- November 18, 2024
- Beazley Security Labs
Critical Vulnerability in Palo Alto PAN-OS (CVE-2024-0012)
On November 18th, Palo Alto Networks published an advisory regarding a critical vulnerability in their PAN-OS software, a core component for their next-generation firewall product line.
Executive Summary
On November 18th, Palo Alto Networks issued an advisory regarding a critical vulnerability in their PAN-OS software. The vulnerability is an authentication bypass on the management web interface, which, if successfully exploited, would enable a threat actor to perform administrative actions, tamper with the configuration, or exploit other authenticated privilege escalation vulnerabilities. Palo Alto's research team, Unit 42, published a corresponding threat brief on the same day, reporting that this vulnerability is currently under active exploitation by threat actor groups.
A mitigating factor that may lessen the global impact of this advisory is that under recommended deployments, management interfaces are not commonly exposed to the internet. Instructions on how to implement this have been included in the “Mitigations and Workarounds” section of this advisory. Official patches from Palo Alto have already been made available, and Beazley Security expects financially motivated threat actors to reverse engineer these patches to rapidly develop and deploy weaponized exploits in the coming days.
Beazley Security strongly recommends organizations upgrade their affected Palo Alto firewall products as soon as possible and to immediately ensure firewall management interfaces are properly segmented to internal management networks and not directly exposed to the internet.
Affected Systems or Products
This vulnerability affects PAN-OS 10.2, PAN-OS 11.0, PAN-OS 11.1, and PAN-OS 11.2. This vulnerability does not affect Cloud NGFW or Prisma Access.
PAN-OS Versions | Affected | Unaffected |
---|---|---|
Cloud NGFW | None | All |
PAN-OS 11.2 | < 11.2.4-h1 | >= 11.2.4-h1 |
PAN-OS 11.1 | < 11.1.5-h1 | >= 11.1.5-h1 |
PAN-OS 11.0 | < 11.0.6-h1 | >= 11.0.6-h1 |
PAN-OS 10.2 | < 10.2.12-h2 | >= 10.2.12-h2 |
PAN-OS 10.1 | None | All |
Prisma Access | None | All |
Additionally, Palo Alto Networks has been actively scanning the internet to identify and track PAN-OS firewall devices with internet-facing management interfaces. Existing Palo Alto customers can verify if they were identified as having an internet-facing management interface by following these steps:
1. Visit the Palo Alto Customer Support Portal at: https://support.paloaltonetworks.com
2. Navigate to the Assets section (Products -> Assets -> All Assets).
3. Navigate to the Remediation Required section.
4. Any devices with internet-facing management interfaces identified by Palo Alto are tagged with PAN-SA-2024-0015, with a last seen timestamp in UTC.
Mitigations / Workarounds
Access to the management interface of Palo Alto devices should be restricted to only trusted internal IP addresses, ideally to a segmented network intended for security device management.
To implement restricted internal IP addresses, an organization can follow these steps:
1. Navigate to: Device -> Setup -> Interfaces -> Management
2. Under “Permitted IP Addresses”, only include approved management hosts.
3. Only enable encrypted traffic (i.e. HTTPS, SSH).
4. Only enable PING for connectivity testing.
Figure 1: NGFW Management Interface Settings
More details on these settings and further recommended configuration can be found in the community post linked here.
To implement more secure network segmentation, follow these steps:
1. Identify an internal subnet to be used specifically for network device management traffic.
2. Assign an IP address from this subnet to the Palo Alto Management Interface.
3. Permit only management traffic from devices connected to this subnet.
4. Ensure this management network is isolated from the internet and other end-user systems.
Palo Alto has an official document describing “Administrative Access Best Practices”, covering IP access restriction and more; that document can be found here.
Palo Alto offers a Threat Prevention subscription, which includes Intrusion Detection and Prevention system (IDS/IPS) rules to block exploitation attempts of this vulnerability. Subscribers can enable these detection rules to counter the attacks mentioned in this advisory. Organizations should activate Threat IDs: 95746, 95747, 95752, 95753, 95759, and 95763 (available in Applications and Threats content version 8915-9075 and later). Organizations taking advantage of Threat Prevention will need to perform the following steps to apply the protections (which are not enabled by default):
1. Set the above Threat IDs to block mode.
2. Route incoming traffic for the MGT port through a "data plane" port.
3. Replace the certificate for Inbound Traffic Management.
4. Decrypt inbound traffic to the management interface.
5. Enable threat prevention on inbound traffic to management services.
Patches
Palo Alto has released patches addressing this vulnerability. Organizations should update to PAN-OS 10.2.12-h2, 11.0.6-h1, 11.1.5-h1, 11.2.4-h1, or later versions for security fixes.
Palo Alto also released security patches for the following maintenance releases:
PAN-OS Version | Maintenance Releases |
---|---|
11.2 | 11.2.0-h1, 11.2.1-h1, 11.2.2-h2, 11.2.3-h3, 11.2.4-h1 |
11.1 | 11.1.0-h4, 11.1.1-h2, 11.1.2-h15, 11.1.3-h11, 11.1.4-h7, & 11.1.5-h1 |
11.0 | 11.0.0-h4, 11.0.1-h5, 11.0.2-h5, 11.0.3-h13, 11.0.4-h6, 11.0.5-h2, & 11.0.6-h1 |
10.2 | 10.2.0-h4, 10.2.1-h3, 10.2.2-h6, 10.2.3-h14, 10.2.4-h32, 10.2.5-h9, 10.2.6-h6, 10.2.7-h18, 10.2.8-h15, 10.2.9-h16, 10.2.10-h9, 10.2.11-h6, & 10.2.12-h2 |
Indicators of Compromise
Palo Alto’s Unit 42 has also provided the following IOCs to help organizations detect this activity in their own environments:
IP addresses (many of these are VPN related)
SHA256 file hash
3c5f9034c86cb1952aa5bb07b4f77ce7d8bb5cc9fe5c029a32c72adc7e814668
The file hash mentioned above is a PHP webshell that was found on a compromised firewall device.
How Beazley Security is responding
Beazley Security is monitoring client perimeter devices through our Karma product to identify impacted devices and support organizations in remediation of any issues found.