SOC Advisory – Updated Guidance – PAN OS command injection vulnerability

As you some of you may be aware, the strategies originally communicated from Palo Alto Networks (PAN) to mitigate risks associated with CVE-2024-3400 have not been entirely successful.

Secure-ISS have seen over the past 24 – 48 hour period various IOCs across PAN environments, even from environments with devices having the previously communicated mitigations in place.

Although the details from PAN on the actual compromise impacts are not substantial at this point, we are aware of the following:

1. The remote code execution works by installing scripts which watch file directories for filenames which it assumes are commands issued via the arbitary file creation exploit;
2. Where Palo Alto Networks have confirmed a device as compromised or (highly probable of compromise), the advice is to assume that all local credentials (on the device) have been compromised. This would include device management identities and Global protect identities.

Further, we could hypthosise that the following may be accomplished and accounts/ identities potentially compromised via activities including:

1. Web/ remote shells installed into the device;
2. Where webshells mimic GP landing pages, global protect user credentials may be captured and in-turn compromised;
3. Remote access could be brokered on the Dark web for devices that remain unpatched (via the exploited PANOS or a piece of code that remains undetected). There’s a known UPSTYLE Backdoor and the hosted python backdoor.
4. Data exfiltration as it relates to the configuration of the PAN device.

At this stage Secure-ISS do not believe that man in the middle style of attack have been successfully undertaken (i.e. to decrypt traffic passing through the compromised PAN devices). There is some evidence to suggest that compromised PAN devices are used as a beach head to enable lateral movement via RDP and SMB protocols into a target environment.

We would recommend that the following actions are taken to mitigate the exposure and risks associated with PAN devices. (Please see our prior advisories for impacted versions).

From a containment perspective, where PAN has confirmed or the partner suspects compromise.

(And) where a patch is not currently available nor applied:

1. Advise all GP users that they will not be able to access the environment via Global Protect until further advised.
2. Disable the PAN GP service (Gateway and Portal).
   Instructions: https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClbpCAC
3. Ensure that all Global Protect user passwords are reset (regardless of whether they are a local identity or federated with a primary/ external identity provider).
4. Ensure that all local (Palo) device passwords are reset.
5. Reduce your attack surface by reducing the accessibility of the WAN interface

Where a patch has been made available:

1. Follow PAN’s advice in relation to factory resetting the device and restoring the configuration. (please note that any telemetry will be deleted post factory reset and any IR or evidence/ artifact gathering should be completed prior). We summarise these recommendations below.
2. Reset all (PAN) device account passwords.
3. Ensure that all Global Protect user passwords are reset (regardless of whether they are a local identity or federated with a primary/ external identity provider).

PAN Advice, where device is or is likely compromised:

• Isolate the appliance
• Backup Device State
• Perform Factory Reset
• Restore the Device State
• Reset all local passwords to new and secure passwords.
• Take corrective actions: Apply remediation by applying Content 8833-8682 or higher and configuring vulnerability protection to the GlobalProtect interface.
  – https://wiki.secure-iss.com/en/Public/SOC/PAN-CVE-2024-3400
  – https://live.paloaltonetworks.com/t5/globalprotect-articles/applying-vulnerability-protection-to-globalprotect-interfaces/ta-p/340184
• Install the hotfix with a patch, check
  – https://security.paloaltonetworks.com/CVE-2024-3400 for more information.
• Regenerate all the keys for the system. This includes Certificates and Master Key. A few suggested links:
  – How to Create a Master Key on the CLI (https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClsbCAC)
  – Do master keys automatically get renewed? (https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000CmjsCAC)
  – Certificate Management (https://docs.paloaltonetworks.com/pan-os/10-2/pan-os-admin/certificate-management)

In either scenario above, we would ask that, where possible and you are a current SEM customer, send Secure-ISS a list of all identities that have access to Global Protect, so that we can ensure these are monitored in a priority fashion across the next few weeks, until we have further information to hand.

In addition to the changes above, ensure that you communicate to your users (that are using Global Protect to access your environment), that they remain vigilant to potential misuse of their credentials. Further, ensure that any applicable Security Awareness training is up to date.

Access Brokerage monitoring

Secure-ISS can monitor the Darkweb for any further communications in relation to access brokerage services in relation to your environment.

Further information on this service can be found here:
https://secure-iss.com/external-threat-and-reputational-monitoring/