
Weekly Digest Week 16 – 2024

Publication date

19.04.2024

Palo Alto Networks Warns About Critical Zero-Day in PAN-OS

Palo Alto Networks has alerted users to a zero-day vulnerability in its PAN-OS software, specifically affecting its GlobalProtect gateways. The flaw is a command injection vulnerability with the identifier CVE-2024-3400, carrying a severity score of 10.0.

Affected PAN-OS versions include:

  • PAN-OS < 11.1.2-h3
  • PAN-OS < 11.0.4-h1
  • PAN-OS < 10.2.9-h1

Exploitation of this vulnerability requires specific configurations for both GlobalProtect gateway and device telemetry. Although there are limited active exploitation instances, Palo Alto Networks has recommended mitigation steps, such as applying a vulnerability protection security profile and enabling Threat ID 95187 for customers with a Threat Prevention subscription.

Analysis from our SOC team
As indicated in the article, CVE-2024-3400, with a CVSS score of 10.0, is being exploited in the wild. Even if exploitation is limited for the moment, it could broaden in the future as described in the article. Palo Alto Networks has also described the mitigation steps above for those who are not able to upgrade their systems.

It is recommended to upgrade the affected versions as follows:

  • PAN-OS 11.1 ==> 11.1.2-h3
  • PAN-OS 11.0 ==> 11.0.4-h1
  • PAN-OS 10.2 ==> 10.2.9-h1
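As an added example (not from the article or from Palo Alto Networks), a small inventory check that encodes the fixed versions listed above: it parses PAN-OS version strings including the `-hN` hotfix suffix, compares each device against the fixed build of its own release train, and leaves trains the advisory does not name unclassified. The hostnames and versions in the sample inventory are invented.

```python
import re

# Fixed releases named in the advisory (values from the article); a device is
# affected when it runs an earlier build of the same release train.
FIXED_VERSIONS = {
    (11, 1): "11.1.2-h3",
    (11, 0): "11.0.4-h1",
    (10, 2): "10.2.9-h1",
}

_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:-h(\d+))?$")


def parse_panos_version(version):
    """Turn '11.1.2-h3' into the comparable tuple (11, 1, 2, 3).

    A base release carries an implicit hotfix of 0, so '11.1.2' -> (11, 1, 2, 0)
    and sorts below '11.1.2-h3'.
    """
    m = _VERSION_RE.match(version.strip())
    if not m:
        raise ValueError(f"unrecognised PAN-OS version: {version!r}")
    major, minor, maint, hotfix = m.groups()
    return (int(major), int(minor), int(maint), int(hotfix or 0))


def panos_status(version):
    """Classify one version: ('vulnerable'|'fixed'|'unlisted-train', fixed build or None)."""
    parsed = parse_panos_version(version)
    fixed = FIXED_VERSIONS.get(parsed[:2])
    if fixed is None:
        # Release trains not named in the advisory excerpt are not classified here.
        return ("unlisted-train", None)
    if parsed < parse_panos_version(fixed):
        return ("vulnerable", fixed)
    return ("fixed", fixed)


def audit_inventory(devices):
    """devices: {hostname: version}; returns {hostname: (status, fixed build)}."""
    return {host: panos_status(ver) for host, ver in devices.items()}


# Constructed sample inventory (hostnames and versions invented for the example).
SAMPLE_INVENTORY = {
    "fw-hq-1": "11.1.2-h2",
    "fw-hq-2": "11.1.2-h3",
    "fw-dc-1": "10.2.8",
    "fw-branch": "11.0.4",
}
```

The version check says nothing about whether the GlobalProtect gateway and device telemetry configurations the advisory mentions are present, so read a "vulnerable" result as "patch or apply the mitigations", not as proof of exposure.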

Approach SOC team can assist you in the event of an incident or suspected compromise.


A critical flaw in PuTTY SSH and Telnet client versions 0.68 to 0.80, designated as CVE-2024-31497, poses a serious risk to private key security. The vulnerability allows attackers to recover NIST P-521 private keys, compromising the integrity of secure connections.

Attackers, armed with a handful of signed messages and the public key, can exploit this flaw to recover private keys, enabling them to forge signatures and potentially gain unauthorized access to servers.

Affected products include PuTTY-based applications like FileZilla, WinSCP, TortoiseGit, and TortoiseSVN within specified version ranges. Mitigations include updating to patched versions of affected software or configuring TortoiseSVN to use the latest PuTTY release until a fix is available.

Analysis from our SOC team
The article does not indicate whether CVE-2024-31497 is being actively exploited, but the publication of the CVE will draw the attention of threat actors.

In response to the issue, updates have been released for PuTTY (version 0.81), FileZilla (version 3.67.0), WinSCP (version 6.3.3), and TortoiseGit (version 2.15.0.1).

Users are urged to revoke compromised keys from all relevant platforms to mitigate risks associated with the vulnerability.
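As an added illustration (not from the article or the PuTTY project), an inventory check for the key type the flaw affects: it parses an `authorized_keys` file, reads the algorithm name stored inside each key blob rather than trusting the declared type, and lists the P-521 entries that should be revoked and replaced. The file contents are constructed sample data with dummy points, not real keys.

```python
import base64
import shlex
import struct

# The key type CVE-2024-31497 puts at risk (NIST P-521 ECDSA); other types are unaffected.
AFFECTED_KEY_TYPE = "ecdsa-sha2-nistp521"
KEY_TYPE_PREFIXES = ("ssh-", "ecdsa-", "sk-")


def parse_authorized_keys(text):
    """Yield (declared_type, base64_blob, comment) for each key entry; skip comments."""
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        tokens = shlex.split(line)  # keeps quoted options such as command="..." whole
        for i, tok in enumerate(tokens):
            # Leading tokens may be options; the key type is the first token
            # that looks like an SSH algorithm name.
            if tok.startswith(KEY_TYPE_PREFIXES) and i + 1 < len(tokens):
                yield tok, tokens[i + 1], " ".join(tokens[i + 2:])
                break


def blob_key_type(b64):
    """Read the key type stored inside the blob (its first length-prefixed string)."""
    blob = base64.b64decode(b64)
    (n,) = struct.unpack(">I", blob[:4])
    return blob[4:4 + n].decode("ascii")


def find_p521_keys(text):
    """Return the comments of entries whose blob is really P-521, whatever the line declares."""
    return [comment for _declared, b64, comment in parse_authorized_keys(text)
            if blob_key_type(b64) == AFFECTED_KEY_TYPE]


def _constructed_blob(key_type, curve):
    """Build a syntactically valid ECDSA key blob with an all-zero dummy point (sample data only)."""
    field = lambda b: struct.pack(">I", len(b)) + b
    point = b"\x04" + b"\x00" * (132 if curve == "nistp521" else 64)
    return base64.b64encode(field(key_type.encode()) + field(curve.encode()) + field(point)).decode()


# Constructed sample file: two P-521 entries (one with options) and one P-256 entry.
SAMPLE_AUTHORIZED_KEYS = "\n".join([
    "# constructed sample, not real keys",
    f"{AFFECTED_KEY_TYPE} {_constructed_blob(AFFECTED_KEY_TYPE, 'nistp521')} alice@laptop",
    f'from="10.0.0.0/8",command="/usr/bin/backup" {AFFECTED_KEY_TYPE} '
    f"{_constructed_blob(AFFECTED_KEY_TYPE, 'nistp521')} backup-job",
    f"ecdsa-sha2-nistp256 {_constructed_blob('ecdsa-sha2-nistp256', 'nistp256')} bob@desk",
])
```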

Cisco Talos has issued a cautionary alert regarding a significant uptick in brute-force attacks directed at VPN services, SSH services, and web application authentication interfaces.

These attacks involve the use of common and valid usernames in attempts to gain initial access to targeted environments. Notably, the targets of these assaults seem to be random and widespread, affecting various industries and geographic locations.

Organizations using Cisco Secure Firewall VPN devices and technologies from several other vendors, including Check Point VPN, Fortinet VPN, SonicWall VPN, Mikrotik, and Draytek, are among those impacted. Successful attacks of this nature could result in unauthorized network access, account lockouts, or denial-of-service conditions, depending on the target environment.

The recent wave of assaults aligns with the growing interest among threat actors in exploiting vulnerabilities in VPNs and other remote access technologies used by organizations.

A study revealed a staggering 875% increase in discovered vulnerabilities in VPN products between 2020 and 2024.

Analysis from our SOC team
This surge in attacks underscores the critical need for organizations to remain vigilant and implement robust security measures to defend against evolving threats targeting their VPN infrastructure.

Organizations are advised to focus on implementing robust password policies or exploring passwordless authentication mechanisms to safeguard access to their networks.

Also, enabling logging on devices, securing default remote access VPN profiles, and implementing measures to block connection attempts from malicious sources could prevent potential compromise.
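As an added example (not part of the article), the kind of check that the logging recommendation above makes possible: it walks a few constructed OpenSSH authentication log lines, counts failed logins per source address, and separates password spraying across many usernames from repeated attempts against a single account. Hostnames and addresses are invented sample data (RFC 5737 documentation ranges), and the thresholds are illustrative.

```python
import re
from collections import defaultdict

# Matches OpenSSH "Failed password" lines, for both existing and "invalid user" accounts.
FAILED_RE = re.compile(
    r"sshd\[\d+\]: Failed password for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>\d{1,3}(?:\.\d{1,3}){3}) port \d+"
)

# Constructed sample log (documentation addresses, not real traffic).
SAMPLE_LOG = """\
Apr 15 10:01:02 vpn-gw sshd[4101]: Failed password for invalid user admin from 203.0.113.5 port 51234 ssh2
Apr 15 10:01:03 vpn-gw sshd[4102]: Failed password for invalid user test from 203.0.113.5 port 51235 ssh2
Apr 15 10:01:04 vpn-gw sshd[4103]: Failed password for root from 203.0.113.5 port 51236 ssh2
Apr 15 10:01:05 vpn-gw sshd[4104]: Failed password for invalid user guest from 203.0.113.5 port 51237 ssh2
Apr 15 10:01:06 vpn-gw sshd[4105]: Failed password for alice from 203.0.113.5 port 51238 ssh2
Apr 15 10:02:10 vpn-gw sshd[4110]: Failed password for alice from 198.51.100.7 port 40001 ssh2
Apr 15 10:02:12 vpn-gw sshd[4111]: Accepted password for alice from 198.51.100.7 port 40002 ssh2
Apr 15 10:03:00 vpn-gw sshd[4120]: Failed password for bob from 192.0.2.9 port 33000 ssh2
Apr 15 10:03:01 vpn-gw sshd[4121]: Failed password for bob from 192.0.2.9 port 33001 ssh2
Apr 15 10:03:02 vpn-gw sshd[4122]: Failed password for bob from 192.0.2.9 port 33002 ssh2
"""


def summarise_failures(log_text):
    """Map each source IP to [failure count, set of usernames tried]."""
    per_ip = defaultdict(lambda: [0, set()])
    for line in log_text.splitlines():
        m = FAILED_RE.search(line)
        if m:
            per_ip[m["ip"]][0] += 1
            per_ip[m["ip"]][1].add(m["user"])
    return per_ip


def detect_brute_force(log_text, min_failures=3, min_users=3):
    """Return {ip: 'spray'} for sources cycling through many usernames and
    {ip: 'brute-force'} for sources hammering one account; quiet sources are omitted."""
    alerts = {}
    for ip, (count, users) in summarise_failures(log_text).items():
        if count < min_failures:
            continue
        alerts[ip] = "spray" if len(users) >= min_users else "brute-force"
    return alerts
```

A single failed login from a source that then authenticates successfully (198.51.100.7 in the sample) stays below the threshold, which is the distinction that keeps this from locking out legitimate users.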

Approach SOC team can assist you in the event of an incident or suspected compromise.

Ivanti Avalanche, an enterprise mobile device management system, faces a critical security threat with the discovery of two heap overflow vulnerabilities, designated as CVE-2024-24996 and CVE-2024-29204. These vulnerabilities, rated at a severity level of 9.8 according to the Common Vulnerability Scoring System (CVSS), could potentially result in remote code execution (RCE).

Successful exploitation of these vulnerabilities could allow unauthenticated remote attackers to execute arbitrary commands, posing severe risks to affected systems.

It’s crucial to note that while updating to the latest version may prevent future exploitation, it does not address any historical compromise that may have already occurred. Organizations are encouraged to remain vigilant and report any incidents via the provided incident reporting link.

This advisory underscores the critical importance of promptly applying patches and implementing robust security measures to mitigate the risks posed by these vulnerabilities in Ivanti Avalanche <6.4.3.

Analysis from our SOC team
There have been no reported exploits of these vulnerabilities yet, but their potential impact on systems necessitates immediate action.

CVE-2024-24996 affects the WLInfoRailService component, while CVE-2024-29204 affects the WLAvalancheService component of the affected software.

The latest v6.4.3 update from Ivanti addresses a total of twenty-five vulnerabilities, including these critical ones.

Organizations are advised to prioritize the installation of updates for vulnerable devices and to conduct thorough testing before deployment. Additionally, organizations are urged to enhance monitoring and detection capabilities to swiftly identify any suspicious activity and respond effectively in case of intrusion.

