Arctic Wolf Security Bulletin

Follow-Up: Critical Authentication Bypass Vulnerability in Palo Alto Networks Firewalls Actively Exploited (CVE-2024-0012)


Update (11/20/2024): Another follow-up bulletin has been published with new updates. Please refer to our updated bulletin for the most current information.

On November 18, 2024, Palo Alto Networks (PAN) released updated information on an actively exploited vulnerability impacting PAN-OS, the operating system that powers PAN firewalls. Originally disclosed last week as a remote command execution vulnerability, this flaw has now been reclassified as an authentication bypass flaw and assigned CVE-2024-0012. It allows an unauthenticated attacker with network access to the management web interface to gain administrator privileges, enabling them to perform administrative actions, alter configurations, or exploit other authenticated privilege escalation vulnerabilities. 

According to PAN's security advisory, Prisma Access and Cloud NGFW are not impacted by this issue. To mitigate the risk, PAN strongly advises customers to secure their management interfaces by restricting access to trusted internal IP addresses and ensuring they are not exposed to the internet. Limiting access to specific IPs, such as a jump box, significantly reduces the risk of exploitation.

  • In such cases, the vulnerability is reclassified as medium severity (CVSS 5.9), as a threat actor would need prior privileged access to the permitted IPs. 

Threat actors are likely to quickly develop proof-of-concept exploits and target this vulnerability due to the significant access they could gain by compromising a publicly exposed firewall. PAN products have historically been attractive targets, with one notable instance earlier this year where threat actors targeted the GlobalProtect feature of PAN-OS. 

Recommendations

Upgrade to Latest Fixed Version

Arctic Wolf strongly recommends that customers upgrade to the latest fixed version. 

Product      Affected Version              Fixed Version
PAN-OS 11.2  Versions prior to 11.2.4-h1   Versions 11.2.4-h1 or later
PAN-OS 11.1  Versions prior to 11.1.5-h1   Versions 11.1.5-h1 or later
PAN-OS 11.0  Versions prior to 11.0.6-h1   Versions 11.0.6-h1 or later
PAN-OS 10.2  Versions prior to 10.2.12-h2  Versions 10.2.12-h2 or later
  • Note: PAN-OS 10.1, Cloud NGFW, and Prisma Access are not affected by this vulnerability. 

Palo Alto Networks is making patches available for other TAC-preferred and commonly deployed maintenance releases. 

Please follow your organization’s patching and testing guidelines to minimize potential operational impact. 
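
The version table above can be applied to a firewall inventory with a short script. The following is an added example, not code from Arctic Wolf or Palo Alto Networks; the hostnames and inventory versions are constructed, and the function names are hypothetical.

```python
import re

# Fixed versions per release train, copied from the bulletin's table.
FIXED = {
    (11, 2): "11.2.4-h1",
    (11, 1): "11.1.5-h1",
    (11, 0): "11.0.6-h1",
    (10, 2): "10.2.12-h2",
}
NOT_AFFECTED_TRAINS = {(10, 1)}  # per the note under the table

_VERSION = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:-h(\d+))?$")


def parse_version(text):
    """Return (major, minor, maintenance, hotfix); no -hN suffix means hotfix 0."""
    m = _VERSION.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised PAN-OS version string: {text!r}")
    major, minor, maint, hotfix = m.groups()
    return int(major), int(minor), int(maint), int(hotfix or 0)


def classify(version):
    """Classify a version as 'affected', 'fixed', 'not-affected' or 'unknown'."""
    parsed = parse_version(version)
    train = parsed[:2]
    if train in NOT_AFFECTED_TRAINS:
        return "not-affected"
    if train not in FIXED:
        return "unknown"  # train not listed in the bulletin; check the vendor advisory
    # Tuple comparison orders by maintenance release first, then hotfix number.
    # Hotfixes issued for older maintenance releases are not in the table, so
    # they are reported as affected here and need a manual check.
    return "fixed" if parsed >= parse_version(FIXED[train]) else "affected"


# Constructed inventory for illustration; hostnames and versions are made up.
INVENTORY = {
    "fw-edge-01": "11.1.5",
    "fw-edge-02": "11.1.5-h1",
    "fw-dc-01": "10.2.12-h1",
    "fw-dc-02": "10.2.13",
    "fw-lab-01": "10.1.14-h6",
}

if __name__ == "__main__":
    for host, ver in sorted(INVENTORY.items()):
        print(f"{host:12} {ver:12} {classify(ver)}")
```

A result of "unknown" or an "affected" result on a hotfixed older maintenance release should be confirmed against the vendor advisory, since the table lists only one fixed version per release train.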

Secure Management Interface

Arctic Wolf strongly advises customers to secure their management interfaces by restricting access to trusted internal IP addresses and blocking access from the internet. 

To assist with this, customers can identify publicly exposed assets (tagged with PAN-SA-2024-0015) and take appropriate action if any are found. This can be done by navigating to https://support.paloaltonetworks.com and following the path: Products → Assets → All Assets → Remediation Required. 

  • Restricting access to a jump box as the only system allowed to access the management interface reduces the exploitation risk to a CVSS severity of 5.9, as attacks would require privileged access from approved IP addresses only. 
