{"id":798,"date":"2024-04-13T20:45:25","date_gmt":"2024-04-13T20:45:25","guid":{"rendered":"http:\/\/localhost:9000\/?p=798"},"modified":"2024-04-19T12:16:31","modified_gmt":"2024-04-19T12:16:31","slug":"kriticka-zranitelnost-v-softveri-palo-alto-pan-os","status":"publish","type":"post","link":"http:\/\/localhost:9000\/posts\/798","title":{"rendered":"Kritick\u00e1 zranite\u013enos\u0165 v\u00a0softv\u00e9ri Palo Alto PAN-OS"},"content":{"rendered":"\n<p><strong>Spolo\u010dnos\u0165 Palo Alto Networks vydala bezpe\u010dnostn\u00e9 aktualiz\u00e1cie, ktor\u00e9 opravuj\u00fa akt\u00edvne zneu\u017e\u00edvan\u00fa kritick\u00fa zranite\u013enosti v&nbsp;softv\u00e9ri PAN-OS. Verzie 10.2, 11.0 a 11.1 vo funkcii GlobalProtect obsahuj\u00fa zranite\u013enos\u0165, ktor\u00e1 umo\u017e\u0148uje vzdialen\u00e9 vykonanie k\u00f3du. Zranite\u013enos\u0165 je mo\u017en\u00e9 zneu\u017ei\u0165 len na firewalloch, na ktor\u00fdch je zapnut\u00e1 aspo\u0148 jedna z&nbsp;funkci\u00ed GlobalProtect Gateway alebo&nbsp;GlobalProtect Portal.<\/strong><\/p>\n\n\n\n<p><strong>Zranite\u013en\u00e9 syst\u00e9my:<\/strong><\/p>\n\n\n\n<ul>\n<li>PAN-OS 10.2 vo verzii star\u0161ej ako 10.2.0-h3, 10.2.1-h2, 10.2.2-h5, 10.2.3-h13, 10.2.4-h16, 10.2.5-h6, 10.2.6-h3, 10.2.7-h8, 10.2.8-h3, 10.2.9-h1<\/li>\n\n\n\n<li>PAN-OS 11.0 vo verzii star\u0161ej ako 11.0.0-h3, 11.0.1-h4, 11.0.2-h4, 11.0.3-h10, 11.0.4-h1<\/li>\n\n\n\n<li>PAN-OS 11.1 vo verzii star\u0161ej ako 11.1.0-h3, 11.1.1-h1, 11.1.2-h3<\/li>\n\n\n\n<li><strong>zranite\u013enos\u0165 je mo\u017en\u00e9 zneu\u017ei\u0165 len na firewalloch, na ktor\u00fdch je zapnut\u00e1 aspo\u0148 jedna z funkci\u00ed GlobalProtect Gateway alebo GlobalProtect Portal <\/strong>(pod\u013ea nov\u00fdch inform\u00e1ci\u00ed zneu\u017eitie zranite\u013enosti nevy\u017eadovalo zapnutie funkcie telemetrie ako sa p\u00f4vodne predpokladalo)<\/li>\n\n\n\n<li><strong>zariadenia Cloud NGFW, Panorama appliances a Prisma Access nie s\u00fa touto zranite\u013enos\u0165ou ovplyvnen\u00e9<\/strong><\/li>\n<\/ul>\n\n\n\n<p><strong>Opis \u010dinnosti:<\/strong><\/p>\n\n\n\n<p>CVE-2024-3400 (CVSS sk\u00f3re 10.0)<\/p>\n\n\n\n<p><strong>Kritick\u00e1 zranite\u013enos\u0165<\/strong> s&nbsp;ozna\u010den\u00edm CVE-2024-3400 sa nach\u00e1dza vo funkcii GlobalProtect, spo\u010d\u00edva v&nbsp;nespr\u00e1vnej neutraliz\u00e1cii \u0161peci\u00e1lnych prvkov v&nbsp;r\u00e1mci pr\u00edkazov a&nbsp;<strong>vzdialen\u00fd neautentifikovan\u00fd \u00fato\u010dn\u00edk<\/strong> by ju mohol zneu\u017ei\u0165 na <strong>vykonanie \u0161kodliv\u00e9ho k\u00f3du.