Critical firewall bug: Over 2000 Palo Alto devices already cracked worldwide
Only a few dozen devices are affected in German-speaking countries, but two countries have been hit particularly hard. Exploits are now public.
Due to a critical security vulnerability in Palo Alto firewalls, over 2,000 devices worldwide have now been taken over by attackers. The Shadowserver Project has established this through its own measurements. Ironically, the manufacturer of the devices only considers it possible, but not proven, that public exploits for the vulnerability exist.
Palo Alto, meanwhile, promises maximum transparency in its handling of the vulnerability, which is based on two different but interlinked flaws in the web GUI and the web server configuration of the firewalls. The flaws have now been fixed with patches. It is unclear whether devices that were already compromised are safe once updated.
(Image: The Shadowserver Foundation)
The USA is particularly affected by CVE-2024-0012 and CVE-2024-9474, with over 550 devices on November 20, followed by India with 460. With only 15 compromised devices, Germany apparently got off relatively lightly, while in Switzerland the Shadowserver Project's scans detected only eight devices. Firewalls in Austria apparently remain completely unscathed.
By yesterday, November 21, many admins had apparently already reacted and removed affected devices from the network or updated them: the numbers have halved within a day. A bitter aftertaste remains, however: how long did criminal and state attackers have secret knowledge of the security vulnerabilities?
Palo Alto is moderately confident
Palo Alto's IT security researchers from Unit 42 wrote in an updated assessment on November 20 that the existence of a working exploit could be assessed with medium to high confidence. This assessment raised eyebrows, as the blog article published by watchTowr Labs the day before contained a practically complete example exploit (proof of concept).
Furthermore, despite their assurances of transparency, the Palo Alto employees have not responded to reports that malicious code for the firewalls was already for sale three weeks ago. And the fact that CISA has also been warning of active attacks for days does not seem to provide "Unit 42" with any more clarity.
(cku)