Palo Alto Networks patches zero-day firewall vulnerabilities
The patches come days after Palo Alto Networks first learned of an active exploit in the wild.
Palo Alto Networks has patched a pair of zero-day vulnerabilities in its PAN-OS management web interface used in its next-generation firewalls.
The patches were released this week after Palo Alto Networks first revealed on Nov. 8 that it had heard rumors of a new vulnerability affecting its firewalls.
Then, on Nov. 14, Palo Alto Networks updated its advisory to add that it had “observed threat activity exploiting an unauthenticated remote command execution vulnerability against a limited number of firewall management interfaces that are exposed to the Internet.”
The vulnerabilities became official on Nov. 18, when two CVEs were assigned: CVE-2024-0012 and CVE-2024-9474.
CVE-2024-0012 is an authentication bypass vulnerability that could allow an unauthenticated attacker with unrestricted access to the web interface to gain administrator-level privileges.
CVE-2024-9474 is a privilege escalation vulnerability; chained together, the two flaws could cause serious problems.
“Adversaries can chain the two vulnerabilities together to bypass authentication on exposed management interfaces and escalate privileges,” Rapid7 researchers said in a blog post last updated on Nov. 18.
“While neither advisory explicitly states that the impact of chaining the two vulnerabilities is remote execution of completely unauthenticated code as root, it seems likely from the description of the issues and the inclusion of a web shell (payload) in IOCs, so that adversaries can achieve [remote code execution].”
According to Palo Alto Networks, the zero-day vulnerabilities affected only a “very small number” of its firewalls and could only be exploited on management web interfaces with unrestricted access.
“Palo Alto Networks has identified threat activity targeting a limited number of device management web interfaces. This activity has primarily originated from IP addresses known from proxy/tunnel traffic for anonymous VPN services,” Palo Alto Networks said in a Nov. 18 blog post from its Unit 42 research team.
“Palo Alto Networks is still actively investigating and remediating this activity. Observed post-exploitation activity includes the execution of interactive commands and the dropping of malware, such as webshells, into the firewall.”