Summary
Palo Alto Networks published an urgent security advisory on Monday, November 18, for CVE-2024-0012, an authentication bypass in their PAN-OS software that allows an unauthenticated attacker with network access to the management web interface to gain PAN-OS administrator privileges.
Exploiting this critical vulnerability, rated CVSSv4 9.3, could allow the attacker to perform administrative actions, tamper with the configuration, or exploit other authenticated privilege escalation vulnerabilities such as CVE-2024-9474.
Mitigation involves both securing access to the management web interface and updating PAN-OS to the patched version.
Vulnerability and Exploit Details
Palo Alto Networks noted that they have observed threat activity exploiting the vulnerability against a limited number of management web interfaces exposed to internet traffic coming from outside the network.
The best and most effective immediate mitigation is to lock down access to the management web interface to controlled networks and known/trusted IP addresses to prevent external access from the Internet.
The issue is applicable to:
- PAN-OS 10.2
- PAN-OS 11.0
- PAN-OS 11.1
- PAN-OS 11.2
Cloud NGFW and Prisma Access are not affected.
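As an added example (not code from Palo Alto Networks or the advisory), the following Python script audits a PAN-OS configuration export for the two points above: whether the running release train is one of the affected ones, and whether the management interface's permitted-IP list actually restricts access to trusted networks. The config XML layout (devices/entry/deviceconfig/system/permitted-ip), the assumption that an empty permitted-ip list applies no source restriction, and the sample export are assumptions constructed for this example; verify the path against your own export. Patch level within an affected train is not checked, since only the trains are listed here.

```python
"""Audit a PAN-OS configuration export for exposure relevant to CVE-2024-0012.

Added example; not code from Palo Alto Networks. Assumptions:
- the export uses the devices/entry/deviceconfig/system/permitted-ip layout
- an empty permitted-ip list means no source restriction on management access
- SAMPLE_CONFIG below is constructed for this example
"""
import ipaddress
import sys
import xml.etree.ElementTree as ET

# Release trains listed as affected (major.minor only); the patched
# maintenance release within a train is not checked here.
AFFECTED_TRAINS = {"10.2", "11.0", "11.1", "11.2"}

# Constructed sample export: affected train, one trusted entry, one
# untrusted public range, and a catch-all entry that defeats the allowlist.
SAMPLE_CONFIG = """<config version="11.1.0">
  <devices>
    <entry name="localhost.localdomain">
      <deviceconfig>
        <system>
          <hostname>fw-edge-01</hostname>
          <permitted-ip>
            <entry name="10.10.0.0/24"/>
            <entry name="203.0.113.0/24"/>
            <entry name="0.0.0.0/0"/>
          </permitted-ip>
        </system>
      </deviceconfig>
    </entry>
  </devices>
</config>
"""


def permitted_entries(root):
    """Return the permitted-ip entry names for the first device in the export."""
    node = root.find("./devices/entry/deviceconfig/system/permitted-ip")
    if node is None:
        return []
    return [e.get("name") for e in node.findall("entry") if e.get("name")]


def audit_config(xml_text, trusted_nets):
    """Return findings for one export; trusted_nets is the management allowlist."""
    root = ET.fromstring(xml_text)
    version = root.get("version", "")
    train = ".".join(version.split(".")[:2])
    trusted = [ipaddress.ip_network(n, strict=False) for n in trusted_nets]

    entries = permitted_entries(root)
    any_source, untrusted = [], []
    for raw in entries:
        net = ipaddress.ip_network(raw, strict=False)
        if net.prefixlen == 0:
            # 0.0.0.0/0 or ::/0 admits every source, whatever else is listed.
            any_source.append(raw)
        elif not any(net.version == t.version and net.subnet_of(t) for t in trusted):
            untrusted.append(raw)

    return {
        "version": version,
        "affected_train": train in AFFECTED_TRAINS,
        # No entries at all, or a catch-all entry, leaves management reachable
        # from any source that can route to it.
        "mgmt_open_to_any": not entries or bool(any_source),
        "any_source_entries": any_source,
        "untrusted_entries": untrusted,
    }


def main(argv):
    """Usage: audit.py [config.xml] [trusted_net ...]; defaults to the sample."""
    path = argv[1] if len(argv) > 1 else None
    xml_text = open(path, encoding="utf-8").read() if path else SAMPLE_CONFIG
    trusted = argv[2:] or ["10.0.0.0/8"]
    for key, value in audit_config(xml_text, trusted).items():
        print(f"{key}: {value}")


if __name__ == "__main__":
    main(sys.argv)
```

Run it against a saved configuration export and your management allowlist; any entry wider than the allowlist, or a catch-all entry, is reported separately so the fix (remove the entry, or add permitted IPs where none exist) is obvious from the output.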
While the Palo Alto security advisory is light on details for the bug, vulnerability researchers at watchTowr published an extensive writeup titled “Pots and Pans, AKA an SSLVPN” detailing what is going on under the hood to allow the authentication bypass, as well as the accompanying privilege escalation.
Using the patches released by Palo Alto, they were able to diff the changes made to the PHP application that powers the management web interface and determine that the nginx X-Pan-Authcheck header could be toggled to “off,” allowing the bypass.
What To Do
From Palo Alto’s security advisory for CVE-2024-0012:
Recommended Mitigation
The vast majority of firewalls already follow Palo Alto Networks and industry best practices. However, if you haven’t already, we strongly recommend that you secure access to your management interface according to our best practice deployment guidelines. Specifically, you should restrict access to the management interface to only trusted internal IP addresses to prevent external access from the internet.
Additionally, if you have a Threat Prevention subscription, you can block these attacks using Threat IDs 95746, 95747, 95752, 95753, 95759, and 95763 (available in Applications and Threats content version 8915-9075 and later). For these Threat IDs to protect against attacks for this vulnerability,
- Enable threat prevention on the inbound traffic to management services.
- Ensure that all the listed Threat IDs are set to block mode.
- Route incoming traffic for the MGT port through a DP port, e.g., enabling management profile on a DP interface for management access.
- Replace the Certificate for Inbound Traffic Management.
- Decrypt inbound traffic to the management interface so the firewall can inspect it.
Sources
- Palo Alto Unit 42 Threat Brief: Operation Lunar Peek
  https://unit42.paloaltonetworks.com/cve-2024-0012-cve-2024-9474/
- Palo Alto Security Advisory CVE-2024-0012
  https://security.paloaltonetworks.com/CVE-2024-0012
- Palo Alto Security Advisory CVE-2024-9474
  https://security.paloaltonetworks.com/CVE-2024-9474
- watchTowr Blog: Analysis of the “Pots and Pans” Double CVE
  https://labs.watchtowr.com/pots-and-pans-aka-an-sslvpn-palo-alto-pan-os-cve-2024-0012-and-cve-2024-9474/