Zscaler Blog

Get the latest Zscaler blog updates in your inbox

Subscribe
Security Research

Another CVE (PAN-OS Zero-Day), Another Reason to Consider Zero Trust

image
DEEPEN DESAI
April 12, 2024 - 10 min read

A Year of Critical Zero Days: Firewalls, VPNs, and more 

This past year has been, in many ways, the year of zero-day vulnerabilities for externally exposed assets — a trend that has laid bare some of the fundamental weaknesses of legacy architectures. In the past twelve months, we have witnessed back-to-back disclosures of zero-day vulnerabilities for critical assets that provide core access to the network — specifically VPNs and Firewalls. 

 

Today, CVE-2024-3400 was added to this list. This is a critical command injection vulnerability impacting Palo Alto Network’s PAN-OS software used in its GlobalProtect Gateway, which is a firewall service that facilitates VPN connectivity, among other things. The vulnerability has a CVSS score of 10.0, the maximum possible severity, because it is exploitable by an unauthenticated user. For particular PAN-OS versions and feature configurations, this flaw may allow attackers to execute arbitrary code with root privileges on the firewall. According to Palo Alto Networks, this vulnerability is being actively exploited in the wild. 

 

No individual vendor can be immune from vulnerabilities. However, what these zero-day attacks show is that legacy VPN & firewall-based architectures are vulnerable to a single point of failure, creating significant risk for organizations. One of the key differentiators of a true Zero Trust Architecture, meanwhile, is that it can dramatically reduce the attack surface of an organization. This is by making enterprises’ assets, applications, servers, devices, and more invisible to attackers — hiding them behind a cloud-proxy architecture — while entirely eliminating the need for such VPN and firewall products that are such frequent targets for attack. 

 

Attack Chain

 

Figure 1: The possible firewall-based attack chain enabled by the PAN-OS zero day vulnerability.

Figure 1: The possible firewall-based attack chain enabled by the PAN-OS zero-day vulnerability. 

 

Attack Scenario

The following attack scenario was compiled from several documented real-world execution cases against CVE-2024-3400 and represents one possible path for attackers. 

 

  • Initial Exploitation: the attackers scan for and exploit the command injection vulnerability.
  • Persistence: use Cron job to download additional tools, including UPSTYLE, a python-based backdoor, and reverse proxy tools such as GOST (GO Simple Tunnel).
  • Execution: Download and Execute commands from remote location by piping wget output to bash.
  • Lateral Movement: in at least ‌one case, attackers pivoted internally across the affected networks via SMB and WinRM.
  • Collection: the adversary attempted to obtain the domain backup DPAPI keys and targeted active directory credentials by obtaining the NTDS.DIT file. They further targeted user workstations to steal saved cookies and login data, along with users’ DPAPI keys. Next, the attacker copied configuration data from the firewall device. Additionally, Login data, cookies, and local state data for Chrome and Microsoft Edge were also compromised. This enabled the attacker to obtain the browser master key and decrypt sensitive data.
  • Exfiltration: The stolen data files were saved to an externally accessible web directory for later retrieval by the attacker.

Vendor Recommendations

Update 04/15/24: In response to this risk, Palo Alto Networks advises customers to apply hotfixes as soon as they are available. As of Apr 15, 2024, the following hotfixes are released: PAN-OS 10.2.9-h1, PAN-OS 11.0.4-h1, PAN-OS 11.1.2-h3. Customers are advised to temporarily disable device telemetry as an alternative mitigation of this vulnerability until the device is upgraded to a fixed PAN-OS version. Hotfixes for other commonly deployed maintenance versions are expected in the next 1-4 days. 

 

In response to this risk, Palo Alto Networks advises customers to temporarily disable device telemetry as an alternative mitigation of this vulnerability until the device is upgraded to a fixed PAN-OS version. Moreover, customers should monitor the network for any suspicious activity and follow security best practices.  

Affected Versions

Version

Affected Versions

PAN-OS 11.1

< 11.1.2-h3

PAN-OS 11.0

< 11.0.4-h1

PAN-OS 10.2

< 10.2.9-h1

 

 

The problem is legacy technology

The GlobalProtect vulnerability is the latest in a long line of VPN and Firewall-related security flaws. It’s April, and we have already seen critical CVEs for IvantiSonicwallFortiNet, and Cisco VPN solutions. This shows that the problem is not the vendor, but the vulnerable technology-driven legacy architecture that makes it a prime target for threat actors. VPNs were first used in 1996, a time when many of today’s complex and sophisticated cyberattacks did not exist. Traditional firewalls have been around even longer. Nearly three decades later, threat actors are still regularly finding ways to exploit these technologies.

