
Palo Alto Networks Releases Critical Security Advisory for PAN-OS (CVE-2024-0012)

Summary

The security advisory addresses a critical authentication bypass vulnerability in the management web interface


Threat details

Exploitation of authentication bypass vulnerability CVE-2024-0012

Palo Alto Networks has observed threat activity that exploits this vulnerability against a limited number of management web interfaces that are exposed to internet traffic coming from outside the network. Palo Alto Networks has linked to a Unit 42 vulnerability threat brief, which contains indicators of compromise (IoCs) and exploitation activity related to CVE-2024-0012.


Introduction

Palo Alto Networks has issued a critical severity security advisory for an authentication bypass vulnerability, known as CVE-2024-0012, affecting the PAN-OS management web interface. 

CVE-2024-0012 has a CVSSv4 score of 9.3 when access is allowed to the management interface from external IP addresses on the internet. However, if access is restricted to a jump box that is the only system allowed to access the management interface, the CVSSv4 score would be reduced to 5.9. 

An unauthenticated attacker with network access to the management web interface could gain PAN-OS administrator privileges to perform administrative actions, tamper with the configuration, or exploit other authenticated privilege escalation vulnerabilities like CVE-2024-9474.

CVE-2024-0012 could be used with CVE-2024-9474

Palo Alto Networks states that an attacker could use the authentication bypass vulnerability CVE-2024-0012 to exploit other authenticated vulnerabilities like CVE-2024-9474. Palo Alto Networks has released a separate advisory for CVE-2024-9474, describing a privilege escalation vulnerability in the management interface that is being exploited.

Following the actions in this Cyber Alert will remediate both vulnerabilities.


Remediation advice

Affected organisations must review the Palo Alto Networks Security Advisory CVE-2024-0012 PAN-OS: Authentication Bypass in the Management Web Interface (PAN-SA-2024-0015) and apply the necessary security updates to remediate this vulnerability.

To prioritise assets that require action most urgently, use the Palo Alto Networks customer portal to find devices that have an internet-facing management interface, as outlined in the second remediation step below. Additionally, Palo Alto Networks recommends that customers follow its guidance on securing access to the management interface to reduce the risk of exploitation.


Remediation steps

Type Step
Patch

Apply the latest security update to one of the following fixed versions:

  • PAN-OS 10.2.12-h2 or later
  • PAN-OS 11.0.6-h1 or later
  • PAN-OS 11.1.5-h1 or later
  • PAN-OS 11.2.4-h1 or later

https://security.paloaltonetworks.com/CVE-2024-0012

Guidance

To find assets that require remediation action, visit the Assets section of the Customer Support Portal at https://support.paloaltonetworks.com (Products → Assets → All Assets → Remediation Required).

Devices with an internet-facing management interface discovered in Palo Alto Networks' scans are tagged with PAN-SA-2024-0015 and a last-seen timestamp in UTC. If no such devices are listed, the scans did not find any devices with an internet-facing management interface for your account in the last three days.

Organisations are required to patch all affected platforms, regardless of their identification in the customer portal.


Guidance

Recommended mitigation

The vast majority of firewalls already follow Palo Alto Networks and industry best practices. Palo Alto Networks strongly recommends securing access to management interfaces according to its best practice deployment guidelines. Specifically, access to the management interface should be restricted to only trusted internal IP addresses to prevent external access from the internet.


https://live.paloaltonetworks.com/t5/community-blogs/tips-amp-tricks-how-to-secure-the-management-access-of-your-palo/ba-p/464431

Guidance

Palo Alto Networks' official, more detailed technical documentation on securing management access to your Palo Alto Networks firewalls.


https://docs.paloaltonetworks.com/best-practices/10-1/administrative-access-best-practices/administrative-access-best-practices/deploy-administrative-access-best-practices
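
The fixed versions in the Patch step can be checked against a device inventory with a short script. The following is an added example, not code from this alert or from Palo Alto Networks: the hostnames and inventory are constructed, the status names are hypothetical, and only the four fixed versions listed on this page are used, so a release train that is not listed is reported for checking against the vendor advisory rather than judged.

```python
import re

# Fixed versions exactly as listed in the Patch step of this alert,
# keyed by release train (major, minor).
FIXED = {
    (10, 2): "10.2.12-h2",
    (11, 0): "11.0.6-h1",
    (11, 1): "11.1.5-h1",
    (11, 2): "11.2.4-h1",
}

_VERSION = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:-h(\d+))?$")


def parse(version):
    """Return (major, minor, maintenance, hotfix); no -hN suffix counts as hotfix 0."""
    m = _VERSION.match(version.strip())
    if not m:
        raise ValueError(f"unrecognised PAN-OS version string: {version!r}")
    return tuple(int(g) if g else 0 for g in m.groups())


def patch_status(version):
    """Classify one PAN-OS version string against the fixed versions above."""
    try:
        parsed = parse(version)
    except ValueError:
        return "unparsed"
    fixed = FIXED.get(parsed[:2])
    if fixed is None:
        return "train-not-listed"  # this alert names no fix for the train
    return "fixed" if parsed >= parse(fixed) else "needs-update"


def triage(inventory):
    """Map each status to the sorted hostnames that have it."""
    result = {}
    for host, version in inventory.items():
        result.setdefault(patch_status(version), []).append(host)
    return {status: sorted(hosts) for status, hosts in result.items()}


if __name__ == "__main__":
    # Constructed inventory: hostnames and versions are made up.
    sample = {"fw-edge-01": "10.2.12-h1", "fw-edge-02": "10.2.12-h2",
              "fw-dc-01": "11.1.5", "fw-dc-02": "11.2.5",
              "fw-lab-01": "10.1.14-h6", "fw-lab-02": "11.0.6-h1 "}
    for status, hosts in sorted(triage(sample).items()):
        print(f"{status}: {', '.join(hosts)}")
```

Devices reported as `train-not-listed` or `unparsed` still need a manual check against the vendor advisory, since this page states fixes for four release trains only.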


Last edited: 18 November 2024 5:03 pm