04/13/2024 | News release | Distributed by Public on 04/13/2024 17:59
Zscaler Blog
A Year of Critical Zero Days: Firewalls, VPNs, and more
This past year has been, in many ways, the year of zero-day vulnerabilities for externally exposed assets - a trend that has laid bare some of the fundamental weaknesses of legacy architectures. In the past twelve months, we have witnessed back-to-back disclosures of zero-day vulnerabilities for critical assets that provide core access to the network - specifically VPNs and Firewalls.
Today, CVE-2024-3400 was added to this list. It is a critical command injection vulnerability in the GlobalProtect feature of Palo Alto Networks' PAN-OS, the operating system that runs its next-generation firewalls; GlobalProtect is the firewall's VPN gateway and portal service. The vulnerability carries a CVSS score of 10.0, the maximum severity, because it can be triggered over the network by an unauthenticated attacker with no user interaction. On affected PAN-OS versions with GlobalProtect enabled, it allows an attacker to execute arbitrary code with root privileges on the firewall itself. Palo Alto Networks reports that the vulnerability is being actively exploited in the wild.
Figure 1: The possible firewall-based attack chain enabled by the PAN-OS zero-day vulnerability.
The attack scenario in Figure 1 was compiled from several documented real-world exploitation cases of CVE-2024-3400 and represents one possible path for attackers once they hold root on the firewall.
In response to this risk, Palo Alto Networks advises customers who cannot upgrade immediately to temporarily disable device telemetry as an interim mitigation until the firewall is upgraded to a fixed PAN-OS version. (Palo Alto Networks subsequently withdrew this guidance after determining that exploitation does not depend on telemetry being enabled; upgrading to a fixed release is the only reliable remediation.) Customers should also monitor the firewall and the network behind it for suspicious activity and follow security best practices.
Version     | Affected versions
PAN-OS 11.1 | < 11.1.2-h3
PAN-OS 11.0 | < 11.0.4-h1
PAN-OS 10.2 | < 10.2.9-h1

PAN-OS 10.1 and earlier, Cloud NGFW, Panorama appliances, and Prisma Access are not affected.
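A small triage script for the version table above and the monitoring advice earlier in the post, added here as an example; it is not code from Zscaler or Palo Alto Networks. It checks a PAN-OS version string against the fixed releases, ordering hotfix suffixes the way PAN-OS does, and scans GlobalProtect service log lines for the exploitation marker Palo Alto Networks published in its advisory for gpsvc.log. The version strings and the layout of the log lines are constructed for the example; only the marker text reflects the advisory.

```python
"""Triage helper for CVE-2024-3400.

Added example for this article; it is not tooling from Zscaler or Palo Alto
Networks. It shows the two checks a responder runs first against a PAN-OS
firewall:

  1. is_vulnerable(): compare the running PAN-OS version string (as shown by
     `show system info`, e.g. "10.2.8-h3") with the fixed releases from the
     table above, handling the "-hN" hotfix suffix correctly.
  2. scan_gpsvc_log(): look through GlobalProtect service (gpsvc.log) lines
     for the exploitation marker from the vendor advisory: a
     "failed to unmarshal session(...)" entry whose session value contains a
     path separator (the advisory's grep pattern is
     "failed to unmarshal session(.\\+.\\/"). A benign entry holds only a
     session identifier.

The sample version strings and log lines are constructed for this example;
real gpsvc.log lines differ in layout, only the marker text matters.
"""
import re

# Fixed releases per affected PAN-OS train (the table above). Anything older
# in the same train is affected; 10.1 and earlier are not in scope.
FIXED_RELEASES = {
    (11, 1): "11.1.2-h3",
    (11, 0): "11.0.4-h1",
    (10, 2): "10.2.9-h1",
}

VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:-h(\d+))?$")


def parse_version(text):
    """Turn 'major.minor.maint[-hN]' into a comparable tuple.

    A base release carries hotfix 0, so 10.2.9 < 10.2.9-h1 < 10.2.9-h2 and
    10.2.9-h9 < 10.2.10, which is the ordering PAN-OS uses.
    """
    m = VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised PAN-OS version: {text!r}")
    major, minor, maint, hotfix = m.groups()
    return (int(major), int(minor), int(maint), int(hotfix or 0))


def is_vulnerable(version):
    """True if `version` is in an affected train and older than its fix.

    Trains absent from the table are reported as not affected. The caller
    still has to confirm that GlobalProtect is actually enabled on the box,
    since the flaw lives in that feature.
    """
    v = parse_version(version)
    fixed = FIXED_RELEASES.get(v[:2])
    return fixed is not None and v < parse_version(fixed)


# Python form of the advisory's grep pattern: a session value containing a
# "/" is never a plain session identifier.
EXPLOIT_MARKER = re.compile(r"failed to unmarshal session\(.+./")

# Constructed log excerpt: line 2 is the benign form (an identifier only),
# line 3 is the marker an exploitation attempt leaves behind.
SAMPLE_GPSVC_LOG = """\
2024-04-13 10:01:02 gpsvc: session 3f2a9c1e established for user alice
2024-04-13 10:05:44 gpsvc: failed to unmarshal session(3f2a9c1e-0b7d-4e65-9a31-2c8f6d4b7a10)
2024-04-13 10:06:10 gpsvc: failed to unmarshal session(./../../../../tmp/probe)
2024-04-13 10:07:00 gpsvc: session 3f2a9c1e closed
"""


def scan_gpsvc_log(log_text):
    """Return (line_number, line) for every line matching the marker."""
    return [(n, line) for n, line in enumerate(log_text.splitlines(), 1)
            if EXPLOIT_MARKER.search(line)]


def triage(version, log_text):
    """Combine both checks into one verdict string for a single firewall."""
    hits = scan_gpsvc_log(log_text)
    if hits:
        return "COMPROMISE INDICATOR: %d exploitation marker(s) in gpsvc.log" % len(hits)
    if is_vulnerable(version):
        fixed = FIXED_RELEASES[parse_version(version)[:2]]
        return "VULNERABLE: upgrade %s to %s" % (version, fixed)
    return "NOT AFFECTED: %s is not in an affected range" % version


if __name__ == "__main__":
    for ver in ("10.2.8-h3", "11.1.2-h2", "11.1.2-h3", "10.1.9"):
        print(ver, "->", "vulnerable" if is_vulnerable(ver) else "not affected")
    print(triage("10.2.8-h3", SAMPLE_GPSVC_LOG))
```

Note that a log hit outranks the version check on purpose: a firewall that was upgraded after the marker appeared is patched but may still be compromised, so the verdict has to say so rather than report the current version as clean.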
The GlobalProtect vulnerability is the latest in a long line of VPN and firewall security flaws. It is only April, and this year has already brought critical CVEs in Ivanti, SonicWall, Fortinet, and Cisco VPN products. The problem is not any one vendor but the legacy architecture these products embody, which makes them prime targets for threat actors. VPNs date to 1996, when most of today's complex and sophisticated attack techniques did not exist, and traditional firewalls are older still. Nearly three decades later, threat actors are still regularly finding ways to exploit these technologies.
These assets expose organizations to enormous risk because they are, by design, a public-facing point of contact with the outside world. An internet-exposed VPN or firewall gives a sophisticated threat actor a fixed target to probe until a way in is found, typically a zero-day vulnerability, and a successful exploit places the attacker, just like a legitimate user, on the internal network. Given the potential reward, threat actors will keep targeting VPNs and firewalls.
A recent case of legacy architecture producing zero-day exploits is the set of Ivanti Connect Secure vulnerabilities exploited from December 2023 and disclosed in January 2024. Suspected Chinese state-backed actors chained CVE-2023-46805, an authentication bypass, with CVE-2024-21887, a command injection, to gain unauthenticated remote command execution on Ivanti's VPN appliances. Once these flaws were patched, attackers bypassed the fixes with further vulnerabilities: CVE-2024-21888, a privilege escalation, and CVE-2024-21893, a server-side request forgery in the appliance's SAML component that was used to get around the initial mitigation.
In February 2024, CISA issued another VPN-related alert, this time about attacks on Cisco's Adaptive Security Appliance (ASA) and Firepower Threat Defense (FTD). The Akira ransomware group exploited CVE-2020-3259, an information disclosure vulnerability in the WebVPN/AnyConnect service, to read sensitive data from the memory of exposed appliances that had never been patched. Notably, this one was not a zero day: the fix had been available for four years. Taken together with the true zero days above, the pattern shows that the real issue is the exposed, outdated architecture rather than any specific vendor.
Enterprises should recognize that attackers go after vulnerabilities in exposed, internet-facing assets, and that firewalls and VPNs are among the primary vectors used to breach organizations and steal their data. The risk does not end at those assets: the underlying flat network architecture lets an attacker who has compromised the edge device move laterally, locate the enterprise's most critical applications and data stores, and exfiltrate their contents.
Figure 3. The four-stage attack sequence.
Patching critical vulnerabilities will always be essential, but the only way to stay ahead of this class of zero-day attack is to take the exposed assets out of the equation altogether by adopting a zero trust architecture. The following zero trust principles help organizations mitigate the risks of exposed assets such as VPNs, firewalls, and more.
Eliminate Your Attack Surface: Implement Zero Trust. While the term 'zero trust' is heavily used (and abused), it is for good reason: zero trust principles, and the architecture that implements them, are the only way enterprises can overcome the risks of legacy networks, including vulnerabilities in firewalls and VPNs. These principles are not buzzwords to be applied to legacy products (virtualized VPNs and firewalls are not zero trust); they are goals that require technological transformation and a cloud-first approach to accomplish.
Per the NSA Zero Trust Security Model, there are three fundamental principles enterprises should adopt.
Figure 4. Seven layers of security enabled with a Zero Trust architecture (in this case the Zscaler Zero Trust Exchange).
In practice, a zero trust architecture is fundamentally different from those built on firewalls and VPNs. Compared to traditional, perimeter-based networking approaches, which place users on the enterprise network, a zero trust architecture enables one-to-one connectivity between requesters and resources. This could include, for instance, users connecting to applications, but it could also enable connectivity between workloads, branch locations, remote users and operational technology (OT) systems, and much more.
A cloud native, proxy-based zero trust architecture like the Zscaler Zero Trust Exchange:
In light of these recent zero-day vulnerabilities, it is imperative that enterprises employ the following best practices to fortify their organization against potential exploits:
Today's zero-day vulnerability in Palo Alto Networks' GlobalProtect represents yet another unfortunate milestone in a clear enterprise trend: traditional, perimeter-based approaches to security and networking have systemic, not temporary, weaknesses that no single security patch can wave away. Given the back-to-back CVEs affecting firewalls, VPNs, supply chain tools, and more, it should be clear to security leaders and practitioners that zero trust security is crucial. Adopting a cloud-delivered zero trust architecture removes the attack surface created by legacy technology. Denying attackers their traditional beachheads, the vulnerabilities in VPNs, firewalls, and the like, is key to building a more robust and secure environment.
https://unit42.paloaltonetworks.com/cve-2024-3400/
If you are concerned about these vulnerabilities, please contact Zscaler at [email protected] for a free external attack surface assessment as well as professional consultation on how you can migrate from legacy architectures to Zero Trust.
Acknowledgement for analysis: Atinderpal Singh, Will Seaton