Hello, welcome to the Tuesday, April 16, 2024 edition of the Sandsenet Storm Center's Stormcast.

My name is Johannes Ulrich, and today I'm recording from Washington, D.C.

As mentioned in the early Special Monday episode, Palo Alto Networks notified users of a critical already exploited

vulnerability affecting its global protect product. As promised, Palo Alto released a hot fix

on Sunday. As usual, test the hot fix. It was released just before midnight, at least here, East Coast

Time.

Effected systems should also display a warning in their management console, notifying users

of the vulnerability and of the availability of a patch.

Now, one of our readers, Mark, shared that they saw actual attempts on Saturday that attempt

to exploit this vulnerability.

They have a number of different global protect instances across their infrastructure.

Pretty much all of them were attacked.

A couple that were not attacked were fairly new.

So one assumption here is that they're working off not the very latest list of vulnerable devices.

Could be something like Shodan or such, which of course is not always quite that up to date.

Haven't heard anything from others, so there's a single observation

at this point. I published a quick update with also the IP addresses that Mark observed attacking

them. The attack was not successful in this case, and these devices also had telemetry turned off, which is the recommended

workaround and appears to be working so far.

Now, pretty much at the same time where Palo Alto released its issues, there was another

vulnerability that I want to mention that meant a little bit under

the radar and that's an authentication bypass vulnerability in the Delinea secret server.

...