Attackers are exploiting two zero-days in Palo Alto Networks firewalls (CVE-2024-0012, CVE-2024-9474)
Palo Alto Networks has released fixes for two vulnerabilities (CVE-2024-0012 and CVE-2024-9474) in its next-generation firewalls that have been exploited by attackers as zero-days.
About the vulnerabilities (CVE-2024-0012, CVE-2024-9474)
CVE-2024-0012 stems from missing authentication for a critical function and allows unauthenticated attackers with network access to the management web interface “to gain PAN-OS administrator privileges to perform administrative actions, tamper with the configuration, or exploit other authenticated privilege escalation vulnerabilities like CVE-2024-9474,” according to Palo Alto Networks.
CVE-2024-0012 is the (previously unspecified) unauthenticated remote command execution zero-day that the company started warning about ten days ago, after urging customers to appropriately configure and secure access to firewall management interfaces exposed to the internet.
CVE-2024-9474 is an OS command injection flaw that allows a PAN-OS administrator with access to the management web interface to escalate their privileges and perform actions on the firewall with root privileges.
The company’s product security researchers pinpointed the vulnerabilities based on observed threat activity.
Cloud NGFW and Prisma Access are not impacted by these flaws.
Exploitation detection and remediation
The company’s incident responders are tracking the initial exploitation of CVE-2024-0012 under the name Operation Lunar Peek.
“Palo Alto Networks has identified threat activity targeting a limited number of device management web interfaces. This activity has primarily originated from IP addresses known to proxy/tunnel traffic for anonymous VPN services,” they explained in a separate threat brief, which also provides indicators of compromise.
“Observed post-exploitation activity includes interactive command execution and dropping malware, such as webshells, on the firewall.”
Limiting access to the management interface only to trusted internal IP addresses or a specified jump box reduces the risk of exploitation, but upgrading to a fixed version of the OS should be prioritized.
Both vulnerabilities have been fixed in PAN-OS 10.2.12-h2, PAN-OS 11.0.6-h1, PAN-OS 11.1.5-h1, PAN-OS 11.2.4-h1, and all later PAN-OS versions. CVE-2024-9474 has additionally been addressed in PAN-OS 10.1.14-h6.
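The fixed-version list above is easy to misread when a fleet runs several PAN-OS trains with hotfix suffixes (the "-hN" part), so the following is an added helper, not code from Palo Alto Networks or from the article, that parses PAN-OS version strings and says whether a given version is at or past the fix for each CVE within its own feature train (major.minor). It encodes only what the paragraph states: the four fixed releases for both CVEs, the extra 10.1.14-h6 fix for CVE-2024-9474, and "all later PAN-OS versions" read as any newer train. Trains the paragraph does not mention (for example 10.1 for CVE-2024-0012, or anything older) are reported as "not_listed" rather than guessed at, and the version strings fed in at the bottom are constructed sample inventory data.

```python
import re
from typing import Dict, List, Tuple

# Fixed releases exactly as stated in the advisory summary.
FIXED_CVE_2024_0012: List[str] = ["10.2.12-h2", "11.0.6-h1", "11.1.5-h1", "11.2.4-h1"]
FIXED_CVE_2024_9474: List[str] = FIXED_CVE_2024_0012 + ["10.1.14-h6"]

# PAN-OS versions look like MAJOR.MINOR.MAINT with an optional "-hN" hotfix suffix.
_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:-h(\d+))?$")

Version = Tuple[int, int, int, int]  # (major, minor, maintenance, hotfix)


def parse_version(text: str) -> Version:
    """Parse '11.1.5-h1' -> (11, 1, 5, 1); a missing hotfix counts as 0."""
    match = _VERSION_RE.match(text.strip())
    if not match:
        raise ValueError(f"unrecognised PAN-OS version string: {text!r}")
    major, minor, maint, hotfix = match.groups()
    return int(major), int(minor), int(maint), int(hotfix or 0)


def assess(version: str, fixed_releases: List[str]) -> str:
    """Return 'fixed', 'vulnerable' or 'not_listed' for one CVE.

    A version is compared only against the fixed release of its own
    major.minor train, because each train received its own hotfix.
    Assumption (labelled): a train newer than every listed one is treated
    as covered by 'all later PAN-OS versions'; an older, unlisted train is
    reported as not_listed because the advisory text does not cover it.
    """
    major, minor, maint, hotfix = parse_version(version)
    fixed = [parse_version(f) for f in fixed_releases]

    for f_major, f_minor, f_maint, f_hotfix in fixed:
        if (f_major, f_minor) == (major, minor):
            # Same train: maintenance number first, then hotfix number.
            at_or_past_fix = (maint, hotfix) >= (f_maint, f_hotfix)
            return "fixed" if at_or_past_fix else "vulnerable"

    newest_listed_train = max((f[0], f[1]) for f in fixed)
    if (major, minor) > newest_listed_train:
        return "fixed"
    return "not_listed"


def assess_both(version: str) -> Dict[str, str]:
    """Assess one device version against both CVEs from the advisory."""
    return {
        "CVE-2024-0012": assess(version, FIXED_CVE_2024_0012),
        "CVE-2024-9474": assess(version, FIXED_CVE_2024_9474),
    }


def triage_inventory(inventory: Dict[str, str]) -> Dict[str, Dict[str, str]]:
    """Map hostname -> per-CVE status for a whole firewall inventory."""
    return {host: assess_both(ver) for host, ver in inventory.items()}


if __name__ == "__main__":
    # Constructed sample inventory; hostnames and versions are illustrative only.
    sample_inventory = {
        "fw-dc1-edge": "10.2.12-h1",   # one hotfix short of the fix
        "fw-dc2-edge": "11.1.5-h1",    # exactly the fixed release
        "fw-branch-07": "10.1.14-h6",  # fixed for 9474, not listed for 0012
        "fw-lab": "11.2.5",            # later maintenance release in a fixed train
    }
    for host, status in triage_inventory(sample_inventory).items():
        print(f"{host:14} {sample_inventory[host]:12} {status}")
```

Anything reported as "vulnerable" should be upgraded before the access restrictions described above are relied on, and "not_listed" is a prompt to consult the vendor advisory for that train rather than a clean bill of health.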
“If your management web interface was exposed to the internet, then we advise you to closely monitor your network for suspicious threat activity, such as unrecognized configuration changes or suspicious users. We are scanning Telemetry data and customer uploaded tech support files (TSF) for evidence of threat activity and updating the case notes accordingly,” Palo Alto says.
Customers who find evidence of compromise are advised to take the affected devices offline and contact the company’s Global Customer Support to schedule a forced Enhanced Factory Reset (EFR). Customers will then need to take further action to complete the clean-up.
UPDATE (November 19, 2024, 03:25 a.m. ET):
Censys has identified 13,324 publicly exposed – but not necessarily vulnerable – NGFW management interfaces.
“A large proportion of these (34%) are geolocated in the United States. Censys observed about 8% of the exposed instances to be associated with Amazon (ASN 16509),” the company said.
UPDATE (November 19, 2024, 07:40 a.m. ET):
watchTowr researchers have published an analysis of how the two bugs can be chained to achieve unauthenticated remote code execution.
They’ve refrained from publishing a PoC exploit, but they have released a Nuclei template that admins can use to check if their hosts are affected.
UPDATE (November 21, 2024, 07:25 a.m. ET):
Shadowserver Foundation has detected around 2,000 compromised devices.