Arctic Wolf Security Bulletin

Follow-Up: Arctic Wolf Observes Ongoing Exploitation of Critical Palo Alto Networks Vulnerability CVE-2024-0012 Chained with CVE-2024-9474


On 19 November 2024, Arctic Wolf began observing active exploitation of the recently disclosed CVE-2024-0012 and CVE-2024-9474 vulnerabilities impacting Palo Alto Networks PAN-OS software. When chained together, these vulnerabilities allow an unauthenticated threat actor with network access to the management web interface to gain administrator privileges. Exploitation could enable threat actors to perform administrative actions, modify configurations, or leverage other authenticated privilege escalation vulnerabilities. Since our last bulletin regarding these vulnerabilities, the following has occurred: 

  • We have detected exploitation of CVE-2024-9474 chained with CVE-2024-0012 in customer environments. While CVE-2024-9474 is classified as a medium-severity vulnerability on its own, exploiting CVE-2024-0012 first allows a threat actor to bypass authentication and gain PAN-OS administrator access to the management web interface, from which they can escalate privileges and perform actions on the firewall with root privileges. 
  • Upon successful exploitation, we have observed threat actors attempting to transfer tools into the environment and exfiltrate config files from the compromised devices. 
  • On 19 November 2024, new technical details of CVE-2024-0012 and CVE-2024-9474 were publicly disclosed by watchTowr, which included Proof-of-Concept (PoC) exploit code. 
  • PAN has further specified that CVE-2024-0012 only affects PA-Series, VM-Series, and CN-Series firewalls running PAN-OS versions 10.2, 11.0, 11.1, and 11.2, as well as Panorama (virtual and M-Series) and WildFire appliances. 
  • CVE-2024-9474 affects the same products and, in addition, PAN-OS 10.1. 

Arctic Wolf assesses with high confidence that threat actors will continue targeting this vulnerability because a PoC exploit is publicly available, which lowers the barrier to exploitation. Additionally, publicly exposed firewalls are an attractive target because compromising one allows exfiltration of sensitive data and further lateral movement in the affected environment. Earlier this year, the exploitation of GlobalProtect demonstrated that Palo Alto Networks devices are an attractive target for threat actors. 

Recommendations

Upgrade to Latest Fixed Version

Arctic Wolf strongly recommends that customers upgrade to one of the latest available fixed versions. 

Product      | Vulnerability                | Affected Version     | Fixed Version
PAN-OS 11.2  | CVE-2024-0012, CVE-2024-9474 | Prior to 11.2.4-h1   | 11.2.4-h1 or later
PAN-OS 11.1  | CVE-2024-0012, CVE-2024-9474 | Prior to 11.1.5-h1   | 11.1.5-h1 or later
PAN-OS 11.0  | CVE-2024-0012, CVE-2024-9474 | Prior to 11.0.6-h1   | 11.0.6-h1 or later
PAN-OS 10.2  | CVE-2024-0012, CVE-2024-9474 | Prior to 10.2.12-h2  | 10.2.12-h2 or later
PAN-OS 10.1  | CVE-2024-9474                | Prior to 10.1.14-h6  | 10.1.14-h6 or later
  • Note: Cloud NGFW and Prisma Access are not affected by this vulnerability. 

Palo Alto Networks is making patches available for other TAC-preferred and commonly deployed maintenance releases. 

If a device is confirmed to have been exploited, PAN recommends disconnecting the device from the internet and contacting their Global Customer Support team to perform an Enhanced Factory Reset (EFR) on the affected device. 

Please follow your organisation’s patching and testing guidelines to minimise potential operational impact. 

Secure Management Interface 

Arctic Wolf strongly advises customers to secure their management interfaces by restricting access to trusted internal IP addresses and blocking access from the internet. 

To assist with this, customers can identify publicly exposed assets (tagged with PAN-SA-2024-0015) and take appropriate action if any are found. This can be done by navigating to https://support.paloaltonetworks.com and following the path: Products → Assets → All Assets → Remediation Required. 

  • Restricting access to a jump box as the only system allowed to access the management interface reduces the exploitation risk to a CVSS severity of 5.9, as attacks would require privileged access from approved IP addresses only. 
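The following script is an added example, not part of the Arctic Wolf bulletin or any Palo Alto Networks tooling. It turns the fixed-version table above into a triage check over a device inventory: each PAN-OS version string is parsed (including the -hN hotfix suffix), compared against the first fixed release for its train, and devices still needing action are listed with internet-exposed management interfaces first, matching the two recommendations above. The inventory records, hostnames and the "management interface exposed" flag are constructed sample data. Because Palo Alto Networks is also shipping patches for other maintenance releases not in the table, a "vulnerable" result here means "older than the listed fixed release" and should be confirmed against the vendor advisory; trains the table does not cover are reported as "not-listed" rather than assumed safe.

```python
import re
from typing import Dict, List, NamedTuple, Tuple


class PanOsVersion(NamedTuple):
    """PAN-OS release as a comparable tuple: MAJOR.MINOR.MAINT[-hHOTFIX]."""
    major: int
    minor: int
    maint: int
    hotfix: int  # 0 when the version carries no -hN suffix


_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:-h(\d+))?$")


def parse_version(text: str) -> PanOsVersion:
    """Parse strings such as '11.2.4-h1' or '10.1.14'; reject anything else."""
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised PAN-OS version string: {text!r}")
    major, minor, maint, hotfix = m.groups()
    return PanOsVersion(int(major), int(minor), int(maint), int(hotfix or 0))


# First fixed release per train, copied from the bulletin's table.
# Key: (major, minor) train -> (fixed release, CVEs addressed in that train).
FIXED_RELEASES: Dict[Tuple[int, int], Tuple[str, Tuple[str, ...]]] = {
    (11, 2): ("11.2.4-h1", ("CVE-2024-0012", "CVE-2024-9474")),
    (11, 1): ("11.1.5-h1", ("CVE-2024-0012", "CVE-2024-9474")),
    (11, 0): ("11.0.6-h1", ("CVE-2024-0012", "CVE-2024-9474")),
    (10, 2): ("10.2.12-h2", ("CVE-2024-0012", "CVE-2024-9474")),
    (10, 1): ("10.1.14-h6", ("CVE-2024-9474",)),
}


def assess(version_text: str) -> dict:
    """Classify one PAN-OS version against the table.

    status is 'fixed', 'vulnerable', or 'not-listed' (a train the table does
    not cover, which needs a manual check against the vendor advisory).
    """
    v = parse_version(version_text)
    train = (v.major, v.minor)
    if train not in FIXED_RELEASES:
        return {"version": version_text, "status": "not-listed", "cves": ()}
    fixed_text, cves = FIXED_RELEASES[train]
    # Tuple comparison orders hotfixes correctly: 10.2.12-h1 < 10.2.12-h2.
    if v >= parse_version(fixed_text):
        return {"version": version_text, "status": "fixed", "cves": ()}
    return {"version": version_text, "status": "vulnerable",
            "cves": cves, "fixed": fixed_text}


# Constructed sample inventory: (hostname, PAN-OS version, management
# interface reachable from the internet?). These are not real devices.
SAMPLE_INVENTORY = [
    ("fw-dmz-01", "11.2.3-h2", True),
    ("fw-core-01", "11.2.4-h1", False),
    ("fw-branch-07", "10.1.14-h5", False),
    ("fw-lab-02", "10.2.12-h1", True),
    ("fw-legacy-01", "9.1.17", False),
]


def triage(inventory) -> List[dict]:
    """Return devices still needing action, exposed and vulnerable ones first."""
    findings = []
    for hostname, version, mgmt_exposed in inventory:
        result = assess(version)
        if result["status"] == "fixed":
            continue
        findings.append({"host": hostname, "mgmt_exposed": mgmt_exposed, **result})
    # Priority: vulnerable before not-listed, exposed before internal-only.
    findings.sort(key=lambda f: (f["status"] != "vulnerable",
                                 not f["mgmt_exposed"], f["host"]))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_INVENTORY):
        print(f"{f['host']:<14} {f['version']:<12} {f['status']:<11} "
              f"exposed={f['mgmt_exposed']} cves={','.join(f['cves']) or '-'}")
```

Feed `triage()` the hostname/version/exposure tuples from your own asset inventory (the exposure flag can come from the PAN-SA-2024-0015 remediation list in the support portal); anything reported as "vulnerable" and exposed is the first candidate for both patching and locking the management interface down to a jump box.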