<\/strong>&nbsp; <strong>Zranite\u013enos\u0165 je v&nbsp;s\u00fa\u010dasnosti akt\u00edvne zneu\u017e\u00edvan\u00e1 \u00fato\u010dn\u00edkmi.<\/strong><\/p>\n\n\n\n<p><strong>Z\u00e1va\u017enos\u0165 zranite\u013enosti: Kritick\u00e1<\/strong><\/p>\n\n\n\n<p><strong>Mo\u017en\u00e9 \u0161kody:<\/strong><\/p>\n\n\n\n<ul>\n<li>Vykonanie \u0161kodliv\u00e9ho k\u00f3du<\/li>\n\n\n\n<li>\u00dapln\u00e9 naru\u0161enie d\u00f4vernosti, integrity a dostupnosti syst\u00e9mu<\/li>\n<\/ul>\n\n\n\n<p><strong>Odpor\u00fa\u010dania:<\/strong><\/p>\n\n\n\n<p><strong>V\u00fdrobca odpor\u00fa\u010da bezodkladne aktualizova\u0165 zranite\u013en\u00e9 syst\u00e9my.<\/strong> V&nbsp;pr\u00edpade, \u017ee aktualiz\u00e1ciu syst\u00e9mov nie je mo\u017en\u00e9 vykona\u0165, odpor\u00fa\u010dame postupova\u0165 pod\u013ea pokynov v\u00fdrobcu:<\/p>\n\n\n\n<ul>\n<li>Blokova\u0165 \u00fatoky a pokusy o&nbsp;zneu\u017eitie zranite\u013enosti zapnut\u00edm signat\u00far ID hrozieb: 95187, 95189 a 95191 (len pou\u017e\u00edvatelia s&nbsp;akt\u00edvnym predplatn\u00fdm slu\u017eby Threat Prevention).<\/li>\n\n\n\n<li>Aplikova\u0165 profil ochrany pred zranite\u013enos\u0165ou na rozhraniach GlobalProtect pod\u013ea <a href=\"https:\/\/live.paloaltonetworks.com\/t5\/globalprotect-articles\/applying-vulnerability-protection-to-globalprotect-interfaces\/ta-p\/340184\">n\u00e1vodu<\/a>.<\/li>\n<\/ul>\n\n\n\n<p><strong>Vzh\u013eadom na akt\u00edvne zneu\u017e\u00edvanie zranite\u013enosti odpor\u00fa\u010dame d\u00f4kladne preveri\u0165 pr\u00edtomnos\u0165 dostupn\u00fdch indik\u00e1torov kompromit\u00e1cie (IOC) v&nbsp;logoch sie\u0165ov\u00fdch a&nbsp;bezpe\u010dnostn\u00fdch prvkov.<\/strong><\/p>\n\n\n\n<p>Pokusy o&nbsp;zneu\u017eitie zranite\u013enosti na firewalloch mo\u017eno preveri\u0165 pomocou pr\u00edkazov\u00e9ho riadka PAN-OS CLI zadan\u00edm pr\u00edkazu:<\/p>\n\n\n\n<p><em>grep pattern &#8220;failed to unmarshal session(.\\+.\\\/&#8221; mp-log gpsvc.log*<\/em><\/p>\n\n\n\n<p>Ak v\u00fdsledky vyh\u013ead\u00e1vania medzi \u010das\u0165ami \u201esession(\u201c a \u201e)\u201c obsahuj\u00fa namiesto GUID, re\u0165azce obsahuj\u00face syst\u00e9mov\u00e9 cesty alebo shell-ov\u00e9 pr\u00edkazy, m\u00f4\u017ee sa jedna\u0165 o&nbsp;aktivitu spojen\u00fa s&nbsp;pokusmi o&nbsp;zneu\u017eitie zranite\u013enosti.