Palo Alto PAN-OS Exploited Authentication Bypass: What BreachRisk customers need to know

Palo Alto has observed threat actors deploying malware and running commands on compromised devices, indicating the existence of a publicly available exploit chain. BreachRisk can detect this threat and is initiating priority detection indications to customers. (CVE-2024-0012, CVE-2024-9474)

This is a developing situation, and this article will be updated as more information becomes available, and some information may change.

Background

Some Palo Alto Networks firewalls appear to have been compromised in attacks related to two recently patched zero-day vulnerabilities.

More background information will be available soon.

Impact and Likelihood

There are 2 separate but related vulnerabilities involved.

CVE-2024-0012: Authentication bypass in the Management Web Interface

According to the National Vulnerability Database, a successful attack has a high impact to confidentiality, integrity, and availability. For attackers, it appears that likelihood is high.

CVE-2024-9474: Privilege Escalation Vulnerability in the Web Management Interface

According to the National Vulnerability Database, a successful attack has a high impact to  confidentiality, integrity, and availability. For attackers, it appears that likelihood is low to moderate when attempted alone, but high when chained with CVE-2024-0012.

Affected Applications

Palo Alto reports that PAN-OS 10.2, 11.0, 11.1, 11.2 are affected. For CVE-2024-9474, PAN-OS 10.1 is also affected.

What we are doing

BreachBits has analyzed this threat and this threat can be detected by BreachRisk™ services. We are still determining if the threat can be verified and tested. Our team will continue to monitor this issue and will notify customers if the situation changes.

What You Should Do

Fixes for both vunerabilities are available. Refer to https://unit42.paloaltonetworks.com/cve-2024-0012-cve-2024-9474/

Consider taking the following actions, especially if you are not a BreachRisk™ customer.:

1. Identify if the threat is present on your systems.

2. Pinpoint where you are affected.

3. Consider how your business would be impacted if the affected element were to be shut down, breached, or taken over by an attacker.

4. Determine if this risk is significant enough to divert resources from other efforts, and make a decision to attempt a fix or not.

5. If you attempt to fix, follow up to verify the fix was applied. You may need to repeat this cycle as more information emerges.

Now that the vulnerability is public, be on the lookout for further guidance from software developers and security firms.

If you are a BreachRisk™ Subscriber

If you are a BreachRisk™ for Business customer, we are already examining your external attack surface. You should also do the following:

1. Check your email over the next 48 hours for a summary of whether we believe you are affected or not.

2. Provide any IT infrastructure that we haven't already discovered via the Verifications page on your Dashboard. This will allow us to identify more of the attack pathways that are accessible from the internet.

3. Enable Penetration Testing if you have a Pro or Premium subscription. This will allow us to test any attack pathways we identify to see if an attacker can achieve a breach.

4. Since we are inspecting your external attack surface, you should have your security team search your internal systems, which we may not be able to see.

5. If you need any assistance or questions, contact us at support@breachbits.com.

If you are a BreachRisk™ Portfolio or BreachRisk™ for Service Providers client, consider contacting the companies in your portfolio and encourage them to take the steps above if they haven't already. You can also monitor your companies for a sharp risk in their BreachRisk™ Score, which may indicate an affected company.

What Happens Next

We will determine if we can verify and test this threat. We will continue to monitor this issue and update this web log if the situation changes.

Further Reading and What We're Reading

• https://unit42.paloaltonetworks.com/cve-2024-0012-cve-2024-9474/

• https://www.linkedin.com/pulse/warning-over-2000-palo-alto-networks-devices-compromised-nsaxe/

• https://security.paloaltonetworks.com/CVE-2024-0012

• https://nvd.nist.gov/vuln-metrics/cvss/v3-calculator?name=CVE-2024-0012&vector=AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H&version=3.1&source=NIST

• https://security.paloaltonetworks.com/CVE-2024-9474

• https://nvd.nist.gov/vuln-metrics/cvss/v3-calculator?name=CVE-2024-9474&vector=AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H&version=3.1&source=NIST

  
  

Update Log

• 23 Nov 2024, initial publish