Advisory

November 18 Advisory: Active Exploitation of Critical RCE in Palo Alto Networks PAN-OS [CVE-2024-0012 and CVE-2024-9474]

Date of Disclosure: November 8 (CVE-2024-0012) and November 18, 2024 (CVE-2024-9474)

Date Added to CISA KEV: N/A

On November 8, Palo Alto Networks released an advisory on CVE-2024-0012, a critical remote code execution (RCE) vulnerability affecting PAN-OS, the underlying operating system for Palo Alto Networks firewall and VPN appliances. It’s an authentication bypass bug that allows an unauthenticated remote attacker with access to the management web interface to gain admin privileges.

Today, November 18, the vendor issued another advisory for a related but lower-severity vulnerability also impacting PAN-OS, CVE-2024-9474, an authenticated privilege escalation bug that could allow unauthorized users to gain elevated privileges under certain conditions. 

These two vulnerabilities can be chained together, with CVE-2024-0012 providing initial administrative access, which can then be leveraged to exploit CVE-2024-9474 or carry out other post-exploitation actions.

Exploitation and IoCs

At the time of writing, neither vulnerability is in CISA KEV, but Unit 42 has observed a limited set of exploitation activity related to CVE-2024-0012. They published several indicators of compromise, including various threat actor IP addresses and the SHA-256 hash of the following PHP webshell payload that was dropped on a compromised firewall:

3C5F9034C86CB1952AA5BB07B4F77CE7D8BB5CC9FE5C029A32C72ADC7E814668

Unit 42 additionally noted that while these IPs were identified attempting to scan and/or connect to management interfaces, many of them have been known to proxy/tunnel traffic for anonymous VPN services, which may include legitimate user activity originating from these IPs to other destinations. 

PAN-OS is widely used across sectors such as critical infrastructure, financial services, and government agencies, making this vulnerability particularly concerning for any organization relying on Palo Alto Networks devices. Successful exploitation of this vulnerability could give attackers full control over affected systems, potentially allowing them to alter network configurations, access sensitive data, and facilitate further network compromises.

Organizations using PAN-OS versions 10.2, 11.0, 11.1, and 11.2 in particular are advised to apply patches immediately or restrict access as per the vendor’s advisory. PAN-OS versions 10.2 and later are not affected, and neither are Cloud NGFW or Prisma Access.

| Field | CVE-2024-0012 | CVE-2024-9474 |
| --- | --- | --- |
| CVE-ID | CVE-2024-0012 – CVSS 9.3 (Critical) assigned by Palo Alto Networks | CVE-2024-9474 – CVSS 6.9 (Medium) assigned by Palo Alto Networks |
| Vulnerability Description | Authentication bypass vulnerability in PAN-OS may allow unauthenticated remote code execution. | Privilege escalation vulnerability in PAN-OS allows an administrator with access to the management web interface to perform actions on the firewall with root privileges. |
| Date of Disclosure | November 8, 2024 | November 18, 2024 |
| Affected Assets | Palo Alto Networks PAN-OS software (powering their firewall and VPN appliances) | Palo Alto Networks PAN-OS software (powering their firewall and VPN appliances) |
| Vulnerable Software Versions | PAN-OS 10.2, 11.0, 11.1, and 11.2 | PAN-OS 10.1, 10.2, 11.0, 11.1, and 11.2 |
| PoC Available? | No, at the time of writing | No, at the time of writing |
| Exploitation Status | Actively exploited. Palo Alto has observed attacks targeting internet-exposed firewall management interfaces. In their advisory, they note: “At this time, we believe devices whose access to the Management Interface is not secured as per our recommended best practice deployment guidelines are at increased risk.” | This vulnerability can be exploited after CVE-2024-0012 is used to gain root privileges, though no specific threat activity related to this scenario has been reported yet. |
| Patch Status | Patches available for affected versions. See Palo Alto Networks’ advisory for details. | Patches available for affected versions. See Palo Alto Networks’ advisory for details. |

Censys Perspective

The vendor noted that PAN-OS devices with their management interfaces configured to be exposed to the public internet are at the greatest risk of exploitation. Censys has identified 13,324 publicly exposed NGFW management interfaces. A large proportion of these (34%) are geolocated in the United States. Censys observed about 8% of the exposed instances to be associated with Amazon (ASN 16509). Note that not all of these are necessarily vulnerable, as specific device versions are not available. 

Map of Exposed Management Interfaces (map image not reproduced in this text version)

It is recommended to upgrade affected systems to PAN-OS 10.2 and limit public internet exposure of the firewall management interface. To identify all exposed Palo Alto management interfaces on your network regardless of PAN-OS version, the following Censys queries can be used:

Censys Search Query:

services.http.response.favicons.md5_hash:{c8c08bbe0b78b27d61002db456c741cc, 3ab22b6f3f0d4271e8d038c05cfbd5c9} and services.http.response.html_title="Login"

Censys ASM Query:

(host.services.http.response.favicons.md5_hash:{c8c08bbe0b78b27d61002db456c741cc, 3ab22b6f3f0d4271e8d038c05cfbd5c9} and host.services.http.response.html_title="Login") or (web_entity.instances.http.response.favicons.md5_hash:{c8c08bbe0b78b27d61002db456c741cc, 3ab22b6f3f0d4271e8d038c05cfbd5c9} and web_entity.instances.http.response.html_title="Login")
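Both queries rely on the same two signals: the MD5 of the favicon served by the management interface and an HTML title of "Login". The script below, an added example that is not part of the Censys advisory or of any Censys tooling, applies that fingerprint to HTTP responses you have already collected from your own address space (for instance from an internal scan), so that hosts can be triaged offline and without a Censys account. The `triage` helper, the host dictionary layout and the sample responses are constructed for this example; the two favicon hashes are the ones from the queries above. Because the real PAN-OS favicon bytes are not on this page, the runnable sample uses a constructed favicon and a hash set derived from it to exercise the matching path; against live data you would pass the advisory's `PANOS_FAVICON_MD5` set.

```python
import hashlib
import re
from typing import Iterable, List, Optional, Set, Tuple

# Favicon MD5 hashes that the Censys queries in this advisory use to
# fingerprint the PAN-OS management login page.
PANOS_FAVICON_MD5: Set[str] = {
    "c8c08bbe0b78b27d61002db456c741cc",
    "3ab22b6f3f0d4271e8d038c05cfbd5c9",
}

# Case-insensitive <title> extraction; DOTALL lets the title span lines.
TITLE_RE = re.compile(r"<title>\s*(.*?)\s*</title>", re.IGNORECASE | re.DOTALL)


def html_title(body: str) -> Optional[str]:
    """Return the <title> text of an HTML body, or None if it has no title."""
    m = TITLE_RE.search(body)
    return m.group(1) if m else None


def favicon_md5(favicon: bytes) -> str:
    """MD5 hex digest of the raw favicon bytes (the same value Censys stores
    in services.http.response.favicons.md5_hash)."""
    return hashlib.md5(favicon).hexdigest()


def matches_panos_login(body: str, favicon: bytes,
                        known_hashes: Set[str] = PANOS_FAVICON_MD5) -> bool:
    """Replicate the Censys query logic: favicon hash in the known set AND
    html_title exactly equal to "Login"."""
    return favicon_md5(favicon) in known_hashes and html_title(body) == "Login"


def triage(hosts: Iterable[dict],
           known_hashes: Set[str] = PANOS_FAVICON_MD5) -> List[Tuple[str, int]]:
    """Return (ip, port) for every captured HTTP service that looks like a
    PAN-OS management login page. Each host dict carries ip, port, body (str)
    and favicon (bytes). A hit means "exposed management interface", not
    "confirmed vulnerable": the version is not recoverable from these signals,
    which is the same caveat the advisory makes about its exposure counts."""
    return [(h["ip"], h["port"]) for h in hosts
            if matches_panos_login(h["body"], h["favicon"], known_hashes)]


# Constructed sample data (not real device responses) so the block runs offline.
FAKE_PANOS_FAVICON = b"\x00\x00\x01\x00" + b"constructed-favicon-bytes"
SAMPLE_HOSTS = [
    # matching favicon + "Login" title -> candidate exposed management interface
    {"ip": "192.0.2.10", "port": 443,
     "body": "<html><head><title>Login</title></head></html>",
     "favicon": FAKE_PANOS_FAVICON},
    # matching favicon but a different title -> not reported
    {"ip": "192.0.2.11", "port": 443,
     "body": "<html><head><title>Welcome</title></head></html>",
     "favicon": FAKE_PANOS_FAVICON},
    # "Login" title but an unrelated favicon -> not reported
    {"ip": "192.0.2.12", "port": 8443,
     "body": "<html><head><title>Login</title></head></html>",
     "favicon": b"some-other-product-favicon"},
]
# Hash set derived from the constructed favicon, used only so the sample can
# demonstrate a match; replace with PANOS_FAVICON_MD5 for real captures.
SAMPLE_KNOWN_HASHES = {favicon_md5(FAKE_PANOS_FAVICON)}

if __name__ == "__main__":
    for ip, port in triage(SAMPLE_HOSTS, SAMPLE_KNOWN_HASHES):
        print(f"candidate exposed PAN-OS management login page: {ip}:{port}")
```

The title comparison is exact, mirroring the `html_title="Login"` clause of the queries; if your captures include localized or customised login pages, widen the title check deliberately rather than dropping it, since the favicon alone is a weaker fingerprint.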
