How to find Palo Alto Network devices running PAN-OS


Latest Palo Alto Vulnerabilities #

Palo Alto Networks (PAN) has issued a security advisory for a vulnerability that allows an unauthenticated attacker with access to the system's management PAN-OS web interface to gain administrator privileges on the device. There is limited evidence that CVE-2024-0012 is being exploited in the wild. This vulnerability is rated as critical with a 9.3 CVSS score. 

What is the impact? #

An attacker who can reach the web administration interface of a device running PAN-OS can gain administrative privileges on the system. This gives the attacker control over the device and may additionally open a path to further exploits (for example, CVE-2024-9474).

Palo Alto has indicated that there is limited evidence of exploitation of this vulnerability in the wild. Palo Alto's Unit 42 research organization has authored a writeup on the vulnerability that includes some Indicators of Compromise (IoCs).

Note that CISA (the Cybersecurity and Infrastructure Security Agency) has added CVE-2024-0012 and CVE-2024-9474 to their Known Exploited Vulnerabilities catalog.

Are updates or workarounds available? #

Palo Alto has released updates to address this vulnerability, and strongly recommends that users update as quickly as possible. They also recommend that users restrict access to vulnerable systems' web interfaces as quickly as possible, and prior to applying any updates.

How to find PAN-OS systems on your network #

From the Asset Inventory you can use the following query to locate potentially vulnerable systems:

os:"PAN-OS"



CVE-2024-5910, CVE-2024-9463, and CVE-2024-9465 #

Palo Alto Networks (PAN) updated a security advisory advising customers to restrict access to the management interface of Next-Generation Firewalls (NGFW) due to an actively exploited zero-day vulnerability.

CISA announced that CVE-2024-5910, which was patched in July, is actively being exploited and was added to the Known Exploited Vulnerabilities (KEV) Catalog. Although it does not directly affect PAN-OS, this vulnerability affects the Expedition migration tool, which could contain API keys, administrator credentials, and/or PAN-OS device configuration information.

Additionally, CISA announced that both CVE-2024-9463 (CVSS 9.9) and CVE-2024-9465 (CVSS 9.3) are actively being exploited and were also added to the Known Exploited Vulnerabilities (KEV) Catalog. Both vulnerabilities also affect the Expedition migration tool.

What is the impact? #

Although no specific details of a remote code execution vulnerability were disclosed within the advisory, Palo Alto is investigating active exploitation of a zero-day vulnerability against the management interfaces of NGFWs exposed to the public Internet.

CVE-2024-5910 allows a remote attacker to reset application admin credentials on Expedition servers. Successful exploitation of the other two vulnerabilities above could allow a remote attacker to execute arbitrary OS commands or reveal the contents of the underlying database.

Are updates or workarounds available? #

Within the advisory, Palo Alto recommends restricting access to the management interface. They also advise following a set of best practices to secure the management interface.

Palo Alto Networks released a patch for CVE-2024-5910 in July.

How to find PAN-OS systems on your network #

From the Asset Inventory you can use the following query to locate potentially vulnerable systems:

os:"PAN-OS" type:"Firewall"

How to find Expedition servers on your network #

From the Service Inventory you can use the following query to locate potentially vulnerable systems:

html.title:="Expedition Project"

October 10, 2024 vulnerabilities #

Palo Alto Networks (PAN) released a security advisory with multiple vulnerabilities on PAN-OS firewalls that could lead to admin account takeover.

• CVE-2024-9463 is rated critical with a CVSS score of 9.9; it is an OS command injection vulnerability that potentially allows execution of OS commands as root.
• CVE-2024-9464 is rated critical with a CVSS score of 9.3; it is an OS command injection vulnerability that potentially allows execution of OS commands as root.
• CVE-2024-9465 is rated critical with a CVSS score of 9.2; it is a SQL injection vulnerability that potentially allows a remote unauthenticated attacker to read the contents of the Expedition database.
• CVE-2024-9466 is rated high with a CVSS score of 8.2; it potentially allows an authenticated user to read sensitive information, including passwords and API keys.
• CVE-2024-9467 is rated high with a CVSS score of 7.0; it is an XSS vulnerability that potentially allows execution of malicious JavaScript code, which could result in session hijacking.

If the vulnerabilities are chained together in an exploit, a firewall running the vulnerable software could be completely taken over by an unauthenticated remote attacker. For more information, the team that disclosed the vulnerabilities to Palo Alto Networks published a detailed analysis. According to the vendor, there was no known malicious exploitation of vulnerable systems at the time.

According to Palo Alto Networks, "The fixes for all listed issues are available in Expedition 1.2.96, and all later Expedition versions." They also recommended rotating all passwords and API keys after applying the latest patch to prevent future unauthorized access. Refer to the Workarounds and Mitigations section of the security advisory for information about potential workarounds and additional advice.


CVE-2024-3400 #

Palo Alto Networks (PAN) disclosed that certain versions of their PAN-OS software had a vulnerability that allowed for remote command injection.

CVE-2024-3400 was rated critical with a CVSS score of 9.8 and indicated that an unauthenticated attacker could execute arbitrary code with root privileges on the firewall. The vendor indicated that there was evidence of limited exploitation in the wild.

watchTowr posted a detailed analysis including the details needed for exploitation. This analysis covered two separate vulnerabilities: an arbitrary file creation vulnerability in the session handler, and a shell metacharacter injection issue that led to remote execution through the telemetry script. PAN updated their guidance to state that "Disabling device telemetry is no longer an effective mitigation".

The following PAN-OS versions were affected by this vulnerability:

Version        Affected        Unaffected
PAN-OS 11.1    < 11.1.2-h3     >= 11.1.2-h3 (hotfix ETA: By 4/14)
PAN-OS 11.0    < 11.0.4-h1     >= 11.0.4-h1 (hotfix ETA: By 4/14)
PAN-OS 10.2    < 10.2.9-h1     >= 10.2.9-h1 (hotfix ETA: By 4/14)

Palo Alto Networks indicated that PAN-OS 11.1, 11.0, and 10.2 versions were affected when configured with both a GlobalProtect gateway and device telemetry enabled.

Customers could verify this by checking for entries in the firewall web interface (Network > GlobalProtect > Gateways) and by verifying whether device telemetry was enabled in the firewall web interface (Device > Setup > Telemetry).

Palo Alto Networks recommended that customers with a Threat Prevention subscription block attacks for this vulnerability by enabling Threat ID 95187 (introduced in Applications and Threats content version 8833-8682) and applying vulnerability protection to GlobalProtect interfaces.

It was also recommended that telemetry be disabled until devices could be upgraded to an unaffected version of PAN-OS.
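The version table above is easy to misread by hand because PAN-OS hotfix suffixes (11.1.2 versus 11.1.2-h3) do not sort as plain strings. The following is an added example, not runZero's code or Palo Alto's, that parses PAN-OS version strings into comparable tuples, classifies a device against the CVE-2024-3400 fixed versions from the table, and runs that check over a small inventory export. The CSV layout and column names (address, os, os_version, globalprotect_gateway) are assumed for illustration and the rows are constructed; they are not a real runZero export format.

```python
import csv
import io
import re
from typing import Dict, Optional, Tuple

# First fixed version per affected PAN-OS branch, taken from the advisory table
# on this page. A device on a listed branch below the fixed version is affected.
FIXED_VERSIONS: Dict[Tuple[int, int], str] = {
    (11, 1): "11.1.2-h3",
    (11, 0): "11.0.4-h1",
    (10, 2): "10.2.9-h1",
}

# major.minor.patch with an optional "-hN" hotfix suffix
_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:-h(\d+))?$")


def parse_panos_version(text: str) -> Tuple[int, int, int, int]:
    """Parse 'major.minor.patch[-hN]' into a tuple that compares correctly.

    A missing hotfix suffix becomes 0, so 11.1.2 < 11.1.2-h3, which is the
    ordering the "< 11.1.2-h3" rows in the advisory table rely on.
    """
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised PAN-OS version string: {text!r}")
    major, minor, patch, hotfix = m.groups()
    return (int(major), int(minor), int(patch), int(hotfix or 0))


def cve_2024_3400_status(version: str, globalprotect_gateway: bool = True) -> str:
    """Classify one device as 'affected', 'fixed', 'not-listed' or 'not-exposed'.

    The version comparison is the authoritative part. The gateway flag only
    reflects the advisory's scoping note that the bug is reached through a
    configured GlobalProtect gateway; it does not replace patching.
    """
    parsed = parse_panos_version(version)
    fixed: Optional[str] = FIXED_VERSIONS.get(parsed[:2])
    if fixed is None:
        return "not-listed"      # branch not in the advisory table (e.g. 10.1)
    if not globalprotect_gateway:
        return "not-exposed"     # vulnerable build, but no GlobalProtect gateway configured
    return "affected" if parsed < parse_panos_version(fixed) else "fixed"


# Constructed sample inventory (hypothetical hosts and columns), not real data.
SAMPLE_INVENTORY = """\
address,os,os_version,globalprotect_gateway
10.0.0.1,PAN-OS,11.1.2,yes
10.0.0.2,PAN-OS,11.1.2-h3,yes
10.0.0.3,PAN-OS,10.2.9,no
10.0.0.4,PAN-OS,10.2.8-h4,yes
10.0.0.5,PAN-OS,10.1.11,yes
10.0.0.6,Linux,5.15,no
"""


def triage_inventory(csv_text: str) -> Dict[str, str]:
    """Return {address: status} for every PAN-OS row in an inventory export."""
    results: Dict[str, str] = {}
    for row in csv.DictReader(io.StringIO(csv_text)):
        if row["os"] != "PAN-OS":
            continue  # the os:"PAN-OS" query above does this filtering server-side
        gateway = row["globalprotect_gateway"].strip().lower() == "yes"
        results[row["address"]] = cve_2024_3400_status(row["os_version"], gateway)
    return results


if __name__ == "__main__":
    for address, status in triage_inventory(SAMPLE_INVENTORY).items():
        print(f"{address:<12} {status}")
```

Note that 10.2.8-h4 is reported as affected even though its hotfix number is higher than the h1 in the fixed version: the comparison is positional, so the patch level 8 loses to 9 before the hotfix field is considered. Treat "not-exposed" as a triage aid only; those hosts still need the fixed build.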

Written by Blain Smith

Blain Smith is a Security Research Engineer at runZero. He spent most of his career in cloud and distributed systems for AAA gaming, entertainment, and networking, working on some of the most popular games and systems that millions of people play and watch daily. He has given numerous talks at conferences such as TEDx, GopherCon, and P99CONF. His shift into infosec has afforded him the ability to apply his distributed systems and networking knowledge to other industries such as IoT and OT.

Written by runZero Team

Due to the nature of their research and out of respect for their privacy, runZero team members prefer to remain anonymous. Their work is published under the runZero name.

© Copyright 2024 runZero, Inc. All Rights Reserved