EDIT: This remediation is outdated, and organisations are instructed to follow the advice in the High Severity Cyber Alert CC-4578

Threat ID:CC-4577

Threat Severity:Medium

Published:15 November 2024 4:46 PM

Summary

Affected platforms

The following platforms are known to be affected:

Palo Alto Networks PAN-OS

Prisma Access and Cloud NGFW are not affected

Threat details

This Cyber Alert has been superceded by CC-4578

The information in this Cyber Alert is outdated, the description of the vulnerability and the remediation has changed. Organisations must follow the remediation advice in CC-4578.

Introduction

Palo Alto has issued a critical severity security bulletin for an unauthenticated remote command execution vulnerability affecting the management interface for firewall devices.

The vulnerability is still under investigation by Palo Alto but has not yet received a CVE designation. Palo Alto has tentatively given the vulnerability an initial CVSSv4 score of 9.3. However, if access to the management interface is restricted to trusted internal IP addresses, the CVSSv4 score is reduced to 7.5.

Probable exploitation of unauthenticated RCE vulnerability

Palo Alto Networks has observed threat activity exploiting firewall management interfaces exposed to the internet and is preparing to release fixes and threat prevention signatures.

Remediation advice

EDIT: This remediation is outdated, and organisations are instructed to follow the advice in the High Severity Cyber Alert CC-4578

Affected organisations are encouraged to review the Palo Alto Security Bulletin PAN-SA-2024-0015 and verify that the management interface is configured correctly. Palo Alto has not released security updates but advise customers follow their guidance on securing access to the management interface to reduce the risk of exploitation.

For best practice deployment guidelines, follow the steps in Palo Alto's blog How to Secure the Management Access of Your Palo Alto Networks Device and ensure that access to the management interface is possible only from trusted internal IP addresses and not from the Internet.

Remediation steps


Action	To find assets that require remediation action, visit the Assets section of Customer Support Portal at https://support.paloaltonetworks.com (Products → Assets → All Assets → Remediation Required).
Action	Devices with an internet-facing management interface discovered in Palo Alto's scans are tagged with PAN-SA-2024-0015. If no such devices are listed, it indicates their scan did not find any devices with internet-facing management interface for your account.

Definitive source of threat updates

https://security.paloaltonetworks.com/PAN-SA-2024-0015

https://live.paloaltonetworks.com/t5/community-blogs/tips-amp-tricks-how-to-secure-the-management-access-of-your-palo/ba-p/464431

Last edited: 18 November 2024 5:06 pm