Palo Alto Networks tackles firewall-busting zero-days with critical patches

Amazing that these two bugs got into a production appliance, say researchers


Palo Alto Networks (PAN) has finally released CVE identifiers and patches for the zero-day exploitation that caused such a fuss last week.

The vendor dropped details of two vulnerabilities exploited as zero-days. The first, tracked as CVE-2024-0012, an authentication bypass bug, has a 9.3 (critical) severity rating, and users are encouraged to upgrade to one of the many patched maintenance versions of PAN-OS with the highest degree of urgency.

The second, CVE-2024-9474, carries a less severe 6.9 (medium) severity rating and is classified as a privilege escalation bug. Like the first, it lives in the PAN-OS management interface; it lets an attacker who has obtained admin access perform actions on the firewall as root.

The advisories for CVE-2024-0012 and CVE-2024-9474 each list the specific versions deemed safe: the latest releases available plus a limited number of earlier releases that are more commonly deployed.

PAN warned customers on Thursday that it was aware of a remote command execution bug being actively exploited on various publicly exposed firewall interfaces and a fix was coming soon.

While customers awaited a proper patch, PAN implored them to "immediately" cut off public internet access to the management interface, if that hadn't already been done, and to ensure that only trusted internal IPs could reach it.

PAN said at the end of last week that the risk of the exploit working was "greatly reduced" if those steps were taken.

You'll notice that the description of CVE-2024-0012 – "authentication bypass" – differs from the wording used when PAN teased it last week as a command execution issue.

It isn't clear why the description has changed. However, PAN's admission that the bug can be used in conjunction with vulnerabilities like CVE-2024-9474 suggests it discovered the authentication bypass wasn't the sole cause of the exploit activity detected last week. Rather, it could have been chained with the second zero-day, which does allow attackers to execute commands.

While PAN didn't explicitly say the two vulnerabilities were being chained, the researchers over at watchTowr appeared to assume they were.

They wrote in a blog: "This is a pair of bugs, described as 'authentication bypass in the management web interface' and a 'privilege escalation' respectively, strongly suggesting they are used as a chain to gain superuser access, a pattern that we've seen before with Palo Alto appliances."

The researchers added that they were able to trigger CVE-2024-0012 by supplying an x-pan-authcheck header with the value "off" in an HTTP request, which switched off the device's authentication check.

From there, they showed how CVE-2024-9474 lives in the appliance's PHP code and could be exploited with a series of specially crafted requests, stopping just short of publishing full proof-of-concept code – a departure from watchTowr's usual style – to give admins time to apply the necessary patches.
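As an added illustration, not code from watchTowr or Palo Alto Networks: the check below scans raw HTTP requests for the x-pan-authcheck header described above. It assumes the header is something the appliance's own front end sets internally, so any copy of it arriving from an external client is worth a look, and it flags the value "off" specifically. The sample requests, addresses and paths are constructed for the example, and the Finding type is the example's own.

```python
"""Scan raw HTTP requests for the X-PAN-AUTHCHECK header that watchTowr
described as the CVE-2024-0012 bypass trigger.

Added example for this article, not code from watchTowr or Palo Alto
Networks. Assumptions (labelled): the header is set internally by the
appliance's own front end, so any copy of it arriving from an external
client is suspicious, and the value "off" is the specific bypass. The
sample requests below are constructed, not captured traffic.
"""
from dataclasses import dataclass

HEADER = "x-pan-authcheck"


@dataclass(frozen=True)
class Finding:
    src: str        # client address the request came from
    method: str
    path: str
    value: str      # header value exactly as sent
    severity: str   # "high" for the "off" bypass value, "medium" otherwise


def parse_request(raw):
    """Split a raw HTTP/1.x request into (method, path, headers).

    Header names are lower-cased because HTTP header names are
    case-insensitive and an attacker can vary the case freely.
    """
    head = raw.split("\r\n\r\n", 1)[0]
    lines = head.split("\r\n")
    parts = lines[0].split()
    method, path = parts[0], parts[1]
    headers = {}
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    return method, path, headers


def classify(headers):
    """Return (value, severity) for the header, or (None, None) if absent."""
    value = headers.get(HEADER)
    if value is None:
        return None, None
    if value.strip().lower() == "off":
        return value, "high"
    return value, "medium"


def scan(requests):
    """requests: iterable of (source_ip, raw_request_text) pairs."""
    findings = []
    for src, raw in requests:
        method, path, headers = parse_request(raw)
        value, severity = classify(headers)
        if severity is not None:
            findings.append(Finding(src, method, path, value, severity))
    return findings


# Constructed sample traffic: one benign request and two carrying the header.
SAMPLE_REQUESTS = [
    ("203.0.113.5",
     "GET /login.php HTTP/1.1\r\nHost: fw.example.test\r\n"
     "User-Agent: Mozilla/5.0\r\n\r\n"),
    ("198.51.100.7",
     "POST /admin.php HTTP/1.1\r\nHost: fw.example.test\r\n"
     "X-PAN-AUTHCHECK: off\r\nContent-Length: 0\r\n\r\n"),
    ("198.51.100.7",
     "GET /index.php HTTP/1.1\r\nHost: fw.example.test\r\n"
     "x-pan-authcheck: on\r\n\r\n"),
]

if __name__ == "__main__":
    for f in scan(SAMPLE_REQUESTS):
        print(f"{f.severity:6} {f.src} {f.method} {f.path} {HEADER}={f.value!r}")
```

Run against a packet capture or reverse-proxy log that preserves request headers; a stock access log that records only the request line will not contain the header, which is why the example works from raw request text.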

"So, yet another super-duper secure next-generation hardened security appliance popped," watchTowr commented.

"This time it's due to those pesky backticks, combined with the super-complicated step of simply asking the server not to check our authentication via x-pan-authcheck.

"It's amazing that these two bugs got into a production appliance, amazingly allowed via the hacked-together mass of shell script invocations that lurk under the hood of a Palo Alto appliance."
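The backticks watchTowr refer to are PHP's shell-execution operator, which hands its string to a shell. What follows is an added, generic illustration of that bug class in Python, not the PAN-OS code path and not watchTowr's code: a handler that builds a shell command line from a request field, beside a form that passes the value as a single argv element and validates it first. The field name, the payload and the use of echo in place of a management script are the example's own assumptions.

```python
"""Shell command injection through a string-built command line, beside a
hardened form.

Added example for this article, not Palo Alto Networks' or watchTowr's
code and not the actual CVE-2024-9474 code path: a generic illustration
of the bug class the quote refers to. In PHP the backtick operator hands
its string to a shell; the Python equivalent used here is subprocess with
shell=True and a formatted string. The "username" field and the use of
echo in place of a management script are hypothetical.
"""
import re
import subprocess

USERNAME_RE = re.compile(r"[A-Za-z0-9_.-]{1,64}")


def lookup_vulnerable(username):
    """Vulnerable: the request field is interpolated straight into a shell
    command line, so shell metacharacters in it (backticks, $(), ;, |)
    are interpreted by /bin/sh. 'echo' stands in for a management script."""
    result = subprocess.run(f"echo {username}", shell=True,
                            capture_output=True, text=True)
    return result.stdout


def lookup_no_shell(username):
    """Better: argv list, no shell. The string reaches the program as one
    literal argument, so backticks are just characters."""
    result = subprocess.run(["echo", username], capture_output=True, text=True)
    return result.stdout


def lookup_hardened(username):
    """Hardened: no shell AND an allowlist on the input. Rejecting anything
    outside the expected character set also protects the called program
    from argument injection (for example a value starting with '-')."""
    if not USERNAME_RE.fullmatch(username):
        raise ValueError(f"rejected username: {username!r}")
    return lookup_no_shell(username)


PAYLOAD = "admin `echo INJECTED`"   # constructed attacker-controlled field

if __name__ == "__main__":
    print("vulnerable:", lookup_vulnerable(PAYLOAD).rstrip())
    print("no shell:  ", lookup_no_shell(PAYLOAD).rstrip())
    try:
        lookup_hardened(PAYLOAD)
    except ValueError as e:
        print("hardened:  ", e)
```

The vulnerable form prints "admin INJECTED" because the shell ran the backticked command; the argv form prints the payload verbatim; the hardened form refuses it before any process is spawned. On a real appliance the same split applies to every helper script the web tier calls: pass arguments as a list and validate them, never glue them into a command string.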

As of Monday, PAN said it was tracking a "limited set of exploitation activity," without going into any great detail about the scale at which the flaws were being attacked or by whom, though it said the activity was still ongoing.

"Palo Alto Networks has identified threat activity targeting a limited number of device management web interfaces," the vendor said. "This activity has primarily originated from IP addresses known to proxy/tunnel traffic for anonymous VPN services.

"Palo Alto Networks is still actively investigating and remediating this activity. Observed post-exploitation activity includes interactive command execution and dropping malware, such as webshells, on the firewall."

According to internet security organization The Shadowserver Foundation, the number of exposed devices running PAN-OS stood at 6,605. That's based on data from November 18, the latest available. The largest number of exposures were in Asia, closely followed by North America. ®
