PAN-OS vuln mitigation howler: “Disabling telemetry” no help
POCs for CVSS 10 bug are out of the bag, tens of thousands are exposed, and telemetry mitigation didn't work.
Palo Alto Networks has admitted in updated guidance that a mitigation it said would stymie exploitation of a critical VPN/firewall vulnerability did not work – and attacks in the wild are ramping up.
CVE-2024-3400 is being increasingly widely exploited as detailed analysis and proof-of-concept exploits for the pre-authentication RCE circulate.
Early attacks are believed to have been by a nation-state actor. With POCs available, attacks have now "transitioned to widespread and opportunistic."
A security advisory first landed Friday, April 12, after Volexity identified the CVSS 10 zero day during incident response and disclosed it to the vendor. Volexity says evidence of exploitation can be found in the following log files on the firewall:
/var/log/pan/gpsvc.log
/var/log/pan/md_out.log
/var/log/pan/device_telemetry_send.log
/var/log/syslog-system.log
/var/log/pan/mp-monitor.log
Volexity has also shared YARA rules for defenders.
Disabling PAN-OS telemetry: Not helpful...
Hot fixes started landing on Monday for PAN-OS 10.2.9-h1, PAN-OS 11.0.4-h1, PAN-OS 11.1.2-h3, and in all later PAN-OS versions.
More fixes are coming; details are in the vendor advisory.
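Because the fix is shipped as hotfix builds (the "-hN" suffix) on specific maintenance releases, a plain string comparison of version numbers gets this wrong. The following added example, not code from Palo Alto Networks or this article, parses a PAN-OS version string (optionally lifted from the "sw-version:" line of "show system info" output) and reports whether it is at or beyond the three hotfixes named above. Only those three hotfixes and the "all later versions" statement are encoded; since the article says more fixes are coming, a "vulnerable" result on another maintenance release means "check the current advisory", not a confirmed exposure.

```python
import re
from typing import Tuple

# Hotfix levels named in the article, keyed by (major, minor) branch.
# Value is (maintenance release, hotfix number) at which the fix landed.
FIXED_HOTFIXES = {
    (10, 2): (9, 1),   # PAN-OS 10.2.9-h1
    (11, 0): (4, 1),   # PAN-OS 11.0.4-h1
    (11, 1): (2, 3),   # PAN-OS 11.1.2-h3
}

VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:-h(\d+))?$")


def parse_panos_version(text: str) -> Tuple[int, int, int, int]:
    """Turn '11.1.2-h3' into (11, 1, 2, 3); a release with no hotfix gets hotfix 0."""
    match = VERSION_RE.match(text.strip())
    if not match:
        raise ValueError(f"unrecognised PAN-OS version string: {text!r}")
    major, minor, maint, hotfix = match.groups()
    return int(major), int(minor), int(maint), int(hotfix or 0)


def version_from_system_info(output: str) -> str:
    """Extract the sw-version value from 'show system info' CLI output."""
    for line in output.splitlines():
        key, sep, value = line.partition(":")
        if sep and key.strip() == "sw-version":
            return value.strip()
    raise ValueError("no sw-version line found in system info output")


def cve_2024_3400_status(version: str) -> str:
    """'fixed', 'vulnerable' (relative to the hotfixes listed in the article),
    or 'not covered' for branches the article does not mention."""
    major, minor, maint, hotfix = parse_panos_version(version)
    branch = (major, minor)
    if branch in FIXED_HOTFIXES:
        # Tuple comparison handles 10.2.9 (hotfix 0) < 10.2.9-h1 < 10.2.10 correctly.
        return "fixed" if (maint, hotfix) >= FIXED_HOTFIXES[branch] else "vulnerable"
    if branch > max(FIXED_HOTFIXES):
        return "fixed"          # the article: fixed in all later PAN-OS versions
    return "not covered"        # older branches: the article says nothing about them


if __name__ == "__main__":
    # Constructed sample of a 'show system info' excerpt, not a real device's output.
    sample = "hostname: fw-edge-01\nsw-version: 10.2.9\nmodel: PA-VM\n"
    ver = version_from_system_info(sample)
    print(ver, "->", cve_2024_3400_status(ver))
```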
Frustratingly for Blue Teams, early mitigation guidance from Palo Alto Networks claimed that turning off device telemetry prevented attacks, and many end-users followed that as a quick fix ahead of patching.
But on Tuesday Palo Alto Networks noted that “In earlier versions of this advisory, disabling device telemetry was listed as a secondary mitigation action. Disabling device telemetry is no longer an effective mitigation.”
Ramming it home, it said: “Device telemetry does not need to be enabled for PAN-OS firewalls to be exposed to attacks related to this vulnerability.”
The PAN-OS issue is a two-vulnerability exploit chain, analysis now shows.
Rapid7 and WatchTowr both have detailed analyses. Attackers are using the chain to remotely breach Palo Alto Networks devices, then move laterally into enterprise systems and steal data; initial analysis by Volexity showed attackers dropping a range of custom Python backdoors and other tools.
One Shodan search by a security researcher on April 14 suggested that four days after news of the CVSS 10 vulnerability in PAN-OS broke, over 40,000 Palo Alto Networks devices were still publicly exposed. Threat monitor Shadowserver puts it at over 156,000 PAN-OS instances.