CRITICAL VULNERABILITY IN PALO ALTO PAN-OS (CVE-2024-0012)

EXECUTIVE SUMMARY

On November 18th, Palo Alto Networks issued an advisory regarding a critical vulnerability in their PAN-OS software. The vulnerability is an authentication bypass on the management web interface, which, if successfully exploited, would enable a threat actor to perform administrative actions, tamper with the configuration, or exploit other authenticated privilege escalation vulnerabilities. Palo Alto's research team, Unit 42, published a corresponding threat brief on the same day, reporting that this vulnerability is currently under active exploitation by threat actor groups.

A mitigating factor that may lessen the global impact of this advisory is that under recommended deployments, management interfaces are not commonly exposed to the internet. Instructions on how to implement this have been included in the “Mitigations and Workarounds” section of this advisory. Official patches from Palo Alto have already been made available, and Beazley Security expects financially motivated threat actors to reverse engineer these patches to rapidly develop and deploy weaponized exploits in the coming days.

Beazley Security strongly recommends organizations upgrade their affected Palo Alto firewall products as soon as possible and to immediately ensure firewall management interfaces are properly segmented to internal management networks and not directly exposed to the internet.

AFFECTED SYSTEMS OR PRODUCTS

This vulnerability affects PAN-OS 10.2, PAN-OS 11.0, PAN-OS 11.1, and PAN-OS 11.2. This vulnerability does not affect Cloud NGFW or Prisma Access.

PAN-OS Versions

Affected

Unaffected

Cloud NGFW

None

All

PAN-OS 11.2

< 11.2.4-h1

>= 11.2.4-h1

PAN-OS 11.1

< 11.1.5-h1

>= 11.1.5-h1

PAN-OS 11.0

< 11.0.6-h1

>= 11.0.6-h1

PAN-OS 10.2

< 10.2.12-h2

>= 10.2.12-h2

PAN-OS 10.1

None

All

Prisma Access

None

All

Additionally, Palo Alto Networks has been actively scanning the internet to identify and track PAN-OS firewall devices with internet-facing management interfaces. Existing Palo Alto customers can verify if they were identified as having an internet-facing management interface by following these steps:

1. Visit the Palo Alto Customer Support Portal at: https://support.paloaltonetworks.com
2. Navigate to the Assets section (Products -> Assets -> All Assets).
3. Navigate to the Remediation Required section.
4. Any devices with internet-facing management interfaces identified by Palo Alto are tagged with PAN-SA-2024-0015 with a last seen timestamp in UTC.

MITIGATIONS / WORKAROUNDS

Access to the management interface of Palo Alto devices should be restricted to only trusted internal IP addresses, ideally to a segmented network intended for security device management.

To implement restricted internal IP addresses, an organization can follow these steps:

• Navigate to: Device -> Setup -> Interfaces -> Management
• Under “Permitted IP Addresses” only include approved management hosts (1)
• Only enable encrypted traffic (i.e. HTTPS, SSH) (2)
• Only enable PING for connectivity testing (3)

More details on these settings and more recommended configuration can be found on the community post found here.

To implement more secure network segmentation, follow these steps:

• Identify an internal subnet to be used specifically for network device management traffic.
• Assign an IP address from this subnet to the Palo Alto Management Interface.
• Permit only management traffic from devices connected to this subnet.
• Ensure this management network is isolated from the internet and other end-user systems.

Palo Alto has an official document describing “Administrative Access Best Practices” including and beyond IP access restriction, that document can be found here.

Palo Alto offers a Threat Prevention subscription, which includes Intrusion Detection and Prevention system (IDS/IPS) rules to block exploitation attempts of this vulnerability. Subscribers can enable these detection rules to counter the attacks mentioned in this advisory. Organizations should activate Threat IDs: 95746, 95747, 95752, 95753, 95759, and 95763 (available in Applications and Threats content version 8915-9075 and later). Organizations taking advantage of Threat Prevention will need to perform the following steps to apply the protections (which are not enabled by default):

• Set the above Threat IDs to block mode
• Route incoming traffic for the MGT port through a "data plane" port
• Replace the Certificate for Inbound Traffic Management
• Decrypt inbound traffic to the management interface
• Enable threat prevention on inbound traffic to management services

PATCHES

Palo Alto has released patches addressing this vulnerability. Organizations should update to PAN-OS 10.2.12-h2, 11.0.6-h1, 11.1.5-h1, 11.2.4-h1, or later versions for security fixes.

Palo Alto also released security patches following maintenance releases:

PAN-OS Version

Maintenance Releases

11.2

11.2.0-h1, 11.2.1-h1, 11.2.2-h2, 11.2.3-h3, 11.2.4-h1

11.1

11.1.0-h4, 11.1.1-h2, 11.1.2-h15, 11.1.3-h11, 11.1.4-h7, & 11.1.5-h1

11.0

11.0.0-h4, 11.0.1-h5, 11.0.2-h5, 11.0.3-h13, 11.0.4-h6, 11.0.5-h2, & 11.0.6-h1

10.2

10.2.0-h4, 10.2.1-h3, 10.2.2-h6, 10.2.3-h14, 10.2.4-h32, 10.2.5-h9, 10.2.6-h6, 10.2.7-h18, 10.2.8-h15, 10.2.9-h16, 10.2.10-h9, 10.2.11-h6, & 10.2.12-h2

INDICATORS OF COMPROMISE

Palo Alto’s Unit 42 has also provided the following IOCs to help organizations detect this activity in their own environments:

• IP addresses (many of these are VPN related)
  • 91.208.197[.]167
  • 136.144.17[.]146
  • 136.144.17[.]149
  • 136.144.17[.]154
  • 136.144.17[.]161
  • 136.144.17[.]164
  • 136.144.17[.]166
  • 136.144.17[.]167
  • 136.144.17[.]170
  • 136.144.17[.]176
  • 136.144.17[.]177
  • 136.144.17[.]178
  • 136.144.17[.]180
  • 173.239.218[.]251
  • 209.200.246[.]173
  • 209.200.246[.]184
  • 216.73.162[.]69
  • 216.73.162[.]71
  • 216.73.162[.]73
  • 216.73.162[.]74
• SHA256 file hash
  • 3c5f9034c86cb1952aa5bb07b4f77ce7d8bb5cc9fe5c029a32c72adc7e814668

The file hash mentioned above is a PHP webshell that was found on a compromised firewall device.

HOW BEAZLEY SECURITY IS RESPONDING

Beazley Security is monitoring client perimeter devices through our Karma product to identify impacted devices and support organizations in remediation of any issues found.

SOURCES

• https://security.paloaltonetworks.com/CVE-2024-0012
• https://unit42.paloaltonetworks.com/cve-2024-0012-cve-2024-9474/
• https://live.paloaltonetworks.com/t5/community-blogs/tips-amp-tricks-how-to-secure-the-management-access-of-your-palo/ba-p/464431
• https://docs.paloaltonetworks.com/best-practices/10-1/administrative-access-best-practices/administrative-access-best-practices/deploy-administrative-access-best-practices#id59206398-3dab-4b2f-9b4b-7ea500d036ba
• https://www.cisa.gov/news-events/alerts/2024/11/13/palo-alto-networks-emphasizes-hardening-guidance

‍