Growing Exploitation of Palo Alto Networks PAN-OS Vulnerabilities
Update: November 22, 2024
Palo Alto Networks has recently disclosed two critical zero-day vulnerabilities affecting their PAN-OS devices, which are currently being actively exploited in the wild. Identified as CVE-2024-0012 and CVE-2024-9474, these vulnerabilities exploit weaknesses in the management web interface, with CVE-2024-0012 allowing attackers to bypass authentication and gain administrator privileges without any user interaction. Although the company reports limited exposure, thousands of potentially vulnerable systems have been identified globally, raising significant concerns about the broader impact.
CVE-2024-0012: Authentication Bypass Explained
CVE-2024-0012 is classified as a critical vulnerability with a CVSS score of 9.3. It affects the PAN-OS management web interface and was recently reclassified by Palo Alto Networks from a remote command execution flaw to an authentication bypass vulnerability. This critical flaw allows unauthenticated attackers to bypass security measures and gain full administrative access to affected systems without any user interaction, making it particularly dangerous for internet-exposed interfaces.
Once exploited, attackers can manipulate system configurations, compromise sensitive data, or launch additional attacks, leading to severe consequences for organizations. Palo Alto Networks has emphasized that limiting access to the management interface to trusted internal networks can significantly reduce the vulnerability’s impact.
CVE-2024-9474: Privilege Escalation Risks
CVE-2024-9474 is a medium-severity vulnerability with a CVSS score of 6.9, allowing malicious administrators to escalate their privileges to root level on affected PAN-OS systems. Unlike CVE-2024-0012, this flaw requires existing administrative access, making it less critical but still a significant concern for organizations. When exploited, this vulnerability enables attackers to perform actions with full system control, potentially leading to severe consequences, such as disabling security features or launching further attacks.
While it poses a lower risk compared to CVE-2024-0012, the potential impact on compromised systems underscores the importance of immediate patching and strict access controls.
Affected PAN-OS Versions
Both CVE-2024-0012 and CVE-2024-9474 impact multiple versions of PAN-OS. The affected versions for each vulnerability are outlined below:
- CVE-2024-0012: Affects PAN-OS versions 10.2 to 11.2 (versions before: 10.2.12-h2, 11.0.6-h1, 11.1.5-h1, 11.2.4-h1).
- CVE-2024-9474: Affects PAN-OS versions 10.1 to 11.2 (versions before: 10.1.14-h6, 10.2.12-h2, 11.0.6-h1, 11.1.5-h1, 11.2.4-h1).
Upgrading to later versions is crucial to secure systems against these vulnerabilities and reduce exposure to potential exploitation.
How Were the Vulnerabilities Exploited – Operation Lunar Peek
Palo Alto Networks has linked the exploitation of these vulnerabilities to a campaign they have named Operation Lunar Peek. Attackers targeted exposed PAN-OS management interfaces, using CVE-2024-0012 to bypass authentication and gain administrative access. Although CVE-2024-9474 has been exploited in follow-up attacks, researchers have not directly tied it to this operation.
Security researcher Yutaka Sejiyama reported discovering 15,429 public-facing servers globally running Palo Alto Networks’ management interface via Shodan. Among these, 11,180 were confirmed as active, indicating a widespread risk. The United States had the highest number of exposed instances among the affected countries.
Growing Exploitation of Palo Alto Networks PAN-OS Vulnerabilities
Palo Alto Networks continues its investigation into the exploitation of CVE-2024-0012 and CVE-2024-9474. Initial malicious activity observed on November 18, 2024, was traced to IP addresses linked to anonymous VPN services, complicating efforts to pinpoint the attackers. Palo Alto’s Unit 42 now assesses with moderate to high confidence that a functional exploit chaining these vulnerabilities is publicly available, potentially enabling attackers to escalate their activities and target more systems.
Shadowserver reported identifying over 2,000 compromised PAN-OS devices worldwide due to the exploitation of these vulnerabilities. Threat actors have been observed executing commands and deploying malware, including web shells, on compromised firewalls. Palo Alto is actively analyzing and categorizing this post-exploitation behavior to understand its broader impact.
The vulnerabilities have been confirmed to affect various product lines, including PA-Series, VM-Series, CN-Series firewalls, and Panorama (both virtual and M-Series). For CVE-2024-9474, WildFire appliances are also now listed as affected.
CISA Adds Palo Alto Zero-Days to the KEV Catalog
The Cybersecurity and Infrastructure Security Agency (CISA) has added the Palo Alto Networks vulnerabilities, CVE-2024-0012 and CVE-2024-9474, to its Known Exploited Vulnerabilities (KEV) catalog. Federal agencies have been instructed to prioritize patching affected systems by December 9, 2024, ensuring compliance with CISA’s directive. Alongside these vulnerabilities, CISA has also added another high-risk issue to the KEV catalog: CVE-2024-1212, a command injection vulnerability in Progress Kemp LoadMaster with a maximum CVSS score of 10.
Organizations are encouraged to review and address all vulnerabilities in the catalog to strengthen their defenses.
Secure Your PAN-OS Device: Recommendations
To mitigate the risks posed by CVE-2024-0012 and CVE-2024-9474, organizations should implement the following measures:
1. Patch Immediately
Upgrade to the latest secure PAN-OS versions to address these vulnerabilities. Detailed guidance and updated versions can be found in Palo Alto’s advisories. Researchers have provided a Nuclei template for CVE-2024-0012 to help identify affected hosts.
2. Secure Management Interfaces
- Restrict access to management interfaces to trusted internal networks or through a secure jump box.
- Block all internet-facing access to management interfaces to prevent unauthorized exploitation.
- Use the Palo Alto Networks support portal to identify exposed assets tagged with PAN-SA-2024-0015.
3. Monitor Indicators of Compromise (IoCs)
Organizations should monitor for threat actor IPs actively scanning or connecting to vulnerable interfaces. A list of known IPs and post-exploitation payloads has been provided to assist in identifying potential attacks.
By taking these proactive measures, organizations can significantly reduce their risk of exploitation and enhance their overall security posture against these vulnerabilities.
In conclusion, the recent vulnerabilities in Palo Alto Networks PAN-OS highlight the critical need for organizations to remain vigilant and proactive in their cybersecurity efforts. By staying informed and implementing robust security measures, organizations can better protect themselves against evolving threats in the digital landscape.