Critical Palo Alto vulnerability: Patches are available, CISA warns of exploit
Almost three weeks after the first rumors of an exploit, the manufacturer has finally responded, but is playing games with the dates. Meanwhile, the US cyber security authority CISA warns of attacks.
Following several warnings, and attacks that have since become public, Palo Alto has now released patches for a vulnerability in its PAN-OS firewall operating system that has been known since the beginning of November. The manufacturer has also disclosed that what was thought to be a single code-injection bug is actually two: attackers first bypass the login and then inject their own program code into the device.
The exploit circulating in underground forums apparently chains both vulnerabilities. The first, CVE-2024-0012 (CVSS 9.3, critical), is an authentication bypass: an unauthenticated attacker with network access to the management interface obtains administrator privileges. With the second, CVE-2024-9474 (CVSS 6.9, medium), a privilege escalation, the attackers then run their own code on the device; in the known attacks this was a webshell used to execute arbitrary system commands. Both vulnerabilities are in the web-based management interface of PAN-OS.
Patches and affected versions
Palo Alto has now published two separate security advisories for CVE-2024-0012 (authentication bypass) and CVE-2024-9474 (privilege escalation). In both cases the affected PAN-OS versions are 10.1, 10.2, 11.0, 11.1 and 11.2, in all editions.
The fixed releases are:
- 11.2.4-h1
- 11.1.5-h1
- 11.0.6-h1
- 10.2.12-h2
- 10.1.14-h6
Administrators of affected devices should install the fixed releases as soon as possible. In addition, as Palo Alto already advised in its original security notice, the management interface should not be reachable from the Internet and should only be accessible from a restricted management network.
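As an added example (not Palo Alto's own tooling and not part of the original article), the following Python script checks an inventory of PAN-OS version strings against the five fixed releases listed above. It assumes the usual PAN-OS version format of major.minor.maintenance with an optional -hN hotfix suffix; the hostnames in the sample inventory are made up.

```python
"""Check PAN-OS version strings against the fixed releases named in the advisory.

Added example for this article; not Palo Alto's own tooling. The fixed
versions are the ones listed above. Version strings are assumed to follow
the release.major.maintenance[-hN] pattern that PAN-OS uses (e.g. "10.2.12-h2").
"""
import re

# Fixed releases per maintenance train, as published for CVE-2024-0012 / CVE-2024-9474.
FIXED = {
    "11.2": "11.2.4-h1",
    "11.1": "11.1.5-h1",
    "11.0": "11.0.6-h1",
    "10.2": "10.2.12-h2",
    "10.1": "10.1.14-h6",
}

_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:-h(\d+))?$")


def parse_version(version: str) -> tuple:
    """Turn '10.2.12-h2' into (10, 2, 12, 2); a release without a hotfix counts as h0."""
    m = _VERSION_RE.match(version.strip())
    if not m:
        raise ValueError(f"unrecognised PAN-OS version string: {version!r}")
    major, minor, maint, hotfix = m.groups()
    return (int(major), int(minor), int(maint), int(hotfix or 0))


def assess(version: str) -> str:
    """Return 'patched', 'vulnerable' or 'unknown-train' for one PAN-OS version."""
    parsed = parse_version(version)
    train = f"{parsed[0]}.{parsed[1]}"
    if train not in FIXED:
        # Trains the advisory does not list (e.g. 10.0 or 9.x) are not covered
        # here; consult the vendor advisory rather than assuming they are safe.
        return "unknown-train"
    # Tuple comparison orders by major, minor, maintenance, then hotfix number,
    # so 10.2.12-h1 sorts below the fixed 10.2.12-h2 and is flagged.
    return "patched" if parsed >= parse_version(FIXED[train]) else "vulnerable"


if __name__ == "__main__":
    # Constructed sample inventory; hostnames and versions are made up.
    inventory = {
        "fw-edge-01": "10.2.12-h1",
        "fw-edge-02": "10.2.12-h2",
        "fw-dc-01": "11.1.4-h7",
        "fw-dc-02": "11.2.4-h1",
        "fw-lab-01": "10.0.11",
    }
    for host, ver in inventory.items():
        print(f"{host:12} {ver:12} {assess(ver)}")
```

The check only knows the five releases named in this article. If the vendor advisory also lists backported hotfixes for older maintenance releases within a train, those need to be added to FIXED, otherwise such a device would be reported as vulnerable even though it carries the fix.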
The PAN-OS vulnerabilities have also attracted the attention of the US cyber security authority CISA. Because an exploit has been circulating in underground forums since the beginning of November, both CVE-2024-0012 and CVE-2024-9474 have been added to its catalog of Known Exploited Vulnerabilities (KEV).
Date tricks in the advisory
A closer look at the security advisory PAN-SA-2024-0015 reveals something odd: it is shown as published on November 18 and updated the same day. That is incorrect: PAN-SA-2024-0015 actually dates from November 8 of this year and was merely revised, as a comparison with archived copies shows. This raises suspicion, as it looks like a tactic to obscure how long the manufacturer actually took to respond.
The manufacturer also contradicts itself about who found the vulnerabilities: the top of the advisory states that they were "discovered externally", while at the bottom Palo Alto thanks its own "Deep Product Security Research Team" for the discovery.
The company's own threat researchers at Unit 42 have also published their findings, but these add little. As of early Tuesday morning, the report contained only a handful of IP addresses belonging to various VPN providers as "Indicators of Compromise", plus contact information for affected customers. Unit 42 offers no attribution to a known actor (APT) and no clear description of the attackers' methods.
(cku)