 

These assets expose organizations to enormous risk due to the fact that:

 

  1. They are externally exposed — ‘if it's reachable, it's breachable’
  2. Their flawed architecture provides a beachhead into the corporate environments leading to lateral propagation, data exfiltration, compromising the entire environment.

 

The fundamental problem with VPNs and firewalls is they create a public-facing point of contact to the outside world. They present sophisticated threat actors an opportunity to attack your organization until they discover a way in — think zero-day vulnerabilities. They bring both your users as well as threat actors (in the event of a successful exploit) onto your network. Given the potential reward from a successful exploit, we will continue to see threat actors targeting VPNs and firewalls. 

 

Recent zero-day vulnerabilities in exposed VPNs and firewalls

 

One recent case of legacy architecture leading to zero-day exploits are the Ivanti vulnerabilities disclosed in December 2023. Multiple zero-day vulnerabilities in Ivanti’s VPN products were exploited by Chinese state-backed hackers taking advantage of flaws described in CVE-2023-46805 and CVE-2023-21887.  The adversaries used these vulnerabilities to perform authentication bypass and remote command injection. Once these flaws were patched, attackers bypassed the fixes by leveraging other vulnerabilities (CVE-2024-21888). The workarounds used to circumvent the initial patch allowed attackers to enable privilege escalation and perform server-side request forgery. 

In February 2024, CISA released another VPN-related alert about an attack on Cisco’s Adaptive Security Appliance (ASA) and Firepower Threat Defense (FTD). In this case, the Akira ransomware group exploited a vulnerability (CVE-2020-3259) to steal information by leveraging misconfigured instances of WebVPN/AnyConnect. These repeated zero day attacks on VPN show that the real issue is the outdated architecture, not the specific vendors involved.

How zero-day threats enable the four-stage attack sequence

 

Enterprises should understand that attackers target vulnerabilities in their exposed, internet-connected assets. This includes firewalls and VPNs, which are among the primary vectors used to breach organizations and steal their data. Moreover, it is not only these initial assets that expose enterprises to enormous risk — it is also the underlying network architecture, which allows attackers, once they have compromised these initial assets, to move laterally, find enterprises’ most critical applications and data stores, and steal their data. 

 

  1. Reconnaissance. Attackers scan for critical vulnerabilities in the external enterprise attack surface, including zero-day vulnerabilities in VPNs and firewalls. 
  2. Initial compromise. Threat actors exploit these VPN and firewall vulnerabilities to gain initial access to enterprises devices and the network. 
  3. Move laterally. Attackers establish persistence and move laterally across the network, scanning for high-value assets, stealing other credentials, and compromising additional systems.  
  4. Steal data. Once threat actors have compromised your critical assets and data, they will work to exfiltrate it from the network. In the case of ransomware, attackers may additionally deploy ransomware, often leveraging a domain controller, to bring down the victim’s environment. 
Figure 3. The four-stage attack sequence.

Figure 3. The four-stage attack sequence. 

 

How can enterprises reduce the impact of zero-day attacks? 

 

While it will always be essential for enterprises to patch critical vulnerabilities, the only meaningful way to stay ahead of these types of zero-day attacks is for organizations to adopt a zero trust architecture. Avoid them altogether, from a first principles perspective. Here are some fundamental zero trust principles that organizations can adopt to mitigate the risks of exposed assets like VPNs, firewalls, and more. 

 

Eliminate Your Attack Surface: Implement Zero Trust. While the term ‘zero trust’ is heavily used (and abused), it’s for good reason: zero trust principles, and their accompanying architecture, represent the only way enterprises can overcome the risks associated with legacy networks, including vulnerabilities in firewalls and VPNs. These principles are not merely buzzwords applied to legacy products (virtualized VPNs and Firewalls are not zero trust) — they are goals that require technological transformation and a cloud-first approach to accomplish. 

 

Per the NSA Zero Trust Security Model, there are three fundamental principles enterprises should adopt. 

