Mystery Palo Alto Networks hijack-my-firewall zero-day now officially under exploit

Yank access to management interface, stat

A critical zero-day vulnerability in Palo Alto Networks' firewall management interface that can allow an unauthenticated attacker to remotely execute code is now officially under active exploitation.

According to the equipment maker, the vulnerability requires no user interaction or privileges to exploit, and its attack complexity is deemed "low." There's no CVE number assigned to the flaw, which received a 9.3 out of 10 CVSSv4.0 rating, and currently has no patch.

Exploitation potentially allows a miscreant to take control of a compromised firewall, providing further access into a network. That said, the intruder must be able to reach the firewall's management interface, either internally or across the internet.

Palo Alto Networks earlier urged network hardening of its products – recommending locking off access to the interface, basically – after learning of an unverified, mystery remote code execution (RCE) flaw in its devices' PAN-OS some days ago. But in a late Thursday update, it confirmed it "has observed threat activity exploiting an unauthenticated remote command execution vulnerability against a limited number of firewall management interfaces which are exposed to the internet." 

Because of this, customers must "immediately" make sure that only trusted, internal IPs can access the management interface on their Palo Alto firewall systems — and cut off all access to the interface from the open internet. 

Until a software fix becomes available, "securing access to the management interface is the best recommended action," the vendor said. "As we investigate the threat activity, we are preparing to release fixes and threat prevention signatures as early as possible."

The Register has reached out to Palo Alto Networks for additional information about the bug, who is exploiting it, and when it expects to issue a patch. We will update this story when we hear back.

Palo Alto Networks also noted that, as of now, neither Prisma Access nor Cloud NGFW are affected.

To identify any potentially vulnerable devices that require remediation, check out this customer support portal (Products → Assets → All Assets → Remediation Required). The portal displays devices with any internet-facing management interfaces identified by Palo Alto Networks during their scans and tags them with "PAN-SA-2024-0015." If you don't see any devices listed, it indicates that no flagged interfaces were found for your account.

However, "this list may not be complete, so please ensure that you verify that all of your devices are properly configured," the security advisory warns, urging customers to follow best practices.
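The advisory's mitigation is a configuration check: every firewall's management interface should accept connections only from trusted, internal source addresses, and the vendor's portal list of exposed devices is explicitly not guaranteed to be complete. The script below is an added example (not Palo Alto Networks' own tooling and not code from the article) of how a defender might audit their own inventory rather than rely on the portal alone. It assumes each device's management allow-list has been exported as a list of CIDR strings; the device names, addresses and the notion of an empty list meaning "no restriction configured" are constructed for illustration. It flags three conditions: no allow-list at all, an entry covering any source, and an entry outside the RFC 1918 private ranges that should be confirmed as a trusted management host.

```python
import ipaddress

# RFC 1918 private ranges; an allow-list entry inside one of these is treated as "internal".
# TEST-NET and other special-use ranges are deliberately NOT treated as internal here,
# so that anything outside RFC 1918 is surfaced for review.
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed sample inventory (hypothetical hostnames and addresses, not from the article).
# Each value models one firewall's management-interface allow-list: the source networks
# permitted to reach the management plane. An empty list models "no allow-list configured".
SAMPLE_INVENTORY = {
    "fw-branch-01": ["10.20.0.0/24", "10.20.1.5/32"],      # internal only: acceptable
    "fw-dc-edge":   [],                                     # nothing configured: fully exposed
    "fw-lab-03":    ["192.168.50.0/24", "0.0.0.0/0"],       # an any-source entry defeats the list
    "fw-partner":   ["172.16.4.0/22", "203.0.113.17/32"],   # one non-RFC1918 address to confirm
}


def classify_network(cidr: str) -> str:
    """Return 'any', 'internal' or 'external' for a single allow-list entry (IPv4 CIDR)."""
    net = ipaddress.ip_network(cidr, strict=False)
    if net.prefixlen == 0:
        return "any"                       # 0.0.0.0/0 (or ::/0): every source is permitted
    if net.version == 4 and any(net.subnet_of(private) for private in RFC1918):
        return "internal"
    return "external"                      # outside RFC 1918 (IPv6 entries land here for review)


def audit_device(name: str, permitted: list) -> list:
    """Return findings for one device; an empty list means the allow-list is internal-only."""
    findings = []
    if not permitted:
        findings.append(f"{name}: no management allow-list configured; interface reachable from any source")
        return findings
    for cidr in permitted:
        kind = classify_network(cidr)
        if kind == "any":
            findings.append(f"{name}: entry {cidr} permits any source and defeats the allow-list")
        elif kind == "external":
            findings.append(f"{name}: entry {cidr} is outside RFC 1918; confirm it is a trusted management host")
    return findings


def audit_inventory(inventory: dict) -> dict:
    """Return {device: findings} containing only the devices that need attention."""
    report = {}
    for name, permitted in inventory.items():
        findings = audit_device(name, permitted)
        if findings:
            report[name] = findings
    return report


if __name__ == "__main__":
    for device, findings in audit_inventory(SAMPLE_INVENTORY).items():
        for line in findings:
            print(line)
```

Run against the constructed inventory, the audit reports `fw-dc-edge`, `fw-lab-03` and `fw-partner` and stays silent on `fw-branch-01`. The "external" finding is intentionally advisory rather than a verdict: a jump host with a public address may be legitimate, but it should be a deliberate decision, which is the point of the vendor's "verify that all of your devices are properly configured" guidance.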

It's an odd situation because, as other security vendors have also noted, there have been rumors swirling of a possible zero-day bug all week. But until late Thursday, those appeared to be unsubstantiated. We will continue to monitor this story.

Meanwhile, in addition to this as-yet-unnamed CVE, on Thursday the US govt's Cybersecurity and Infrastructure Security Agency (CISA) added two other Palo Alto Networks security holes to its Known Exploited Vulnerabilities Catalog.

These include CVE-2024-9463, a critical, 9.9-CVSS-rated OS command injection vulnerability in Palo Alto Networks Expedition. This one can allow an unauthenticated attacker to run arbitrary OS commands as root and lead to disclosure of usernames, cleartext passwords, device configurations, and device API keys of PAN-OS firewalls.

CISA also added CVE-2024-9465, a 9.2-rated SQL injection vulnerability in Palo Alto Networks Expedition to its catalog of flaws under active attack. This one can be abused by an unauthenticated attacker to reveal Expedition database contents, such as password hashes, usernames, device configurations, and device API keys. 

The vendor has issued fixes for both of these flaws. ®