Identify, Respond, & Protect - Defending yourself from the newly disclosed Palo Alto PAN-OS CVE
April 25, 2024 | 3 min read
Joel Molinoff
Global Head of Supply Chain Defense
How to quickly identify exposed assets, in your own estate and your vendors', and mitigate against the threat actors actively exploiting it.
On April 12th, Palo Alto Networks disclosed a maximum-severity vulnerability in the GlobalProtect feature of PAN-OS. There was clear evidence that it had been actively exploited as early as March 26th. When exploited, the vulnerability allows an unauthenticated attacker to execute arbitrary code with root privileges on the firewall. Palo Alto Networks initially expected hotfixes on April 14th; hotfixes for the affected PAN-OS versions began shipping from that date, and the advisory was revised repeatedly afterward, including the withdrawal of the initial interim mitigation (disabling device telemetry), which was later found not to be effective.
In these situations, it is critical to follow vendor advisories as they are updated, not just as first announced, to ensure proper remediation. New findings, revised fix versions, and withdrawn mitigations are typical when a novel vulnerability is being worked in public. BlueVoyant closely monitors incidents like this for our clients, covering their own systems as well as their vendor and supplier systems. Once a vulnerability of this kind is announced, attackers develop or adapt exploits almost immediately. The result is a race that requires quick mitigation and remediation to keep your organization's network and extended supply chain from being compromised.
Within fifty-five minutes of the Palo Alto vulnerability announcement, BlueVoyant’s Risk Operations Center (ROC) began notifying clients of their impacted vendors. Ninety-three percent of clients had one or more vendors impacted by the vulnerability, which equated to 2,604 impacted vendors.
This quick analysis and alerting, supported by the ROC’s interaction with vendors on behalf of our clients, gives companies the ability to identify and respond to zero-days affecting vendors critical to their operations. As patching information was released or updated, BlueVoyant continued to provide immediate critical guidance to customers, adjusting our own detection logic as necessary.
BlueVoyant SCD CVE Response
BlueVoyant Supply Chain Defense (SCD) rapidly identifies instances of emerging vulnerabilities across an organization’s entire third-party attack surface, and with the support of expert analysts in our ROC, collaborates directly with supply chain vendors to ensure mitigations have taken place.
At the time of notification for the Palo Alto zero-day, no patch was available. Given the nature of the exploit (unauthenticated remote code execution as root on an internet-facing device), the only safe assumption was compromise: external checks can sometimes confirm that a device has been compromised, but they cannot rule it out.
To identify the extent of our clients' supply chain cyber risk exposure, we used our own external method of directly fingerprinting client and vendor infrastructure for vulnerable PAN-OS versions. Once we had the details needed to reach the level of accuracy this demanded, ROC analysts immediately began messaging clients about affected assets, how to mitigate the vulnerability, and the follow-up actions required.
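The practical core of this kind of exposure check is comparing each device's PAN-OS version against the first fixed build on its release train, and that comparison is easy to get wrong: PAN-OS versions carry a `-hN` hotfix suffix, so a plain string comparison orders `10.2.10` before `10.2.9` and `-h10` before `-h3`. The following is an added illustration, not BlueVoyant's tooling or Palo Alto Networks' code. The inventory is constructed sample data, and the fixed-version table holds illustrative placeholder values that must be replaced with the current list in the vendor advisory before the output is relied on. Whether the GlobalProtect feature is enabled is carried as a flag because it decides whether a vulnerable device was actually exposed; the unexposed ones still need the fix, they just are not the ones to treat as compromised first.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Illustrative fixed-version table (placeholder values, NOT the vendor's list).
# Maps a release train to the first build on that train containing the fix.
# Fill this from the current vendor advisory; it was revised several times
# during this incident, so re-check it on every run.
FIXED_VERSIONS: Dict[str, str] = {
    "10.2": "10.2.9-h1",
    "11.0": "11.0.4-h1",
    "11.1": "11.1.2-h3",
}

_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:-h(\d+))?$")


def parse_version(text: str) -> Tuple[int, int, int, int]:
    """Turn 'major.minor.maint[-hN]' into a tuple that compares numerically.

    A maintenance release without a hotfix suffix is treated as hotfix 0, so it
    sorts below '-h1' of the same release, and '-h10' sorts above '-h3'.
    """
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised PAN-OS version string: {text!r}")
    major, minor, maint, hotfix = m.groups()
    return (int(major), int(minor), int(maint), int(hotfix or 0))


@dataclass
class Asset:
    owner: str            # "self" or the vendor/supplier operating the device
    hostname: str
    version: str          # PAN-OS version as reported by the fingerprint
    globalprotect: bool   # GlobalProtect gateway/portal enabled on this device


def assess(asset: Asset, fixed: Dict[str, str] = FIXED_VERSIONS) -> str:
    """Classify one device against the fixed-version table."""
    v = parse_version(asset.version)
    train = f"{v[0]}.{v[1]}"
    if train not in fixed:
        # The table says nothing about this train: neither fixed nor known
        # affected, so it has to be checked against the advisory by hand.
        return "no_fix_entry"
    if v >= parse_version(fixed[train]):
        return "patched"
    return "vulnerable_exposed" if asset.globalprotect else "vulnerable_unexposed"


def triage(assets: List[Asset], fixed: Dict[str, str] = FIXED_VERSIONS) -> Dict[str, List[str]]:
    """Group devices by status. 'vulnerable_exposed' is the list to treat as
    compromised until forensics says otherwise; the rest still need the fix."""
    out: Dict[str, List[str]] = {
        "vulnerable_exposed": [], "vulnerable_unexposed": [],
        "patched": [], "no_fix_entry": [],
    }
    for a in assets:
        out[assess(a, fixed)].append(f"{a.owner}/{a.hostname}")
    return out


# Constructed sample inventory for the demonstration, not real vendor assets.
SAMPLE_INVENTORY: List[Asset] = [
    Asset("self", "fw-edge-1", "10.2.9", True),        # below the fixed build
    Asset("self", "fw-edge-2", "10.2.9-h1", True),     # exactly the fixed build
    Asset("vendor-a", "vpn-gw", "11.1.2-h2", True),    # one hotfix short
    Asset("vendor-a", "fw-lab", "11.1.2-h3", False),
    Asset("vendor-b", "fw-core", "11.0.10", False),    # string compare would call this vulnerable
    Asset("vendor-c", "fw-old", "10.1.11", True),      # train absent from the table
]

if __name__ == "__main__":
    for status, hosts in triage(SAMPLE_INVENTORY).items():
        print(f"{status:22s} {', '.join(hosts) or '-'}")
```

The `no_fix_entry` bucket is deliberate: a train missing from the table is not evidence of safety, only that the table is incomplete, which is exactly the situation on the first day of an incident like this one.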
Moving Forward
BlueVoyant's data indicates that threat actors continue to capitalize on published zero-day vulnerabilities with unprecedented speed. It is vital that organizations quickly identify every impacted asset across their own network as well as their vendor network and remediate immediately. Doing so significantly reduces the likelihood of those systems being exploited and limits the impact a vulnerable vendor can have on your organization's operations.
The gap between first exploitation and public recognition of the vulnerability, the absence of an immediate fix, and the wide range of exposed devices together suggest that the consequences of this attack may continue to be felt in the months and years ahead.
CISA continues to emphasize the importance of timely patching, as do most defenders. CISA's 2022 report on the most routinely exploited vulnerabilities found that more than half of them originated in previous years, and that pattern continues. As the rate of new zero-days grows, it is crucial to recognize how often they cluster in the same outdated software versions as existing CVEs; prompt remediation of one vulnerability frequently closes off others that sit in the same old release.
Organizations aiming to reduce the damage in the interim period between when critical vendor or supplier assets are exposed and potentially exploited should consider investing in the continuous monitoring of their extended supply chain ecosystem. BlueVoyant's SCD assists with this by rapidly identifying an organization's total cyber risk exposure and providing continuous monitoring for new and emerging threats.