<\/p>\n\n\n\n<p><strong>Indik\u00e1tory kompromit\u00e1cie (IOC):<\/strong><\/p>\n\n\n\n<p><strong>SHA256 hashe s\u00faborov:<\/strong><\/p>\n\n\n\n<ul>\n<li>3de2a4392b8715bad070b2ae12243f166ead37830f7c6d24e778985927f9caac (Update.py)<\/li>\n\n\n\n<li>5460b51da26c060727d128f3b3d6415d1a4c25af6a29fef4cc6b867ad3659078 (Update.py)<\/li>\n\n\n\n<li>35a5f8ac03b0e3865b3177892420cb34233c55240f452f00f9004e274a85703c (patch)<\/li>\n\n\n\n<li>755f5b8bd67d226f24329dc960f59e11cb5735b930b4ed30b2df77572efb32e8 (policy)<\/li>\n\n\n\n<li>adba167a9df482aa991faaa0e0cde1182fb9acfbb0dc8d19148ce634608bab87 (policy)<\/li>\n\n\n\n<li>c1a0d380bf55070496b9420b970dfc5c2c4ad0a598083b9077493e8b8035f1e9 (policy)<\/li>\n\n\n\n<li>fe07ca449e99827265ca95f9f56ec6543a4c5b712ed50038a9a153199e95a0b7 (policy)<\/li>\n\n\n\n<li>96dbec24ac64e7dd5fef6e2c26214c8fe5be3486d5c92d21d5dcb4f6c4e365b9 (policy)<\/li>\n\n\n\n<li>448fbd7b3389fe2aa421de224d065cea7064de0869a036610e5363c931df5b7c (gost-linux-amd64)<\/li>\n\n\n\n<li>e315907415eb8cfcf3b6a4cd6602b392a3fe8ee0f79a2d51a81a928dbce950f8 (policy(6))<\/li>\n\n\n\n<li>161fd76c83e557269bee39a57baa2ccbbac679f59d9adff1e1b73b0f4bb277a6 (reverse-sshx64)<\/li>\n<\/ul>\n\n\n\n<p><strong>IP adresy:<\/strong><\/p>\n\n\n\n<ul>\n<li>38.60.218[.]153<\/li>\n\n\n\n<li>38.180.41[.]251<\/li>\n\n\n\n<li>38.180.106[.]167<\/li>\n\n\n\n<li>38.180.128[.]159<\/li>\n\n\n\n<li>38.181.70[.]3<\/li>\n\n\n\n<li>38.207.148[.]123<\/li>\n\n\n\n<li>45.121.51[.]23<\/li>\n\n\n\n<li>64.176.226[.]203<\/li>\n\n\n\n<li>66.235.168[.]222<\/li>\n\n\n\n<li>78.141.232[.]174<\/li>\n\n\n\n<li>110.47.250[.]103<\/li>\n\n\n\n<li>126.227.76[.]24<\/li>\n\n\n\n<li>146.70.192[.]174<\/li>\n\n\n\n<li>144.172.79[.]92<\/li>\n\n\n\n<li>147.45.70[.]100<\/li>\n\n\n\n<li>149.28.194[.]95<\/li>\n\n\n\n<li>149.88.27[.]212<\/li>\n\n\n\n<li>154.223.16[.]34<\/li>\n\n\n\n<li>172.233.228[.]93<\/li>\n\n\n\n<li>173.255.223[.]159<\/li>\n\n\n\n<li>185.108.105[.]110<\/li>\n\n\n\n<li>199.119.206[.]28<\/li>\n\n\n\n<li>203.160.86[.]91<\/li>\n<\/ul>\n\n\n\n<p><strong>Dom\u00e9ny:<\/strong><\/p>\n\n\n\n<ul>\n<li>edcjn.57fe6f5d9d.ipv6.1433.eu[.]org<\/li>\n\n\n\n<li>nhdata.s3-us-west-2.amazonaws[.]com<\/li>\n\n\n\n<li>srgsd1f.842b727ba4.ipv6.1433.eu[.]org<\/li>\n<\/ul>\n\n\n\n<p>URL:<\/p>\n\n\n\n<ul>\n<li>hxxp:\/\/172.233.228[.]93\/patch<\/li>\n\n\n\n<li>hxxp:\/\/172.233.228[.]93\/policy<\/li>\n\n\n\n<li>hxxp:\/\/172.233.228[.]93\/vpn_prot.gz<\/li>\n\n\n\n<li>hxxp:\/\/172.233.228[.]93\/vpn.log<\/li>\n\n\n\n<li>hxxp:\/\/172.233.228[.]93\/lowdp<\/li>\n\n\n\n<li>hxxps:\/\/45.121.51[.]2\/abc.txt<\/li>\n<\/ul>\n\n\n\n<p><strong><em>Aktualizovan\u00e9 