CVE-2024-0012/CVE-2024-9474
PanOS Authentication Bypass / Command injection

Le Lab Gatewatcher D

Introduction

  • Remote
  • Authenticated
  • Default config
  • Source

Affected versions

  • PAN-OS 11.2 (<11.2.4-h1) 
  • PAN-OS 11.1 (<11.1.5-h1) 
  • PAN-OS 11.0 (<11.0.6-h1) 
  • PAN-OS 10.2 (<10.2.12-h2) 
  • PAN-OS 10.1 (<10.1.14-h6) : only for CVE-2024-9474 

 

Details


On November 18, 2024, Palo Alto Networks released two security advisories regarding the operating system used in some of its products.

The first vulnerability, identified as CVE-2024-0012, is classified as critical with a CVSS v4.0 score of 9.3. It allows attackers to bypass authentication on the management interface of affected devices, granting administrative access.

The second vulnerability, CVE-2024-9474, enables actions to be performed on the firewall itself through an administrator account on the management interface. This vulnerability is considered of medium severity, with a CVSS v4.0 score of 6.9.

 

Points to consider regarding the vulnerabilities

First, regarding the second vulnerability: it is important to distinguish between an administrator of the underlying system and an administrator account within the solution itself. In this context, a management interface administrator has the rights needed to manage the features the solution provides (e.g., managing filtering rules, creating users, etc.) but cannot modify the solution's underlying system. The issue is that a management interface user could make unauthorized modifications to that underlying system.

The second point of attention is the combination of these two vulnerabilities. Together, they could allow an attacker with no prior access to take full control of the solution.

Finally, management interfaces are critical components, and security best practices recommend that they should not be directly accessible from the internet. Because some nevertheless are, the vendor has cross-referenced publicly exposed interfaces with registered devices and marked them as vulnerable in the accounts of the affected customers.

 

Timeline of CVE-2024-0012

The first mention of the vulnerability now identified as CVE-2024-0012 by the vendor dates back to November 8, when a recommendation was issued to secure the management interface. However, the vulnerability’s severity was escalated to critical on November 14, after confirmation that it was being exploited by threat actors.

 

Technical analysis by watchTowr

On November 19, watchTowr, known for its expertise in "patch diffing" (a technique that compares two software versions to identify the changes between them), published an article detailing the mechanics of these vulnerabilities. This analysis provided additional information, enabling the development of detection rules.

The vulnerabilities stem from inadequate input sanitization:

  • The first vulnerability involves a specific header (X-PAN-AUTHCHECK) that allows authentication bypass.
  • The second vulnerability enables command injection through the manipulation of a username field.

Detection


Thanks to these details, detection rules have been available since November 19.

  • 2057705 – ET WEB_SPECIFIC_APPS Palo Alto PAN-OS Authentication Bypass (CVE-2024-0012)
  • 2057706 – ET WEB_SPECIFIC_APPS Palo Alto PAN-OS Command Injection in User Parameter


The vendor has also published an article detailing the observed attacks and various Indicators of Compromise (IoCs). 
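The two request patterns named above (a client-supplied X-PAN-AUTHCHECK header, and shell metacharacters in a user parameter) can be checked for in a management-interface access log without waiting for an IDS rule update. The following script is an added example and is not Gatewatcher's, watchTowr's or Palo Alto Networks' code. It assumes a JSON-per-line log format, assumes that no legitimate client ever sends the X-PAN-AUTHCHECK header, and uses constructed internal address ranges and request records; the paths and header values in the sample are placeholders, not the real vulnerable endpoint or payload.

```python
"""Flag management-interface requests matching the CVE-2024-0012 /
CVE-2024-9474 patterns described in the advisory. Added example, not the
vendor's or the page's own code. Log format and allowlist are assumptions."""
import ipaddress
import json
import re
from urllib.parse import parse_qs, urlsplit

# Assumption: the management interface should only be reachable from these
# internal ranges (the vendor's recommended mitigation). Constructed values.
INTERNAL_ALLOWLIST = [
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("192.168.0.0/16"),
]

# Shell metacharacters that have no legitimate place in a username.
SHELL_META = re.compile(r"[;&|`$<>\n]")


def check_request(rec):
    """rec: dict with 'src', 'method', 'url', 'headers' and optional 'body'.
    Returns a list of alert names (empty when the request looks benign)."""
    alerts = []

    # 1. Exposure: a source outside the internal allowlist reaching the
    #    management interface at all is worth an alert on its own.
    src = ipaddress.ip_address(rec["src"])
    if not any(src in net for net in INTERNAL_ALLOWLIST):
        alerts.append("mgmt-interface-external-source")

    # 2. CVE-2024-0012 pattern: header names are case-insensitive in HTTP,
    #    so normalise before looking for X-PAN-AUTHCHECK. Assumption: this
    #    header is never sent by a legitimate client.
    headers = {k.lower(): v for k, v in rec.get("headers", {}).items()}
    if "x-pan-authcheck" in headers:
        alerts.append("client-supplied-x-pan-authcheck")

    # 3. CVE-2024-9474 pattern: shell metacharacters in the 'user' parameter,
    #    whether it arrives in the query string or in a form-encoded body.
    params = parse_qs(urlsplit(rec["url"]).query, keep_blank_values=True)
    for key, values in parse_qs(rec.get("body", ""), keep_blank_values=True).items():
        params.setdefault(key, []).extend(values)
    if any(SHELL_META.search(v) for v in params.get("user", [])):
        alerts.append("shell-metacharacter-in-user-parameter")

    return alerts


def scan(lines):
    """Parse JSON-per-line records; return {line_number: alerts} for hits."""
    hits = {}
    for number, line in enumerate(lines, 1):
        line = line.strip()
        if not line:
            continue
        alerts = check_request(json.loads(line))
        if alerts:
            hits[number] = alerts
    return hits


# Constructed sample records (not real traffic; paths and values are placeholders).
SAMPLE_LOG = """
{"src": "10.1.2.3", "method": "GET", "url": "/php/login.php", "headers": {"Host": "fw-mgmt"}}
{"src": "203.0.113.7", "method": "GET", "url": "/php/login.php", "headers": {"Host": "fw-mgmt", "X-PAN-AUTHCHECK": "placeholder"}}
{"src": "10.1.2.3", "method": "POST", "url": "/php/placeholder.php", "headers": {"Host": "fw-mgmt"}, "body": "user=alice;x&role=superuser"}
""".strip().splitlines()

if __name__ == "__main__":
    for number, alerts in scan(SAMPLE_LOG).items():
        print(f"line {number}: {', '.join(alerts)}")
```

The first record is clean and produces nothing; the second fires twice (external source plus the header); the third fires once on the user parameter. The allowlist check is deliberately independent of the two CVE-specific checks, so it keeps reporting exposure of the interface even after the patch is applied.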

Patch


The vendor simultaneously released the necessary patches to address the vulnerabilities alongside the CVE announcement.

If a prompt update is not feasible, the vendor recommends restricting access to the management interfaces to a limited range of internal IP addresses.