 

  1. Never trust, always verify. Enterprises should treat every user, device, application, workload, or data flow as untrusted. Moreover, enterprises should never connect users to the underlying network, but directly to applications using a cloud-proxy architecture. 
  2. Assume a breach has happened. Particularly given the recent pace of zero day vulnerability disclosures, enterprises should operate with an assumption that threat actors have already gained persistence in their environment and defend their crown jewel applications — where their most critical data is stored — accordingly. 
  3. Verify Explicitly with least privilege access. Enterprises should allow trust only after seven layers of zero trust security, identity, and contextual attributes have been established. 

 

Figure 4. Seven layers of security enabled with a Zero Trust architecture (in this case the Zscaler Zero Trust Exchange).

Figure 4. Seven layers of security enabled with a Zero Trust architecture (in this case the Zscaler Zero Trust Exchange). 

 

In practice, a zero trust architecture is fundamentally different from those built on firewalls and VPNs. Compared to traditional, perimeter-based networking approaches, which place users on the enterprise network, a zero trust architecture enables one-to-one connectivity between requesters and resources. This could include, for instance, users connecting to applications, but it could also enable connectivity between workloads, branch locations, remote users and operational technology (OT) systems, and much more. 

 

A cloud native, proxy-based zero trust architecture like the Zscaler Zero Trust Exchange:

 

  • Minimizes the attack surface by eliminating firewalls, VPNs, and public-facing IP addresses, allowing no inbound connections, and hiding apps behind a zero trust cloud. 
  • Stops compromise by leveraging the power of the cloud to inspect all traffic, including encrypted traffic at scale, in order to enforce policies and stop threats in real-time. 
  • Eliminates lateral threat movement by connecting entities to individual IT resources instead of extending access to the entire network. 
  • Blocks data loss by enforcing policies across all potential leakage paths (including encrypted traffic), protecting data in motion, data at rest, and data in use.

 

Best practices for enterprises

In light of these recent zero-day vulnerabilities, it is imperative that enterprises employ the following best practices to fortify their organization against potential exploits:

 

  • Minimize the attack surface: make apps (and vulnerable VPNs) invisible to the internet, and impossible to compromise, ensuring an attacker can’t gain initial access.
  • Prevent initial compromise: inspect all traffic in-line to automatically stop zero-day exploits, malware, or other sophisticated threats.
  • Enforce least-privileged access: restrict permissions for users, traffic, systems, and applications using identity and context, ensuring only authorized users can access named resources.
  • Block unauthorized access: use strong multi-factor authentication (MFA) to validate user access requests. 
  • Eliminate lateral movement: connect users directly to apps, not the network, to limit the blast radius of a potential incident.
  • Shutdown compromised users and insider threats: enable inline inspection and monitoring to detect compromised users with access to your network, private applications, and data.
  • Stop data loss: inspect data in motion and data at rest to stop active data theft during an attack.
  • Deploy active defenses: leverage deception technology with decoys and perform daily threat hunting to derail and capture attacks in real time.
  • Test your security posture: get regular third-party risk assessments and conduct purple team activities to identify and harden the gaps in your security program. Request that your service providers and technology partners do the same and share the results of these reports with your security team.

 

Conclusion

Today’s zero-day vulnerability impacting Palo Alto Network’s GlobalProtect Gateway product represents yet another unfortunate milestone in a clear enterprise trend: traditional, perimeter-based approaches to security and networking face systemic, not temporary, security weaknesses that cannot be waved away with any single security patch. Of course, no vendor can be immune from software defects and vulnerabilities. However, given the back-to-back CVEs impacting firewalls, VPNs, supply chain tools, and more, it should be clear to security leaders and practitioners that zero trust security is crucial. Adopting a cloud-delivered zero trust architecture removes the attack surface created by legacy technology. Denying attackers their traditional beachheads — the vulnerabilities in VPNs, firewalls, and the like — is key for creating a more robust and secure environment.   

References

https://www.volexity.com/blog/2024/04/12/zero-day-exploitation-of-unauthenticated-remote-code-execution-vulnerability-in-globalprotect-cve-2024-3400/

https://unit42.paloaltonetworks.com/cve-2024-3400/

 

If you are concerned about these vulnerabilities, please contact Zscaler at [email protected] for a free external attack surface assessment as well as professional consultation on how you can migrate from legacy architectures to Zero Trust. 

 

Acknowledgement for analysis: Atinderpal Singh, Will Seaton

form submtited
Thank you for reading

Was this post useful?

Get the latest Zscaler blog updates in your inbox

By submitting the form, you are agreeing to our privacy policy.