On November 8, 2024, Palo Alto Networks (PAN) issued an important alert about a potential vulnerability affecting its firewall management interfaces. The cybersecurity firm urged customers to take immediate action to secure their systems. At the time, the existence of this zero-day vulnerability remained unconfirmed.
However, by November 14, 2024, PAN's advisory was amended to state that the company had indeed detected threat activity exploiting a vulnerability that allows for unauthenticated remote command execution. This issue was seen in a limited number of firewall management interfaces that are publicly accessible on the internet. "We are actively investigating the situation," said a PAN spokesperson.
By November 18, PAN's Unit42 threat intelligence team further elaborated on the alarming activity labeled under the code name "Lunar Peek." The vulnerabilities identified were serious enough to result in the assignment of two Common Vulnerabilities and Exposures (CVEs): CVE-2024-0012 and CVE-2024-9474.

CVE-2024-0012 involves an authentication bypass within PAN-OS management web interfaces, associated with a high severity score of 9.3 on the Common Vulnerability Scoring System (CVSS). According to the firm's detailed advisory, CVE-2024-9474 represents a privilege escalation vulnerability, enabling administrators to execute actions on the firewall with root access, and it has a CVSS score of 6.9. "Adversaries could potentially chain these vulnerabilities to bypass authentication on exposed management interfaces, leading to escalation of privileges," explained a Unit42 analyst.
While the advisory does not unequivocally state that the combination of these vulnerabilities can lead to a full remote code execution (RCE) as root, the possibility remains. "From the descriptions provided and the inclusion of a webshell in Indicators of Compromise (IOCs), it appears likely that adversaries could achieve RCE," noted cybersecurity experts monitoring the developments.
The bulletin emphasizes that the risk of exploitation is considerably lower if the management interface is not exposed to the internet. PAN strongly advises users whose firewall management interfaces are accessible to the web to closely monitor for anomalous activity, such as unexpected configuration changes or unknown users.
As of November 18, PAN confirmed that their Prisma Access and Cloud NGFW products were unaffected by these vulnerabilities. Additionally, on November 16 PAN expanded their advisory to include several IP addresses linked to this threat, noting that some of them may also carry legitimate traffic from third-party virtual private networks (VPNs), alongside the previously published webshell checksums. The threat analysis report from Unit42 published on November 18 includes additional indicators relevant to ongoing assessments.

Customers with certain versions of PAN-OS are specifically urged to update their software immediately to address these vulnerabilities. The versions needing updates are:
- PAN-OS versions prior to 11.2.4-h1
- PAN-OS versions prior to 11.1.5-h1
- PAN-OS versions prior to 11.0.6-h1
- PAN-OS versions prior to 10.2.12-h2
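A practical way to act on that version list is to check a firewall inventory against it. The script below is an added example, not PAN's tooling; the hostnames and versions in it are constructed, and it encodes only the four fixed releases and the 10.1 exemption given in this summary, treating any other branch as unlisted.

```python
import re

# Fixed releases named in the advisory summary above; a firewall on one of
# these branches running anything earlier is flagged for update.
FIXED_BY_BRANCH = {
    "11.2": "11.2.4-h1",
    "11.1": "11.1.5-h1",
    "11.0": "11.0.6-h1",
    "10.2": "10.2.12-h2",
}
# Branch the advisory lists as not impacted.
NOT_IMPACTED = {"10.1"}

_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:-h(\d+))?$")

def parse_version(v: str) -> tuple:
    """Turn '11.2.4-h1' into (11, 2, 4, 1); a release without a hotfix gets hotfix 0."""
    m = _VERSION_RE.match(v.strip())
    if not m:
        raise ValueError(f"unrecognised PAN-OS version string: {v!r}")
    major, minor, patch, hotfix = m.groups()
    return int(major), int(minor), int(patch), int(hotfix or 0)

def assess(version: str) -> str:
    """Classify one PAN-OS version against the fixed releases above.

    Returns 'update', 'fixed', 'not-impacted', or 'unlisted' (branch absent from the list).
    """
    parsed = parse_version(version)
    branch = f"{parsed[0]}.{parsed[1]}"
    if branch in NOT_IMPACTED:
        return "not-impacted"
    if branch not in FIXED_BY_BRANCH:
        return "unlisted"
    return "update" if parsed < parse_version(FIXED_BY_BRANCH[branch]) else "fixed"

# Constructed sample inventory (hostname -> reported version); not real devices.
SAMPLE_INVENTORY = {
    "fw-edge-01": "11.2.3",
    "fw-edge-02": "11.2.4-h1",
    "fw-dc-01": "10.2.12-h1",
    "fw-lab-01": "10.1.14",
    "fw-old-01": "9.1.16",
}

def triage(inventory: dict) -> dict:
    """Map each host to its assessment so the hosts needing an update can be listed."""
    return {host: assess(ver) for host, ver in inventory.items()}
```

Note that a base release without a hotfix suffix (for example 11.2.4) sorts below 11.2.4-h1 and is therefore flagged, matching the "prior to" wording of the list.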
Impact and Legacy
"Updating to the latest versions will help mitigate the risks associated with these vulnerabilities," advised the company. They also pointed out that PAN-OS 10.1, Prisma Access, and Cloud NGFW were not impacted by the vulnerabilities.
As this situation continues to unfold, Palo Alto Networks remains vigilant in tracking and responding to potential threats. Cybersecurity experts emphasize the importance of patches and updates as critical defense strategies against evolving threats in a constantly changing digital landscape. The proactive measures being implemented by PAN and recommendations for customers reflect a broader commitment to strengthening security against increasingly sophisticated cyber threats.