Last updated at Tue, 19 Nov 2024 14:08:24 GMT

On Friday, November 8, 2024, cybersecurity firm Palo Alto Networks (PAN) published a bulletin (PAN-SA-2024-0015) advising firewall customers to take steps to secure their firewall management interfaces amid unverified rumors of a possible new vulnerability. Rapid7 threat intelligence teams have also been monitoring rumors of a possible zero-day vulnerability, but those rumors were previously unsubstantiated.

Late in the evening of Thursday, November 14, the Palo Alto Networks advisory was updated to note that PAN had “observed threat activity exploiting an unauthenticated remote command execution vulnerability against a limited number of firewall management interfaces which are exposed to the Internet.” The firm indicated they were actively investigating. The issue was unpatched and had no CVE at time of writing (this has now changed).

Exploitation update: On Monday, November 18, Palo Alto Networks Unit42 released further details on the threat activity they observed, which the firm is tracking under the designation "Lunar Peek."

CVE and fix update: As of Monday, November 18, two CVEs have been assigned for the attacker behavior PAN observed. CVE-2024-0012 (advisory) is an authentication bypass in PAN-OS management web interfaces. It has a CVSS score of 9.3. CVE-2024-9474 (advisory) is a privilege escalation vulnerability in the PAN-OS web management interface that allows administrators to perform actions on the firewall with root privileges. It has a CVSS score of 6.9. The two vulnerabilities can be chained by adversaries to bypass authentication on exposed management interfaces and escalate privileges.

Note: While neither advisory explicitly indicates that the impact of chaining the two vulnerabilities is fully unauthenticated remote code execution as root, it seems likely from the description of the issues and the inclusion of a webshell (payload) in IOCs that adversaries may be able to achieve RCE.

Per the vendor bulletin and Unit42:

  • Risk of exploitation is believed to be limited if access to the management interface was restricted
  • If the firewall management interface was exposed to the internet, PAN advises customers to monitor for suspicious threat activity (e.g., unrecognized configuration changes or users)
  • Prisma Access and Cloud NGFW are not affected (confirmed November 18)

On Saturday, November 16, PAN added a small number of indicators of compromise (IOCs) to their advisory. IOCs include several IP addresses, which PAN noted could represent legitimate user activity from third-party VPNs, and a webshell checksum. The Unit42 threat analysis released on November 18 contains additional IOCs. Please refer to the Unit42 blog for the latest IOCs.

Affected products

The following versions of PAN-OS are vulnerable to CVE-2024-0012, per the vendor advisory. Customers should apply updates as soon as possible, without waiting for a regular patch cycle to occur.

  • < 11.2.4-h1 (update to 11.2.4-h1 or later to mitigate)
  • < 11.1.5-h1 (update to 11.1.5-h1 or later to mitigate)
  • < 11.0.6-h1 (update to 11.0.6-h1 or later to mitigate)
  • < 10.2.12-h2 (update to 10.2.12-h2 or later to mitigate)

PAN-OS 10.1, Prisma Access, and Cloud NGFW are not affected. Note: Additional fixes and guidance are specified in the advisory.

The following versions of PAN-OS are vulnerable to CVE-2024-9474, per the vendor advisory. Customers should apply updates as soon as possible, without waiting for a regular patch cycle to occur.

  • < 11.2.4-h1 (update to 11.2.4-h1 or later to mitigate)
  • < 11.1.5-h1 (update to 11.1.5-h1 or later to mitigate)
  • < 11.0.6-h1 (update to 11.0.6-h1 or later to mitigate)
  • < 10.2.12-h2 (update to 10.2.12-h2 or later to mitigate)
  • < 10.1.14-h6 (update to 10.1.14-h6 or later to mitigate)

Prisma Access and Cloud NGFW are not affected. Note: Additional fixes and guidance are specified in the advisory.
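To turn the two version lists above into a fleet-wide check, the following is an added Python example (not code from Rapid7 or Palo Alto Networks). It parses PAN-OS version strings of the form major.minor.maintenance[-hN], treats a missing hotfix suffix as h0, and compares each device against the fixed builds quoted on this page for both CVEs. The hostnames and versions in the sample inventory are constructed for illustration. For branches this page lists no fix for (for example 9.1), assess() returns "unknown" rather than guessing, since the vendor advisory is the authority there; for 10.1 it returns "not affected" for CVE-2024-0012 only, as stated above.

```python
import re
from typing import Dict, Iterable, List, Tuple

# Fixed PAN-OS builds per release branch, as quoted on this page from the
# vendor advisory. A branch missing from a map means the page lists no fix.
FIXED_VERSIONS: Dict[str, Dict[Tuple[int, int], str]] = {
    "CVE-2024-0012": {
        (11, 2): "11.2.4-h1",
        (11, 1): "11.1.5-h1",
        (11, 0): "11.0.6-h1",
        (10, 2): "10.2.12-h2",
    },
    "CVE-2024-9474": {
        (11, 2): "11.2.4-h1",
        (11, 1): "11.1.5-h1",
        (11, 0): "11.0.6-h1",
        (10, 2): "10.2.12-h2",
        (10, 1): "10.1.14-h6",
    },
}

# Branches the page explicitly states are not affected by a given CVE.
NOT_AFFECTED_BRANCHES: Dict[str, set] = {
    "CVE-2024-0012": {(10, 1)},
    "CVE-2024-9474": set(),
}

_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:-h(\d+))?$")


def parse_panos_version(version: str) -> Tuple[int, int, int, int]:
    """Parse 'major.minor.maint[-hN]' into a comparable tuple.

    A version with no hotfix suffix sorts as h0, so '10.2.12' < '10.2.12-h2'.
    """
    m = _VERSION_RE.match(version.strip())
    if not m:
        raise ValueError(f"unrecognised PAN-OS version string: {version!r}")
    major, minor, maint, hotfix = m.groups()
    return (int(major), int(minor), int(maint), int(hotfix or 0))


def assess(version: str, cve: str) -> str:
    """Classify one device version against one CVE.

    Returns 'vulnerable', 'fixed', 'not affected', or 'unknown' (branch not
    listed on this page; consult the vendor advisory).
    """
    parsed = parse_panos_version(version)
    branch = parsed[:2]
    if branch in NOT_AFFECTED_BRANCHES[cve]:
        return "not affected"
    fixed = FIXED_VERSIONS[cve].get(branch)
    if fixed is None:
        return "unknown"
    return "vulnerable" if parsed < parse_panos_version(fixed) else "fixed"


def assess_fleet(inventory: Iterable[Tuple[str, str]]) -> List[Tuple[str, str, Dict[str, str]]]:
    """Evaluate (hostname, version) pairs against every CVE in FIXED_VERSIONS."""
    return [
        (host, ver, {cve: assess(ver, cve) for cve in FIXED_VERSIONS})
        for host, ver in inventory
    ]


if __name__ == "__main__":
    # Constructed sample inventory; hostnames and versions are illustrative only.
    SAMPLE_INVENTORY = [
        ("fw-edge-01", "10.2.11"),
        ("fw-edge-02", "10.2.12-h2"),
        ("fw-dc-01", "10.1.14-h5"),
        ("fw-lab-01", "11.2.4-h1"),
        ("fw-legacy-01", "9.1.17"),
    ]
    for host, ver, result in assess_fleet(SAMPLE_INVENTORY):
        statuses = "  ".join(f"{cve}: {status}" for cve, status in result.items())
        print(f"{host:14} {ver:12} {statuses}")
```

Feed it the version column from your asset inventory and treat any "vulnerable" result as a device to patch now; "unknown" rows are branches this page does not cover and must be checked directly against the advisory's own tables.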

Mitigation guidance

Customers should update to fixed versions of PAN-OS as soon as possible to mitigate the risk of exploitation for CVE-2024-0012 and CVE-2024-9474.

Palo Alto Networks customers should ensure access to the firewall management interface is configured correctly in accordance with PAN’s recommended best practice deployment guidelines — namely, that access is restricted to trusted internal IPs only and the management interface is not exposed or accessible to the internet. More guidance is available here.

The Palo Alto Networks advisory also has directions on identifying internet-facing management interfaces and/or devices that may otherwise require remediation action. Rapid7 strongly recommends reviewing the advisory and configuration guidance in addition to the IOCs PAN released.

We will update this blog with further information as it becomes available, but as always, we encourage Palo Alto Networks customers to refer to the vendor advisory for the latest information.

Rapid7 customers

InsightVM and Nexpose customers can assess their exposure to CVE-2024-0012 and CVE-2024-9474 with vulnerability checks available as of the Monday, November 18 content release.

Indicators of compromise

See the Unit42 analysis for the latest list of IOCs related to this attack.

Update timeline

Saturday, November 16: Updated to note availability of IOCs.

Monday, November 18: Updated with CVEs, affected products, and information for Rapid7 customers.