19.04.2024: dostupn\u00e9 aktualiz\u00e1cie, predpoklady zneu\u017eitia zranite\u013enosti, zoznam zasiahnut\u00fdch syst\u00e9mov, odpor\u00fa\u010dania<\/em><\/strong><\/p>\n\n\n\n<p><strong>Odkazy:<\/strong><\/p>\n\n\n\n<p><a href=\"https:\/\/security.paloaltonetworks.com\/CVE-2024-3400\">https:\/\/security.paloaltonetworks.com\/CVE-2024-3400<\/a><\/p>\n\n\n\n<p><a href=\"https:\/\/unit42.paloaltonetworks.com\/cve-2024-3400\/\">https:\/\/unit42.paloaltonetworks.com\/cve-2024-3400\/<\/a><\/p>\n\n\n\n<p><a href=\"https:\/\/www.volexity.com\/blog\/2024\/04\/12\/zero-day-exploitation-of-unauthenticated-remote-code-execution-vulnerability-in-globalprotect-cve-2024-3400\/\">https:\/\/www.volexity.com\/blog\/2024\/04\/12\/zero-day-exploitation-of-unauthenticated-remote-code-execution-vulnerability-in-globalprotect-cve-2024-3400\/<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"<p>Spolo\u010dnos\u0165 Palo Alto Networks vydala bezpe\u010dnostn\u00e9 aktualiz\u00e1cie, ktor\u00e9 opravuj\u00fa akt\u00edvne zneu\u017e\u00edvan\u00fa kritick\u00fa zranite\u013enosti v&nbsp;softv\u00e9ri PAN-OS. Verzie 10.2, 11.0 a 11.1&#8230;<\/p>\n","protected":false},"author":1,"featured_media":799,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[5,7],"tags":[55,19],"_links":{"self":[{"href":"http:\/\/localhost:9000\/wp-json\/wp\/v2\/posts\/798"}],"collection":[{"href":"http:\/\/localhost:9000\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"http:\/\/localhost:9000\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"http:\/\/localhost:9000\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"http:\/\/localhost:9000\/wp-json\/wp\/v2\/comments?post=798"}],"version-history":[{"count":3,"href":"http:\/\/localhost:9000\/wp-json\/wp\/v2\/posts\/798\/revisions"}],"predecessor-version":[{"id":815,"href":"http:\/\/localhost:9000\/wp-json\/wp\/v2\/posts\/798\/revisions\/815"}],"wp:featuredmedia":[{"embeddable":true,"href":"http:\/\/localhost:9000\/wp-json\/wp\/v2\/media\/799"}],"wp:attachment":[{"href":"http:\/\/localhost:9000\/wp-json\/wp\/v2\/media?parent=798"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"http:\/\/localhost:9000\/wp-json\/wp\/v2\/categories?post=798"},{"taxonomy":"post_tag","embeddable":true,"href":"http:\/\/localhost:9000\/wp-json\/wp\/v2\/tags?post=798"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}