April 24, 2024
Severity
High
Analysis Summary
Siemens is recommending that enterprises using its Ruggedcom APE1808 devices configured with PAN Virtual NGFW implement fixes for a maximum-severity zero-day flaw that Palo Alto Networks (PAN) recently reported in its next-generation firewall product.
The vulnerability, tracked as CVE-2024-3400, is a command injection flaw that affects PAN-OS firewalls when specific features are enabled. On affected firewalls, an attacker has been exploiting it to install a custom Python backdoor. Researchers discovered the flaw earlier this month and reported it to PAN, which then released a fix.
After learning that several threat actors were exploiting the vulnerability, the US Cybersecurity and Infrastructure Security Agency (CISA) added CVE-2024-3400 to its Known Exploited Vulnerabilities catalog. Palo Alto Networks has acknowledged a rise in attacks exploiting CVE-2024-3400 and has warned that proof-of-concept code for the vulnerability is publicly available.
Siemens says that the bug affects its Ruggedcom APE1808 product, which is frequently deployed as an edge device in industrial control environments. Siemens identified all product versions with PAN Virtual NGFW configured with the GlobalProtect gateway, the GlobalProtect portal, or both as affected.
Siemens stated in an advisory that it is developing fixes for the flaw and suggested precautions that users should take in the interim to reduce risk. One mitigation is to enable the specific threat-prevention signatures (threat IDs) that PAN has published for the vulnerability. Siemens also cited PAN's recommendation to disable the GlobalProtect gateway and GlobalProtect portal, reminding customers that both functions are disabled by default in Ruggedcom APE1808 deployment scenarios.
PAN initially also advised enterprises to turn off device telemetry to defend against attacks targeting the flaw. PAN later retracted that advice, stating that it is not an effective mitigation: according to the company, PAN-OS firewalls remain vulnerable even when device telemetry is disabled.
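As an added illustration (not part of the Siemens or PAN advisories), the following Python triage function encodes the exposure conditions above over a constructed device inventory: a PAN Virtual NGFW with the GlobalProtect gateway and/or portal configured is exposed regardless of its telemetry setting. The inventory field names, model labels and device names are assumptions.

```python
from dataclasses import dataclass

CVE = "CVE-2024-3400"


@dataclass
class Device:
    name: str
    model: str               # e.g. "RUGGEDCOM APE1808" (constructed label)
    firewall: str            # e.g. "PAN Virtual NGFW" (constructed label)
    gp_gateway: bool         # GlobalProtect gateway configured?
    gp_portal: bool          # GlobalProtect portal configured?
    telemetry_enabled: bool  # recorded only to show it does not change the verdict


def is_exposed(d: Device) -> bool:
    """Advisory condition: a PAN Virtual NGFW with the GlobalProtect gateway,
    the GlobalProtect portal, or both configured. Telemetry state is ignored on
    purpose: PAN retracted its advice that disabling telemetry mitigates the flaw."""
    return d.firewall == "PAN Virtual NGFW" and (d.gp_gateway or d.gp_portal)


def triage(devices: list[Device]) -> list[tuple[str, str]]:
    """Map each device to a short, advisory-derived action."""
    report = []
    for d in devices:
        if not is_exposed(d):
            action = "not exposed; keep GlobalProtect gateway/portal disabled"
        elif d.model == "RUGGEDCOM APE1808":
            action = (f"exposed to {CVE}: follow Siemens advisory; until fixed, "
                      "disable GlobalProtect gateway/portal or apply PAN threat IDs")
        else:
            action = f"exposed to {CVE}: apply PAN-OS fix or PAN threat IDs"
        report.append((d.name, action))
    return report


# Constructed sample inventory (not real devices)
INVENTORY = [
    Device("edge-01", "RUGGEDCOM APE1808", "PAN Virtual NGFW", True, False, True),
    Device("edge-02", "RUGGEDCOM APE1808", "PAN Virtual NGFW", False, False, True),
    Device("edge-03", "RUGGEDCOM APE1808", "PAN Virtual NGFW", False, True, False),
    Device("dc-fw-01", "generic-appliance", "PAN Virtual NGFW", True, True, True),
]

if __name__ == "__main__":
    for name, action in triage(INVENTORY):
        print(f"{name}: {action}")
```

Note that edge-03 has telemetry disabled yet is still flagged, matching PAN's retraction of the telemetry workaround.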
Siemens advises operating the devices in a protected IT environment configured according to its operational guidelines for Industrial Security and, more generally, urges customers to protect network access to devices in industrial control environments with appropriate mechanisms.
As of April 22, the Shadowserver Foundation, which monitors Internet-facing exposure to threats, observed 5,850 vulnerable instances of PAN's NGFW exposed and reachable via the Internet. About 2,360 of those instances were in North America, with Asia next at about 1,800.
The proportion of those vulnerable instances that sit in operational technology (OT) and industrial control system (ICS) environments is unknown. However, Internet exposure remains a significant problem in OT and ICS environments. A recent study found that around 110,000 ICS and OT systems worldwide are reachable from the Internet. The US led with 27% of exposed systems, though that share is considerably lower than it was a few years ago. Researchers observed a notable rise in the number of Internet-exposed ICS/OT devices in other countries, including Spain, Italy, France, Germany, and Russia.
Impact
- Code Execution
- Unauthorized Access
- Sensitive Information Theft
Indicators of Compromise
CVE
- CVE-2024-3400
Remediation
- Refer to Siemens Security Advisory for patch, upgrade, or suggested workaround information.
- Implement multi-factor authentication to add an extra layer of security to login processes.
- Regularly monitor network activity for any unusual behavior, as this may indicate that a cyberattack is underway.
- Organizations need to stay vigilant and follow best practices for cybersecurity to protect their systems and data from potential threats. This includes regularly updating software and implementing strong access controls and monitoring tools.
- Develop a comprehensive incident response plan to respond effectively in case of a security breach or data leakage.
- Maintain regular backups of critical data and systems to ensure data recovery in case of a security incident.
- Adhere to security best practices, including the principle of least privilege, and ensure that users and applications have only the necessary permissions.
- Establish a robust patch management process to ensure that security patches are evaluated, tested, and applied promptly.
- Conduct security audits and assessments to evaluate the overall security posture of your systems and networks.
- Implement network segmentation to contain and isolate potential threats to limit their impact on critical systems.