Palo Alto: Unpatched zero-day in security appliances surfaces
Last week, Palo Alto informed customers about an unpatched vulnerability in the web interface of various firewalls. It is now being actively exploited.
The web GUI of Palo Alto firewalls opens a backdoor for attackers.
(Image: created with AI in Bing Designer by heise online / cku)
Administrators of Palo Alto firewalls can expect new trouble. An exploit for a vulnerability that the manufacturer reported last week is now being sold on an underground forum. Palo Alto has expanded its security advisory accordingly, but has not provided any patches. Those affected should take the web administration interface off the Internet.
The vulnerability is located in the web GUI and, according to the security advisory, allows unauthenticated attackers to inject and execute their own code. The advisory is sparing with details and does not yet carry a CVE ID, but the CVSS score of 9.3 gives an idea of how serious the bug is. It can be exploited remotely with little effort, without a login and without any action by a legitimate user. Vulnerabilities matching that description are ideal for automated exploitation.
Exploit code on offer
And apparently this is already happening, because attack code is for sale on the underground forum "Exploit". Palo Alto has already identified three IP addresses, apparently belonging to VPN services, from which the vulnerability has been successfully exploited, and more are likely to follow. On the compromised devices the attackers uploaded a "webshell", i.e. a script that lets them execute arbitrary commands on the appliance through its web server.
The first reports of the vulnerability appeared last week, but administrators have been searching in vain for patches or exact version information on the Palo Alto website. The manufacturer only says that customers should use the device management in their own support account to find out which devices require attention. The management interface must not be reachable from the Internet, which according to various Internet-wide scans is still the case for between 9,000 and 31,000 Palo Alto devices.
Palo Alto, like other security appliance manufacturers, is currently dealing with a considerable number of security vulnerabilities, some of them critical, such as the recent flaws in Palo Alto Expedition.
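Anyone who wants to verify from an outside vantage point whether one of their firewalls' management GUIs actually answers on the Internet can do so with a small probe like the one below. This is an added example for this article, not code from heise online or Palo Alto. The login path /php/login.php and the page markers it uses as a fingerprint are assumptions about what a PAN-OS management login page looks like, not indicators published in the advisory, and a hit only tells you that the interface is reachable from where the script runs, not that the device is vulnerable.

```python
"""Probe hosts for an Internet-reachable PAN-OS management web GUI.

Added example for this article. The fingerprint (login path and page markers)
is an assumption about the PAN-OS login page, not an indicator from the advisory.
"""
import ssl
import sys
import urllib.error
import urllib.request

# Assumed fingerprint of the PAN-OS management login page (example assumption).
LOGIN_PATH = "/php/login.php"
BODY_MARKERS = ("Palo Alto Networks", "PAN_FORM_CONTENT", "login.php")


class NoRedirect(urllib.request.HTTPRedirectHandler):
    """Surface 3xx responses instead of following them so the Location header stays visible."""

    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None  # falls through to the default handler, which raises HTTPError


def looks_like_panos_mgmt(status: int, headers: dict, body: str) -> bool:
    """Classify one HTTP response as a PAN-OS management login page.

    Accepts either a redirect whose Location points at the assumed login path,
    or a 200 page carrying at least two of the assumed body markers.
    """
    hdrs = {k.lower(): v for k, v in headers.items()}
    if status in (301, 302, 303, 307, 308):
        return LOGIN_PATH in hdrs.get("location", "")
    if status == 200:
        hits = sum(1 for marker in BODY_MARKERS if marker in body)
        return hits >= 2
    return False


def probe(host: str, port: int = 443, timeout: float = 5.0):
    """Fetch https://host:port/ from the current network position.

    Returns (status, headers, body) or None if nothing answered. Certificate
    verification is disabled because appliances commonly present self-signed
    certificates on the management interface; the content is not trusted.
    """
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    req = urllib.request.Request(
        f"https://{host}:{port}/", headers={"User-Agent": "mgmt-exposure-check"}
    )
    opener = urllib.request.build_opener(
        urllib.request.HTTPSHandler(context=ctx), NoRedirect()
    )
    try:
        with opener.open(req, timeout=timeout) as resp:
            body = resp.read(65536).decode("utf-8", "replace")
            return resp.status, dict(resp.headers), body
    except urllib.error.HTTPError as err:  # includes the un-followed 3xx
        body = err.read(65536).decode("utf-8", "replace")
        return err.code, dict(err.headers), body
    except (urllib.error.URLError, OSError):
        return None


def exposed_hosts(hosts):
    """Return the subset of hosts whose response looks like a PAN-OS management GUI."""
    found = []
    for host in hosts:
        result = probe(host)
        if result is not None and looks_like_panos_mgmt(*result):
            found.append(host)
    return found


if __name__ == "__main__":
    # Usage: python3 mgmt_check.py fw1.example.net fw2.example.net
    for host in sys.argv[1:]:
        r = probe(host)
        if r is None:
            print(f"{host}: no HTTPS response")
        elif looks_like_panos_mgmt(*r):
            print(f"{host}: PAN-OS management GUI reachable from here, restrict access")
        else:
            print(f"{host}: HTTPS answered but does not look like PAN-OS management")
```

Run it from a host outside your own network (for example a throwaway cloud VM), not from the LAN the management interface is supposed to be restricted to. Any hit should be followed by moving the management interface to a dedicated management network or at least limiting it to trusted source addresses (in the PAN-OS GUI under Device > Setup > Interfaces > Management, "Permitted IP Addresses"), which is the mitigation the advisory asks for until a patch is available.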
(cku)