- If ChatGPT produces AI-generated code for your app, who does it really belong to?
- The best iPhone power banks of 2024: Expert tested and reviewed
- The best NAS devices of 2024: Expert tested
- Four Ways to Harden Your Code Against Security Vulnerabilities and Weaknesses
- I converted this Windows 11 Mini PC into a Linux workstation - and didn't regret it
CVE-2024-0012, CVE-2024-9474: Zero-Day Vulnerabilities in Palo Alto PAN-OS Exploited In The Wild
Palo Alto Networks confirmed two zero-day vulnerabilities were exploited as part of attacks in the wild against PAN-OS devices, with one being attributed to Operation Lunar Peek.
Background
On November 18, Palo Alto Networks updated its advisory (PAN-SA-2024-0015) for a critical flaw in its PAN-OS software to include a CVE identifier:
CVE | Description | CVSS |
---|---|---|
CVE-2024-0012 | PAN-OS Authentication Bypass Vulnerability | 9.3 |
In addition to CVE-2024-0012, Palo Alto Networks assigned a second CVE for a privilege escalation vulnerability (CVE-2024-9474).
CVE | Description | CVSS |
---|---|---|
CVE-2024-9474 | PAN-OS Privilege Escalation Vulnerability | 6.9 |
Analysis
CVE-2024-0012 is an authentication bypass vulnerability in the management web interface of PAN-OS devices. An unauthenticated, remote attacker could exploit this vulnerability to obtain administrator privileges on the vulnerable PAN-OS device, enabling follow-on activity including modifying device configuration, accessing other administrative functions as well as exploiting other vulnerabilities, such as CVE-2024-9474.
CVE-2024-9474 is a privilege escalation vulnerability in the web management interface of PAN-OS devices. An authenticated, remote attacker could exploit this vulnerability to gain root privileges on the firewall.
While not explicitly referenced in its advisory, based on the description, it is believed that CVE-2024-0012 and CVE-2024-9474 may have been used as part of an exploit chain.
Attributed to Operation Lunar Peek
In a threat brief about the vulnerabilities, Palo Alto Networks’ Unit 42 have attributed the exploitation of CVE-2024-0012 to a campaign they call Operation Lunar Peek. As of November 18, no specific details have yet to be shared about Operation Lunar Peek or attribution to a specific threat actor or country of origin.
While Unit 42 did not explicitly connect CVE-2024-9474 to this operation, they reference this flaw as part of follow-on activity and have stated they’ve “observed threat activity that exploits this vulnerability against a limited number of management web interfaces.”
Initial advisory published on November 8
PAN-SA-2024-0015 was first published on November 8, following reports of a zero-day vulnerability affecting the management interfaces of PAN-OS devices. Reports indicate that someone was selling access to a zero-day in PAN-OS. It wasn’t until November 14 that Palo Alto Networks confirmed “threat activity” associated with this zero-day.
Proof of concept
At the time this blog post was published, there was no proof-of-concept (PoC) available for this vulnerability.
Solution
The following table contains a list of affected and fixed versions of PAN-OS:
Product | CVE-2024-0012 | CVE-2024-9474 | Fixed Version |
---|---|---|---|
PAN-OS 10.1 | Not Affected | 10.1.14-h4 and below | 10.1.14-h6 and above |
PAN-OS 10.2 | 10.2.12-h1 and below | 10.2.12-h1 and below | 10.2.12-h2 and above |
PAN-OS 11.0 | 11.0.5-h2 and below | 11.0.5-h2 and below | 11.0.6-h1 and above |
PAN-OS 11.1 | 11.1.4-h7 and below | 11.1.4-h7 and below | 11.1.5-h1 and above |
PAN-OS 11.2 | 11.2.3-h3 and below | 11.2.3-h3 and below | 11.2.4-h1 and above |
Cloud NGFW | Not Affected | Not Affected | – |
Prsima Access | Not Affected | Not Affected | – |
Equally as important as applying patches, organizations that utilize PAN-OS devices should secure the management web interface to prevent external access, opting instead to limit access to trusted internal IP addresses. For more information, please refer to Palo Alto’s guide, Tips & Tricks: How to Secure the Management Access of Your Palo Alto Networks Device.
Identifying affected systems
A list of Tenable plugins for this vulnerability can be found on the individual CVE pages for CVE-2024-0012 and CVE-2024-9474 as they’re released. These links will display all available plugins for these vulnerabilities, including upcoming plugins in our Plugins Pipeline.
Get more information
Join Tenable’s Security Response Team on the Tenable Community.
Learn more about Tenable One, the Exposure Management Platform for the modern attack surface.