Critical Vulnerability in Palo Alto Networks PAN-OS Under Active Exploitation
2024-11-16
Need some ammo against Palo Alto Networks? This article is for you!
Palo Alto Networks disclosed a zero-day vulnerability in the PAN-OS firewall management web interface that is being actively exploited to deploy web shells, giving attackers persistent access. Initially published without a CVE identifier, the flaw has since been assigned CVE-2024-0012: an authentication bypass that permits unauthenticated remote command execution, rated critical at CVSS 9.3, dropping to 7.5 (high) when access to the management interface is restricted to trusted internal IP addresses. A related flaw, CVE-2024-9474, is a privilege escalation that lets an authenticated administrator run commands on the firewall as root; fixes for both are available in updated PAN-OS releases. CISA has added both CVEs to its Known Exploited Vulnerabilities catalog, with a remediation deadline for federal civilian agencies of December 9, 2024. Palo Alto Networks is tracking the exploitation as "Operation Lunar Peek" and advises customers to secure the management interface immediately.
Zero-Day, Privilege Escalation, Web App/Website Vulnerability, Malware
Palo Alto Networks, PAN-OS, Zero-Day, Firewall Vulnerability, Remote Command Execution, Web Shell
CVE-2024-5910; CVE-2024-9463; CVE-2024-9465; CVE-2024-9474; CVE-2024-0012
Palo Alto Networks, PAN-OS
Palo Alto Networks has identified a critical zero-day vulnerability in its PAN-OS firewall management web interface that is being actively exploited by threat actors. The flaw was first published without a CVE identifier (as advisory PAN-SA-2024-0015) and has since been assigned CVE-2024-0012. It allows an attacker with network access to the management interface to execute commands remotely without authentication. The company has released indicators of compromise (IoCs), including source IP addresses observed targeting the management web interface. Those addresses may also be egress points of anonymous VPN services used by legitimate users, so an IP match alone is weak evidence and should be corroborated with session and file-system artefacts on the firewall.

The flaw lets attackers deploy a web shell on a compromised device, granting persistent remote access. It carries a CVSS score of 9.3 (critical): exploitation requires no user interaction or privileges, and the attack complexity is low. Limiting access to the management interface to trusted internal IP addresses reduces the score to 7.5 (high), which is why Palo Alto Networks has advised customers to secure their firewall management interfaces promptly, independent of patching.

Fixes are available in updated PAN-OS releases for CVE-2024-0012 and for the related CVE-2024-9474, a privilege escalation (CVSS 6.9) that allows a PAN-OS administrator with access to the management web interface to perform actions on the firewall with root privileges. Together the two flaws give an unauthenticated attacker administrative access and then root-level command execution.

The company is investigating the exploitation under the name "Operation Lunar Peek." Threat actors have been observed executing commands and deploying malware, including PHP web shells, on compromised firewalls. The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added both CVEs to its Known Exploited Vulnerabilities catalog, requiring federal civilian agencies to remediate by December 9, 2024.
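As an added example (not code from Palo Alto Networks or from the article), the following Python script triages management-interface access log lines against a placeholder IoC list and against the set of networks the management interface's permitted-IP allowlist should be limited to. The log format, the addresses, the CIDRs and the list of expected PHP endpoints are all assumptions constructed for illustration; real PAN-OS management logs and the real published IoCs differ. It shows the two checks the advisory implies: whether a request came from outside the intended management networks (a properly restricted interface would have blocked it outright), and whether the source matches an IoC, flagged with the caveat that the published addresses may be shared VPN egress. A request for a PHP file the UI is not expected to serve is flagged as a possible dropped web shell.

```python
"""Triage management-interface access logs against an IoC list and the
management allowlist.

Added example, not Palo Alto Networks code. The log format is a generic
combined-log style constructed for illustration; the addresses and CIDRs
are RFC 5737 / RFC 1918 placeholders, not the IoCs Palo Alto published.
"""
import ipaddress
import re
from dataclasses import dataclass, field

# Constructed: the only networks that should ever reach the management
# interface (what the MGT interface's permitted-IP list should enforce).
PERMITTED_MGMT = [ipaddress.ip_network(n) for n in ("10.10.0.0/24", "192.168.50.0/24")]

# Constructed placeholder IoC addresses (documentation ranges, not real IoCs).
IOC_IPS = {ipaddress.ip_address(a) for a in ("203.0.113.7", "198.51.100.23")}

# Constructed: PHP endpoints the management web UI is expected to serve.
# Any other .php target is a candidate dropped web shell.
KNOWN_PHP = {"/php/login.php", "/php/dashboard.php", "/php/logout.php"}

# Constructed sample log lines; the third simulates a request to a dropped web shell.
SAMPLE_LOG = """\
10.10.0.5 - admin [15/Nov/2024:08:01:12 +0000] "GET /php/login.php HTTP/1.1" 200 5123
203.0.113.7 - - [15/Nov/2024:08:02:01 +0000] "POST /php/login.php HTTP/1.1" 200 812
203.0.113.7 - - [15/Nov/2024:08:02:03 +0000] "GET /php/x.php?cmd=id HTTP/1.1" 200 64
192.168.50.9 - admin [15/Nov/2024:08:03:44 +0000] "GET /php/dashboard.php HTTP/1.1" 200 9001
198.51.100.23 - - [15/Nov/2024:08:05:10 +0000] "GET /php/login.php HTTP/1.1" 200 5123
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\d+|-)$'
)

OUTSIDE_ALLOWLIST = "source outside management allowlist"
IOC_MATCH = "source matches IoC list (may be shared VPN egress; corroborate)"
UNEXPECTED_PHP = "request to unexpected PHP endpoint (possible web shell)"


@dataclass
class Finding:
    ip: str
    target: str
    reasons: list = field(default_factory=list)


def triage(log_text, permitted=PERMITTED_MGMT, iocs=IOC_IPS, known_php=KNOWN_PHP):
    """Return one Finding per log line that trips at least one check."""
    findings = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # unparsable line: skip rather than abort the whole run
        try:
            src = ipaddress.ip_address(m["ip"])
        except ValueError:
            continue  # not an IP literal (e.g. hostname logging); skip
        path = m["target"].split("?", 1)[0]  # drop the query string before matching
        reasons = []
        if not any(src in net for net in permitted):
            reasons.append(OUTSIDE_ALLOWLIST)
        if src in iocs:
            reasons.append(IOC_MATCH)
        if path.endswith(".php") and path not in known_php:
            reasons.append(UNEXPECTED_PHP)
        if reasons:
            findings.append(Finding(str(src), m["target"], reasons))
    return findings


def blocked_by_allowlist(findings):
    """How many flagged requests a restricted management interface would have stopped."""
    return sum(1 for f in findings if OUTSIDE_ALLOWLIST in f.reasons)


if __name__ == "__main__":
    hits = triage(SAMPLE_LOG)
    for h in hits:
        print(f"{h.ip:>15}  {h.target:<28}  {'; '.join(h.reasons)}")
    print(f"{blocked_by_allowlist(hits)} of {len(hits)} flagged requests came from outside the allowlist")
```

Run as a script it prints the three flagged requests from the constructed log; note that every one of them originates outside the management allowlist, which is the practical argument for restricting the interface even before the patch is applied. Substitute your own permitted management networks, the vendor's published IoCs and the real log source when using the approach on a live system.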
Research by watchTowr shows that CVE-2024-0012 and CVE-2024-9474 can be chained: the authentication bypass yields administrative access to the management web interface, and the privilege escalation then turns that access into command execution as root. watchTowr expects a public proof-of-concept exploit to follow shortly, leaving administrators little time to patch. Separately, Censys has identified more than 13,000 publicly exposed next-generation firewall management interfaces, a significant share of them in the United States, underscoring how widespread the exposure is.
PAN-OS Firewall Vulnerability Exploitation and Response
Indicators of Compromise
Vulnerability Details
Advisory and Patches
Exploitation and Threat Activity
Technical Insights and Exposures
https://thehackernews.com/2024/11/pan-os-firewall-vulnerability-under.html?m=1