The security advisory addresses a critical authentication bypass vulnerability in the management web interface

Threat ID:CC-4578

Threat Severity:High

Published:18 November 2024 5:02 PM

Summary

Affected platforms

The following platforms are known to be affected:

Versions: PAN-OS 10.2, PAN-OS 11.0, PAN-OS 11.1, PAN-OS 11.2, (Prisma Access and Cloud NGFW are not affected)

Palo Alto Networks PAN-OS

Threat details

Exploitation of authentication bypass vulnerability CVE-2024-0012

Palo Alto Networks has observed threat activity that exploits this vulnerability against a limited number of management web interfaces that are exposed to internet traffic coming from outside the network. Palo Alto Networks has linked to a Unit 42 vulnerability threat brief, which contains indicators of compromise (IoCs) and exploitation activity related to CVE-2024-0012.

Introduction

Palo Alto Networks has issued a critical severity security advisory for an authentication bypass vulnerability, known as CVE-2024-0012, affecting the PAN-OS management web interface.

CVE-2024-0012 has a CVSSv4 score of 9.3 when access is allowed to the management interface from external IP addresses on the internet. However, if access is restricted to a jump box that is the only system allowed to access the management interface, the CVSSv4 score would be reduced to 5.9.

An unauthenticated attacker with network access to the management web interface could gain PAN-OS administrator privileges to perform administrative actions, tamper with the configuration, or exploit other authenticated privilege escalation vulnerabilities like CVE-2024-9474.

CVE-2024-0012 could be used with CVE-2024-9474

Palo Alto Networks states that an attacker could use the authentication bypass vulnerability CVE-2024-0012 to exploit other authenticated vulnerabilities like CVE-2024-9474. Palo Alto Networks has released a separate advisory for CVE-2024-9474, describing a privilege escalation vulnerability in the management interface that is being exploited.

Following the actions in this Cyber Alert will remediate both vulnerabilities.

Remediation advice

Affected organisations must review the Palo Alto Networks Security Advisory CVE-2024-0012 PAN-OS: Authentication Bypass in the Management Web Interface (PAN-SA-2024-0015) and apply necessary security updates to remediate against this vulnerability.

To prioritise assets that require action most urgently, use the Palo Alto Networks customer portal to find devices that have an internet-facing management interface, as outlined in the second remediation step below. Additionally, Palo Alto Networks recommend customers follow their guidance on securing access to the management interface to reduce the risk of exploitation.

Remediation steps


Patch	Apply latest security update to one of the following fixed versions: PAN-OS 10.2.12-h2 or later PAN-OS 11.0.6-h1 or later PAN-OS 11.1.5-h1 or later PAN-OS 11.2.4-h1 or later https://security.paloaltonetworks.com/CVE-2024-0012
Guidance	To find assets that require remediation action, visit the Assets section of the Customer Support Portal at https://support.paloaltonetworks.com (Products → Assets → All Assets → Remediation Required). Devices with an internet-facing management interface discovered in Palo Alto Networks' scans are tagged with PAN-SA-2024-0015 with a last seen timestamp in UTC. If no such devices are listed, it indicates their scan did not find any devices with internet-facing management interface for your account in the last three days. Organisations are required to patch all affected platforms, regardless of their identification in the customer portal.
Guidance	Recommended mitigation The vast majority of firewalls already follow Palo Alto Networks and industry best practices. Palo Alto Networks strongly recommends securing access to management interfaces according to their best practice deployment guidelines. Specifically, access should be restricted to the management interface to only trusted internal IP addresses to prevent external access from the internet. https://live.paloaltonetworks.com/t5/community-blogs/tips-amp-tricks-how-to-secure-the-management-access-of-your-palo/ba-p/464431
Guidance	Palo Alto Networks official and more detailed technical documentation on securing management access to your Palo Alto Networks firewalls. https://docs.paloaltonetworks.com/best-practices/10-1/administrative-access-best-practices/administrative-access-best-practices/deploy-administrative-access-best-practices

Definitive source of threat updates

https://security.paloaltonetworks.com/CVE-2024-0012

https://support.paloaltonetworks.com/

https://live.paloaltonetworks.com/t5/community-blogs/tips-amp-tricks-how-to-secure-the-management-access-of-your-palo/ba-p/464431

https://docs.paloaltonetworks.com/best-practices/10-1/administrative-access-best-practices/administrative-access-best-practices/deploy-administrative-access-best-practices

CVE Vulnerabilities

StatusPublished

CVE-2024-0012An authentication bypass in Palo Alto Networks PAN-OS software enables an unauthenticated attacker with network access to the management web interface to gain PAN-OS administrator privileges to perform administrative actions, tamper with the configuration, or exploit other authenticated privilege escalation vulnerabilities like CVE-2024-9474 https://security.paloaltonetworks.com/CVE-2024-9474 . The risk of this issue is greatly reduced if you secure access to the management web interface by restricting access to only trusted internal IP addresses according to our recommended best practice deployment guidelines https://live.paloaltonetworks.com/t5/community-blogs/tips-amp-tricks-how-to-secure-the-management-access-of-your-palo/ba-p/464431 . This issue is applicable only to PAN-OS 10.2, PAN-OS 11.0, PAN-OS 11.1, and PAN-OS 11.2 software. Cloud NGFW and Prisma Access are not impacted by this vulnerability.

Last edited: 18 November 2024 5:03 pm