By security practitioners, for security practitioners novacoast federal | Apex Program | novacoast | about innovate
By security practitioners, for security practitioners

Palo Alto Recommends Urgent Mitigation For Authentication Bypass Vulnerability in PAN-OS

Summary

Palo Alto Networks published an urgent security advisory Monday, November 18 as CVE-2024-0012, detailing an authentication bypass in their PAN-OS software which allows an unauthenticated attacker with network access to the management web interface to gain PAN-OS administrator privileges.

Exploiting this critical vulnerability, ranked at CVSSv4 9.3, could allow the attacker to perform administrative actions, tamper with the configuration, or exploit other authenticated privilege escalation vulnerabilities like CVE-2024-9474.

Mitigation involves both securing access to the management web interface, and updating PAN-OS to the patched version.

Vulnerability and Exploit Details

Palo Alto Networks noted that they observed threat activity exploiting the vulnerability against a limited number of management web interfaces that are exposed to internet traffic coming from outside the network.

The best and most effective immediate mitigation is to lock down access to the management web interface to controlled networks and known/trusted IP addresses to prevent external access from the Internet.

The issue is applicable to:

  • PAN-OS 10.2
  • PAN-OS 11.0
  • PAN-OS 11.1
  • PAN-OS 11.2

Cloud NGFW and Prisma Access are not affected.

While the Palo Alto security advisory is light on details for the bug, vulnerability researchers WatchTwr published an extensive writeup titled “Pots and Pans, AKA an SSLVPN” detailing the nature of what’s going on under the hood to allow the authentication bypass as well as the accompanying privilege escalation.

Using the patches release by Palo Alto, they were able to diff the changes made to the PHP application that powers the management web interface and determine that the nginx X-Pan-Authcheck header could be toggled to “off,” allowing the bypass.

What To Do

From Palo Alto’s security advisory for CVE-2024-0012:

The vast majority of firewalls already follow Palo Alto Networks and industry best practices. However, if you haven’t already, we strongly recommend that you secure access to your management interface according to our best practice deployment guidelines. Specifically, you should restrict access to the management interface to only trusted internal IP addresses to prevent external access from the internet.

Additionally, if you have a Threat Prevention subscription, you can block these attacks using Threat IDs 95746, 95747, 95752, 95753, 95759, and 95763 (available in Applications and Threats content version 8915-9075 and later). For these Threat IDs to protect against attacks for this vulnerability,

Sources

  1. Palo Alto Unit 42 Threat Brief Operation Lunar Peek
    https://unit42.paloaltonetworks.com/cve-2024-0012-cve-2024-9474/
  2. Palo Alto Security Advisory CVE-2024-0012
    https://security.paloaltonetworks.com/CVE-2024-0012
  3. Palo Alto Security Advisory CVE-2024-9474
    https://security.paloaltonetworks.com/CVE-2024-9474
  4. WatchTwr Blog Analysis of “Pots and Pans” Double CVE
    https://labs.watchtowr.com/pots-and-pans-aka-an-sslvpn-palo-alto-pan-os-cve-2024-0012-and-cve-2024-9474/

Previous Post

Weekly Top 10: 11.18.2024: Microsoft Exchange Adds Warning to Emails Abusing Spoofing Flaw; Evasive ZIP Concatenation: Trojan Targets Windows Users; Microsoft November 2024 Patch Tuesday Fixes 4 Zero-Days, 89 Flaws, and More.

Next Post

Why is DDoS Still So Effective After 20 Years?

Innovate uses cookies to give you the best online experience. If you continue to use this site, you agree to the use of cookies. Please see our privacy policy for details.