A SenseOn Advisory: PAN-OS zero-day vulnerabilities CVE-2024-9474 & CVE-2024-0012

Background

On the 18th of November 2024, Palo Alto published advisories disclosing two vulnerabilities affecting the Web Management Interface in PAN-OS. The more critical of the two is CVE-2024-0012[1], with a severity rating of 9.3. Exploitation of this vulnerability allows a remote, unauthenticated attacker with network access to the management web interface to gain PAN-OS administrator privileges. The attacker can then perform administrative actions, tamper with the configuration and carry out further malicious activities.

Once access is gained, the attacker can also take advantage of the authenticated privilege escalation vulnerability CVE-2024-9474[2]. This vulnerability allows an administrator with access to the management interface to perform actions on the firewall with root privileges.

Affected Products and Versions

The following table contains a list of the affected products and versions, along with the fixed or unaffected versions.

Detection

SenseOn’s approach to threats combines behavioural analysis and machine learning to identify behaviours such as lateral movement, command and control (C2) traffic and data exfiltration. This allows us to provide coverage across the estate for post-breach activities likely to be seen following the exploitation of these vulnerabilities.

If you are an existing SenseOn customer, our analysts are actively performing threat hunts across environments to identify any indicators of compromise associated with this vulnerability. Any findings that indicate a potential compromise will be escalated to all affected customers accordingly.

Mitigation & Remediation

Threat activity that exploits these vulnerabilities has been observed against a limited number of management web interfaces which are externally exposed.

Use the following steps to identify devices that Palo Alto's Internet scans have flagged as affected:

  • Visit the Assets section of Customer Support Portal at https://support.paloaltonetworks.com (Products → Assets → All Assets → Remediation Required).

  • Known devices with an internet-facing management interface are tagged with PAN-SA-2024-0015. If no such devices are listed, the scan did not find any devices with an internet-facing management interface in the last three days.

To mitigate these vulnerabilities, SenseOn strongly recommends following best practices for all web UI management interfaces: they should not be exposed to the Internet or untrusted networks, and access should only be allowed through solutions such as an allowlist.

Furthermore, remediation for both vulnerabilities is available by applying updates provided by Palo Alto. SenseOn recommends that customers update PAN-OS to the latest versions to ensure all vulnerabilities are patched. 

These vulnerabilities are patched in PAN-OS 10.1.14-h6, PAN-OS 10.2.12-h2, PAN-OS 11.0.6-h1, PAN-OS 11.1.5-h1, PAN-OS 11.2.4-h1, and all later PAN-OS versions[1][2]. For more information on affected versions, please see the Affected Products and Versions section.
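The fixed-release list above can be turned into an inventory check. The following is an added example, not SenseOn or Palo Alto code: it compares each device's PAN-OS version with the fixed release listed here for the same release train, including the `-hN` hotfix suffix. The hostnames, sample versions and status labels are assumptions made for illustration; a `below-fix` or `unknown` result should be confirmed against the vendor advisories[1][2].

```python
import re

# Fixed releases exactly as listed in this advisory, keyed by release train.
FIXED = {
    (10, 1): (10, 1, 14, 6),
    (10, 2): (10, 2, 12, 2),
    (11, 0): (11, 0, 6, 1),
    (11, 1): (11, 1, 5, 1),
    (11, 2): (11, 2, 4, 1),
}
_VERSION = re.compile(r"(\d+)\.(\d+)\.(\d+)(?:-h(\d+))?")


def parse(version):
    """Return (major, minor, maintenance, hotfix), or None if the format is unexpected."""
    m = _VERSION.fullmatch(version.strip())
    if m is None:
        return None
    return tuple(int(part or 0) for part in m.groups())


def status(version):
    """Classify one PAN-OS version string against the fixed-release list above."""
    parsed = parse(version)
    if parsed is None:
        return "unknown"          # unrecognised format: check by hand
    train = parsed[:2]
    if train > max(FIXED):
        return "patched"          # train newer than every listed one ("all later versions")
    if train not in FIXED:
        return "unknown"          # train not covered by the list on this page
    # Same train: compare maintenance release, then hotfix number.
    return "patched" if parsed >= FIXED[train] else "below-fix"


def triage(inventory):
    """Return {host: status}, with hosts that still need attention listed first."""
    results = {host: status(ver) for host, ver in inventory.items()}
    return dict(sorted(results.items(), key=lambda kv: (kv[1] == "patched", kv[0])))


# Constructed inventory: hostnames and versions are made up for illustration.
SAMPLE = {"fw-edge-01": "10.2.12-h2", "fw-edge-02": "10.2.12-h1",
          "fw-dc-01": "11.1.5", "fw-dc-02": "11.2.5", "fw-lab-01": "9.1.16"}

if __name__ == "__main__":
    for host, state in triage(SAMPLE).items():
        print(f"{host:12} {SAMPLE[host]:12} {state}")
```

A base maintenance release without a hotfix suffix, such as 11.1.5, is treated as hotfix 0 and therefore sorts below 11.1.5-h1.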

Frequently Asked Questions

How can I find further information or assistance regarding this threat?

  • Palo Alto is tracking the activity as Operation Lunar Peek, and has shared indicators of compromise (IoCs), including IP addresses and a hash associated with a PHP webshell payload dropped on compromised firewalls[3].

How can I best mitigate this threat?

  • SenseOn recommends updating PAN-OS to the latest versions provided by Palo Alto to minimise exposure and prevent attackers from successfully exploiting the vulnerabilities. Additionally, we strongly recommend securing access to the management interface by disabling access from the internet or any untrusted network.[1][2]

  • Please see the Affected Products and Versions and Mitigation & Remediation sections for a listing of up-to-date versions and mitigation steps.

Sources

  1. PAN PSIRT. (2024, November 18). CVE-2024-0012 PAN-OS: Authentication Bypass in the Management Web Interface (PAN-SA-2024-0015). Paloaltonetworks.com. https://security.paloaltonetworks.com/CVE-2024-0012

  2. PAN PSIRT. (2024, November 18). CVE-2024-9474 PAN-OS: Privilege Escalation (PE) Vulnerability in the Web Management Interface. Paloaltonetworks.com. https://security.paloaltonetworks.com/CVE-2024-9474

  3. Unit 42. (2024, November 20). Threat Brief: Operation Lunar Peek, Activity Related to CVE-2024-0012 and CVE-2024-9474 (Updated Nov. 19). Unit 42. https://unit42.paloaltonetworks.com/cve-2024-0012-cve-2024-9474
