Palo Alto Networks

Palo Alto Networks has finally released security updates for two actively exploited zero-day vulnerabilities in its Next-Generation Firewalls (NGFW).

The first flaw, tracked as CVE-2024-0012, is an authentication bypass found in the PAN-OS management web interface that remote attackers can exploit to gain administrator privileges without requiring authentication or user interaction.

The second one (CVE-2024-9474) is a PAN-OS privilege escalation security flaw that allows malicious PAN-OS administrators to perform actions on the firewall with root privileges.

While CVE-2024-9474 was disclosed today, the company first warned customers on November 8 to restrict access to their next-generation firewalls because of a potential RCE flaw tagged last Friday as CVE-2024-0012.

“Palo Alto Networks observed threat activity that exploits this vulnerability against a limited number of management web interfaces that are exposed to internet traffic coming from outside the network,” the company warned today regarding both zero-days.

“Palo Alto Networks has actively monitored and worked with customers to identify and further minimize the very small number of PAN-OS devices with management web interfaces exposed to the Internet or other untrusted networks, ” it added in a separate report providing indicators of compromise for ongoing attacks targeting the flaws.

While the company says these zero-days impact only a “very small number” of firewalls, threat monitoring platform Shadowserver reported on Friday that it’s tracking more than 8,700 exposed PAN-OS management interfaces.

Palo Alto PAN-OS exposed management interfaces
Palo Alto PAN-OS exposed management interfaces (Shadowserver)

Macnica threat researcher Yutaka Sejiyama also told BleepingComputer that he found over 11,000 IP addresses running Palo Alto PAN-OS management interfaces exposed online using Shodan. According to Shodan, the most vulnerable devices are in the United States, followed by India, Mexico, Thailand, and Indonesia.

The U.S. cybersecurity agency added the CVE-2024-0012 and CVE-2024-9474 vulnerabilities to its Known Exploited Vulnerabilities Catalog and ordered federal agencies to patch their systems within three weeks by December 9.

In early November, CISA also warned of ongoing attacks exploiting a critical missing authentication vulnerability (CVE-2024-5910) in the Palo Alto Networks Expedition firewall configuration migration tool, a flaw patched in July that threat actors can remotely exploit it to reset application admin credentials on Internet-exposed Expedition servers.

“These types of vulnerabilities are frequent attack vectors for malicious cyber actors and pose significant risks to the federal enterprise,” CISA warns.

Source: www.bleepingcomputer.com