PAN-OS Firewall Vulnerability

Palo Alto Networks has released new indicators of compromise (IoCs) a day after the network security vendor confirmed that a zero-day vulnerability impacting its PAN-OS firewall management interface has been actively exploited in the wild.

To that end, the company said it observed malicious activity originating from the IP addresses below and targeting PAN-OS management web interface IP addresses that are accessible over the internet -

  • 136.144.17[.]*
  • 173.239.218[.]251
  • 216.73.162[.]*

The company, however, warned that these IP addresses may possibly represent "third-party VPNs with legitimate user activity originating from these IPs to other destinations."

Palo Alto Networks' updated advisory indicates that the flaw is being exploited to deploy a web shell on compromised devices, allowing threat actors to gain persistent remote access.

The vulnerability, which is yet to be assigned a CVE identifier, carries a CVSS score of 9.3, indicating critical severity. It allows for unauthenticated remote command execution.

According to the company, the vulnerability requires no user interaction or privileges to exploit, and its attack complexity has been deemed "low."

That said, the severity of the flaw drops to high (CVSS score: 7.5) should access to the management interface be restricted to a limited pool of IP addresses, in which case the threat actor will have to obtain privileged access to those IPs first.

On November 8, 2024, Palo Alto Networks began advising customers to secure their firewall management interfaces amid reports of a remote code execution (RCE) flaw. It has since been confirmed that the mysterious vulnerability has been abused against a "limited number" of instances.

There are currently no details on how the vulnerability came to light, the threat actors behind the exploitation, and the targets of these attacks. Prisma Access and Cloud NGFW products are not impacted by the flaw.

Patches for the vulnerability are yet to be released, making it imperative that users take immediate steps to secure access to the management interface, if not already.

The advisory comes as three different critical flaws in Palo Alto Networks Expedition (CVE-2024-5910, CVE-2024-9463, and CVE-2024-9465) have come under active exploitation, per the U.S. Cybersecurity and Infrastructure Security Agency (CISA). At this stage, there is no evidence to suggest that the activities are related.

Palo Alto Networks Releases Patches

Palo Alto Networks has officially released patches for a set of two flaws that have come under active exploitation in the wild, allowing attackers to elevate their privileges and perform malicious actions.


The vulnerabilities are listed below -

  • CVE-2024-9474 (CVSS score: 6.9) - A privilege escalation vulnerability in Palo Alto Networks PAN-OS software allows a PAN-OS administrator with access to the management web interface to perform actions on the firewall with root privileges
  • CVE-2024-0012 (CVSS score: 9.3) - An authentication bypass in Palo Alto Networks PAN-OS software enables an unauthenticated attacker with network access to the management web interface to gain PAN-OS administrator privileges to perform administrative actions, tamper with the configuration, or exploit other authenticated privilege escalation vulnerabilities like CVE-2024-9474

The aforementioned weaknesses have been patched in PAN-OS 10.1.14-h6, PAN-OS 10.2.12-h2, PAN-OS 11.0.6-h1, PAN-OS 11.1.5-h1, PAN-OS 11.2.4-h1, and all later PAN-OS versions. The fixes have also been extended to maintenance releases.

In a separate threat brief, Palo Alto Networks said it has observed threat activity originating from IP addresses known to proxy/tunnel traffic for anonymous VPN services, and that it's actively investigating the event, which it's tracking under the moniker Operation Lunar Peek.

"Observed post-exploitation activity includes interactive command execution and dropping malware, such as [PHP] web shells, on the firewall," it added.

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has since added both the flaws to the Known Exploited Vulnerabilities (KEV) catalog, requiring Federal Civilian Executive Branch (FCEB) agencies to remediate them by December 9, 2024.

Additional Technical Details Released

Researchers from watchTowr have published more technical details about CVE-2024-0012 and CVE-2024-9474, revealing how the two flaws could be chained together to achieve command injection. A proof-of-concept (PoC) exploit is expected to be released next week so as to give administrators enough time to patch.

"This time it's due to those pesky backticks, combined with the super-complicated step of simply asking the server not to check our authentication via X-PAN-AUTHCHECK," it said. "It's amazing that these two vulnerabilities got into a production appliance, amazingly allowed via the hacked-together mass of shell script invocations that lurk under the hood of a Palo Alto appliance."

As of November 18, 2024, Censys said it has identified 13,324 publicly exposed next-generation firewall (NGFW) management interfaces, with 34% of these exposures located in the United States. That said, it's worth noting that not all of these exposed hosts are necessarily vulnerable.
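The article lists three source indicators (two of them wildcarded) and quotes watchTowr's remark that the bypass rests on a client-supplied X-PAN-AUTHCHECK header. The following added example (not code from Palo Alto Networks, watchTowr, or the article) shows how a defender might triage management-interface access logs against both signals plus a management allowlist. The log format, the sample lines, and the expansion of a trailing `*` to a /24 are this example's own assumptions.

```python
import ipaddress
import re
from typing import Iterable

# Indicators quoted in the article; a trailing '*' stands for any host in that /24.
# Expanding '*' to a /24 is this example's own assumption about the notation.
PUBLISHED_IOCS = ["136.144.17.*", "173.239.218.251", "216.73.162.*"]

def ioc_to_network(ioc: str) -> ipaddress.IPv4Network:
    """Convert a dotted indicator, optionally wildcarded in the last octet, to a network."""
    if ioc.endswith(".*"):
        return ipaddress.ip_network(ioc[:-2] + ".0/24")
    return ipaddress.ip_network(ioc + "/32")

IOC_NETWORKS = [ioc_to_network(i) for i in PUBLISHED_IOCS]

# Constructed sample in a simplified "src=<ip> path=<path> hdrs=<h1,h2>" format;
# this is not real PAN-OS log output. Defanged "[.]" notation is normalised on parse.
SAMPLE_LOG = """\
src=10.0.5.7 path=/login hdrs=Host,User-Agent
src=136.144.17[.]42 path=/login hdrs=Host,X-PAN-AUTHCHECK
src=198.51.100.9 path=/status hdrs=Host,X-PAN-AUTHCHECK
src=173.239.218.251 path=/login hdrs=Host
src=203.0.113.5 path=/login hdrs=Host,User-Agent
"""

LINE_RE = re.compile(r"src=(\S+) path=(\S+) hdrs=(\S*)")

def triage(log_text: str, mgmt_allowlist: Iterable[str] = ()) -> list[dict]:
    """Return one finding per suspicious request, listing every reason it was flagged."""
    allowed = [ipaddress.ip_network(n) for n in mgmt_allowlist]
    findings = []
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue  # ignore lines that do not match the expected format
        src = ipaddress.ip_address(m.group(1).replace("[.]", "."))
        headers = {h.strip().lower() for h in m.group(3).split(",") if h}
        reasons = []
        if any(src in net for net in IOC_NETWORKS):
            reasons.append("source matches published IoC")
        if "x-pan-authcheck" in headers:
            reasons.append("client supplied X-PAN-AUTHCHECK header")
        if allowed and not any(src in net for net in allowed):
            reasons.append("source outside management allowlist")
        if reasons:
            findings.append({"src": str(src), "path": m.group(2), "reasons": reasons})
    return findings

if __name__ == "__main__":
    for f in triage(SAMPLE_LOG, mgmt_allowlist=["10.0.5.0/24"]):
        print(f["src"], f["path"], "; ".join(f["reasons"]))
```

Any legitimate client on an allowlisted network never sends this header, so the header hit is the higher-confidence signal; an IoC match alone may be third-party VPN traffic, as the vendor cautions.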

(The story was updated after publication to include details of the patches and an analysis of the fix released by watchTowr.)
