks." The company has given the vulnerability their highest urgency rating. Palo Alto Networks has published an in-depth blog on the scope of the attack, indicators of compromise, and adversary behavior observations. We strongly recommend reviewing it. Security firm Volexity, who discovered the zero-day vulnerability, also has a blog here with extensive analysis, indicators of compromise, and observed attacker behavior.

Mitigation guidance

CVE-2024-3400 was unpatched at the time of disclosure, but patches are available for some versions of PAN-OS as of Sunday, April 14. CVE-2024-3400 affects the following versions of PAN-OS when GlobalProtect (gateway or portal) is enabled:

  • PAN-OS 11.1 (prior to 11.1.2-h3)
  • PAN-OS 11.0 (prior to 11.0.4-h1)
  • PAN-OS 10.2 (prior to 10.2.7-h8, prior to 10.2.8-h3, prior to 10.2.9-h1)
  • Additional versions have been added to the advisory since it was first published

The vendor has updated their advisory as of April 16 to note that device telemetry does not need to be enabled for PAN-OS firewalls to be exposed to attacks related to this vulnerability. Palo Alto Networks' Cloud NGFW and Prisma Access solutions are not affected; nor are earlier versions of PAN-OS (10.1, 10.0, 9.1 and 9.0).
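As an added illustration of the version logic above (example code written for this article, not Palo Alto Networks' or Rapid7's tooling), the following Python checker takes PAN-OS version strings from a firewall inventory and classifies each one against the fixed versions listed above. It encodes only the releases named on this page and treats GlobalProtect gateway or portal being enabled as the exposure condition; later additions to the vendor advisory are not included, so a maintenance release newer than the listed patch levels is reported as unknown rather than fixed, and the inventory records are constructed sample data.

```python
import re

# Fixed (patched) PAN-OS versions as listed in this article. The vendor
# advisory has since added more versions; anything not covered here is
# reported as "unknown" rather than guessed.
FIXED_VERSIONS = ["11.1.2-h3", "11.0.4-h1", "10.2.7-h8", "10.2.8-h3", "10.2.9-h1"]

# Release streams the article states are not affected.
NOT_AFFECTED_STREAMS = {(10, 1), (10, 0), (9, 1), (9, 0)}

# PAN-OS versions look like 10.2.7 or 10.2.7-h8 (maintenance release plus hotfix).
VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:-h(\d+))?$")


def parse_version(text):
    """Return (major, minor, patch, hotfix); a missing hotfix counts as 0."""
    m = VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognized PAN-OS version string: {text!r}")
    major, minor, patch, hotfix = m.groups()
    return (int(major), int(minor), int(patch), int(hotfix or 0))


def assess(version, globalprotect_enabled=True):
    """Classify one firewall as not_exposed, not_affected, vulnerable, fixed or unknown."""
    v = parse_version(version)
    stream = v[:2]
    if not globalprotect_enabled:
        # The article states exposure requires GlobalProtect gateway or portal.
        return "not_exposed"
    if stream in NOT_AFFECTED_STREAMS:
        return "not_affected"
    fixes = [f for f in (parse_version(s) for s in FIXED_VERSIONS) if f[:2] == stream]
    if not fixes:
        return "unknown"          # release stream not listed on this page
    lowest_fixed_patch = min(f[2] for f in fixes)
    if v[2] < lowest_fixed_patch:
        return "vulnerable"       # older maintenance release than any listed fix
    for f in fixes:
        if f[2] == v[2]:
            # Same maintenance release: the hotfix number decides.
            return "fixed" if v[3] >= f[3] else "vulnerable"
    return "unknown"              # newer maintenance release than the page lists


def triage(inventory):
    """Map each (hostname, version, globalprotect_enabled) record to a verdict."""
    return {host: assess(ver, gp) for host, ver, gp in inventory}


# Constructed inventory records, not data from any real environment.
SAMPLE_INVENTORY = [
    ("fw-edge-01", "10.2.7-h8", True),
    ("fw-edge-02", "10.2.7", True),
    ("fw-dc-01", "11.1.2-h2", True),
    ("fw-lab-01", "10.1.9", True),
    ("fw-branch-03", "10.2.10", True),
    ("fw-mgmt-01", "11.0.3", False),
]

if __name__ == "__main__":
    for host, verdict in triage(SAMPLE_INVENTORY).items():
        print(f"{host:14s} {verdict}")
```

The point of the hotfix comparison is that a bare maintenance release such as 10.2.8 sorts below 10.2.8-h3 and is therefore still vulnerable; the "unknown" verdict is deliberate, because the vendor advisory remains the source of truth for versions this page does not enumerate.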

Important: Palo Alto Networks has been continually updating their advisory, which now has an extensive list of affected versions and when fixes are expected. For additional information and the latest remediation guidance, please refer to the vendor advisory as the source of truth.

Patches for CVE-2024-3400 were released on Sunday, April 14. Rapid7 recommends applying the vendor-supplied patches immediately, without waiting for a typical patch cycle to occur. If you are unable to patch, apply one of the below vendor-provided mitigations:

  • Customers with a Threat Prevention subscription can block attacks for this vulnerability by enabling Threat ID 95187 (introduced in Applications and Threats content version 8833-8682). In addition to enabling Threat ID 95187, customers should ensure vulnerability protection has been applied to their GlobalProtect interface to prevent exploitation of this issue on their device. More information is available here.
  • Note: While disabling device telemetry was initially mentioned as a temporary workaround, Palo Alto Networks said as of April 16 that disabling device telemetry is no longer an effective mitigation.

Palo Alto Networks has a knowledge base article here with their recommended remediation steps for exploited devices. We also recommend reviewing the indicators of compromise in Palo Alto Networks' blog and Volexity's blog.

Rapid7 customers

Authenticated vulnerability checks are available to InsightVM and Nexpose customers as of the Friday, April 12 content release. Since the vendor added more vulnerable versions to their advisory after it was originally published, our engineering team has updated our vulnerability check in the Wednesday, April 17 content release to be able to detect additional vulnerable versions of PAN-OS.

According to the vendor advisory, organizations that are running vulnerable firewalls and are concerned about potential exploitation in their environments can open a support case with Palo Alto Networks to determine if their device logs match known indicators of compromise (IoCs) for this vulnerability.

InsightIDR and Managed Detection and Response customers have existing detection coverage through Rapid7's expansive library of detection rules. Rapid7 recommends installing the Insight Agent on all applicable hosts to ensure visibility into suspicious processes and proper detection coverage. Below is a non-exhaustive list of detections that are deployed and will alert on post-exploitation behavior related to this zero-day vulnerability:

  • Attacker Technique - NTDS File Access
  • Attacker Technique: Renamed AnyDesk Binary in Non-Standard Location
  • Attacker Technique: Renamed EWSProxy in Non-Standard Location
  • Attacker Technique: Renamed AvastBrowserUpdate in Non-Standard Location
  • Attacker Tool - Unknown Raw File Copy Tool Used for Credential Dumping
  • Credential Access - Copying Credential Files Using Esentutl
  • Suspicious Process: A Single Character Executable in Root Intel Directory
  • Suspicious Process - Avast Executable Not in Program Files Directory
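To make two of the rule names above concrete, here is an added, simplified Python sketch written for this article. It is not Rapid7's detection logic and does not reflect how InsightIDR evaluates its rules; it only shows the shape of the patterns when applied to process-start telemetry: a watched tool identified by the PE original file name but started from a renamed file outside a standard install directory, and a single-character executable sitting directly in C:\Intel. The event fields, the notion of a "standard" directory and the sample records are all assumptions made for the example.

```python
import re
from dataclasses import dataclass


@dataclass
class ProcessEvent:
    """Minimal process-start record (fields and sample values constructed for this example)."""
    image_path: str           # full path of the executable that started
    original_file_name: str   # OriginalFilename from the PE version resource


# Tools named in the rule list above; matched on the PE's original file name
# so that renaming the file on disk does not hide it.
WATCHED_ORIGINAL_NAMES = {"anydesk.exe", "ewsproxy.exe", "avastbrowserupdate.exe"}

# Simplified notion of a "standard" install location, for this example only.
STANDARD_PREFIXES = ("c:\\program files\\", "c:\\program files (x86)\\", "c:\\windows\\")

# A one-character executable directly under C:\Intel (no deeper subdirectory).
SINGLE_CHAR_INTEL_RE = re.compile(r"^c:\\intel\\[a-z0-9]\.exe$")


def detect(event):
    """Return the names of the rules (approximating the list above) that match one event."""
    hits = []
    path = event.image_path.lower()
    basename = path.rsplit("\\", 1)[-1]
    original = event.original_file_name.lower()

    if original in WATCHED_ORIGINAL_NAMES:
        renamed = basename != original
        non_standard = not path.startswith(STANDARD_PREFIXES)
        if renamed and non_standard:
            hits.append(f"Attacker Technique: Renamed {event.original_file_name} in Non-Standard Location")

    if SINGLE_CHAR_INTEL_RE.match(path):
        hits.append("Suspicious Process: A Single Character Executable in Root Intel Directory")

    return hits


def scan(events):
    """Run every event through detect() and return (image_path, rule) pairs."""
    return [(e.image_path, rule) for e in events for rule in detect(e)]


# Constructed sample telemetry; none of these paths come from a real incident.
SAMPLE_EVENTS = [
    ProcessEvent(r"C:\Users\Public\svchost.exe", "AnyDesk.exe"),
    ProcessEvent(r"C:\Program Files (x86)\AnyDesk\AnyDesk.exe", "AnyDesk.exe"),
    ProcessEvent(r"C:\Intel\a.exe", "a.exe"),
    ProcessEvent(r"C:\Intel\Logs\a.exe", "a.exe"),
    ProcessEvent(r"C:\Windows\System32\svchost.exe", "svchost.exe"),
]

if __name__ == "__main__":
    for image_path, rule in scan(SAMPLE_EVENTS):
        print(f"{rule}  <-  {image_path}")
```

Keying the first pattern on the PE original file name rather than the on-disk name is what lets a rule survive the renaming it is looking for; a production rule would also consider publisher signature and parent process, which this sketch leaves out.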

Updates

Friday, April 12, 2024: Updated with links to Volexity's blog on in-the-wild exploitation and indicators of compromise, and to Palo Alto Networks' blog on the incident. Updated to note availability of vulnerability management (VM) content.

Monday, April 15, 2024: Updated to note that patches became available on Sunday, April 14. Updated to note that GlobalProtect portal is also a vulnerable configuration (in addition to GlobalProtect gateway).

Tuesday, April 16, 2024: Added more vulnerable PAN-OS 10.2.x versions from the updated vendor advisory. As of April 16, patches are available for some versions but not all; the advisory lists ETAs for fixes still in flight. Rapid7 vulnerability checks will be updated on April 17 to detect newly listed vulnerable versions of PAN-OS.

Tuesday, April 16, 2024: Updated to note that disabling device telemetry is no longer considered an effective mitigation; Palo Alto Networks now indicates that "device telemetry does not need to be enabled for PAN-OS firewalls to be exposed to attacks related to this vulnerability."

Wednesday, April 17, 2024: For InsightVM and Nexpose customers, vulnerability checks have been updated to detect additional vulnerable versions of PAN-OS. See the vendor advisory for the latest information.

Monday, April 22, 2024: Added a (non-exhaustive) list of detection rules that alert for InsightIDR and Rapid7 MDR customers.

Monday, April 29, 2024: Added a link to the Palo Alto Networks knowledge base article with recommendations on remediating exploited devices at the different levels of compromise the vendor has defined.