News: 1731704823

  ARM Give a man a fire and he's warm for a day, but set fire to him and he's warm for the rest of his life (Terry Pratchett, Jingo)

Mystery Palo Alto Networks hijack-my-firewall zero-day now officially under exploit

(2024/11/15)


A critical zero-day vulnerability in Palo Alto Networks' firewall management interface that can allow an unauthenticated attacker to remotely execute code is now officially under active exploitation.

According to the equipment maker, the vulnerability requires no user interaction or privileges to exploit, and its attack complexity is deemed "low." There's no CVE number assigned to the flaw, which received a 9.3 out of 10 CVSSv4.0 rating, and currently has no patch.

Exploitation potentially allows a miscreant to take control of a compromised firewall, providing further access into a network. That said, the intruder must be able to reach the firewall's management interface, either internally or across the internet.

[1]

Palo Alto Networks earlier urged network hardening of its products – recommending locking off access to the interface, basically – after learning of an unverified, mystery remote code execution (RCE) flaw in its devices' PAN-OS some days ago. But in a late Thursday [2]update , it confirmed it "has observed threat activity exploiting an unauthenticated remote command execution vulnerability against a limited number of firewall management interfaces which are exposed to the internet."

[3]

[4]

Because of this, customers must "immediately" make sure that only trusted, internal IPs can access the management interface on their Palo Alto firewall systems — and cut off all access to the interface from the open internet.

Until a software fix becomes available, "securing access to the management interface is the best recommended action," the vendor said. "As we investigate the threat activity, we are preparing to release fixes and threat prevention signatures as early as possible."

[5]

The Register has reached out to Palo Alto Networks for additional information about the bug, who is exploiting it, and when it expects to issue a patch. We will update this story when we hear back.

Palo Alto Networks also noted that, as of now, neither Prisma Access nor Cloud NGFW are affected.

To identify any potentially vulnerable devices that require remediation, check out [6]this customer support portal (Products → Assets → All Assets → Remediation Required). The portal displays devices with any internet-facing management interfaces identified by Palo Alto Networks during their scans and tags them with "PAN-SA-2024-0015." If you don't see any devices listed, it indicates that no flagged interfaces were found for your account.

[7]

However, "this list may not be complete, so please ensure that you verify that all of your devices are properly configured," the security advisory warns, urging customers to follow [8]best practices .

It's an odd situation because, as other security vendors have also noted, there have been [9]rumors swirling of a possible zero-day bug all week. But until late Thursday, those appeared to be unsubstantiated. We will continue to monitor this story.

[10]Iran's Pioneer Kitten hits US networks via buggy Check Point, Palo Alto gear

[11]Five Eyes infosec agencies list 2023's most exploited software flaws

[12]Microsoft Power Pages misconfigurations exposing sensitive data

[13]ShrinkLocker ransomware scrambled your files? Free decryption tool to the rescue

Meanwhile, in addition to this as-yet-unnamed CVE, on Thursday the US govt's Cybersecurity and Infrastructure Security Agency (CISA) [14]added two other Palo Alto Networks security holes to its [15]Known Exploited Vulnerabilities Catalog .

These include [16]CVE-2024-9463 , a critical, 9.9-CVSS-rated OS command injection vulnerability in Palo Alto Networks Expedition. This one can allow an unauthenticated attacker to run arbitrary OS commands as root and lead to disclosure of usernames, cleartext passwords, device configurations, and device API keys of PAN-OS firewalls.

CISA also added [17]CVE-2024-9465 , a 9.2-rated SQL injection vulnerability in Palo Alto Networks Expedition to its catalog of flaws under active attack. This one can be abused by an unauthenticated attacker to reveal Expedition database contents, such as password hashes, usernames, device configurations, and device API keys.

The vendor has [18]issued fixes for both of these flaws. ®

Get our [19]Tech Resources



[1] https://pubads.g.doubleclick.net/gampad/jump?co=1&iu=/6978/reg_security/cso&sz=300x50%7C300x100%7C300x250%7C300x251%7C300x252%7C300x600%7C300x601&tile=2&c=2ZzfSi4p0bT2mC0zlRIchuQAAAEs&t=ct%3Dns%26unitnum%3D2%26raptor%3Dcondor%26pos%3Dtop%26test%3D0

[2] https://security.paloaltonetworks.com/PAN-SA-2024-0015

[3] https://pubads.g.doubleclick.net/gampad/jump?co=1&iu=/6978/reg_security/cso&sz=300x50%7C300x100%7C300x250%7C300x251%7C300x252%7C300x600%7C300x601&tile=4&c=44ZzfSi4p0bT2mC0zlRIchuQAAAEs&t=ct%3Dns%26unitnum%3D4%26raptor%3Dfalcon%26pos%3Dmid%26test%3D0

[4] https://pubads.g.doubleclick.net/gampad/jump?co=1&iu=/6978/reg_security/cso&sz=300x50%7C300x100%7C300x250%7C300x251%7C300x252%7C300x600%7C300x601&tile=3&c=33ZzfSi4p0bT2mC0zlRIchuQAAAEs&t=ct%3Dns%26unitnum%3D3%26raptor%3Deagle%26pos%3Dmid%26test%3D0

[5] https://pubads.g.doubleclick.net/gampad/jump?co=1&iu=/6978/reg_security/cso&sz=300x50%7C300x100%7C300x250%7C300x251%7C300x252%7C300x600%7C300x601&tile=4&c=44ZzfSi4p0bT2mC0zlRIchuQAAAEs&t=ct%3Dns%26unitnum%3D4%26raptor%3Dfalcon%26pos%3Dmid%26test%3D0

[6] https://support.paloaltonetworks.com/Support/Index

[7] https://pubads.g.doubleclick.net/gampad/jump?co=1&iu=/6978/reg_security/cso&sz=300x50%7C300x100%7C300x250%7C300x251%7C300x252%7C300x600%7C300x601&tile=3&c=33ZzfSi4p0bT2mC0zlRIchuQAAAEs&t=ct%3Dns%26unitnum%3D3%26raptor%3Deagle%26pos%3Dmid%26test%3D0

[8] https://live.paloaltonetworks.com/t5/community-blogs/tips-amp-tricks-how-to-secure-the-management-access-of-your-palo/ba-p/464431

[9] https://www.rapid7.com/blog/post/2024/11/15/etr-zero-day-exploitation-targeting-palo-alto-networks-firewall-management-interfaces/

[10] https://www.theregister.com/2024/08/28/iran_pioneer_kitten/

[11] https://www.theregister.com/2024/11/14/five_eyes_2023_top_vulnerabilities/

[12] https://www.theregister.com/2024/11/15/microsoft_power_pages_misconfigurations/

[13] https://www.theregister.com/2024/11/14/shrinklocker_ransomware_decryptor/

[14] https://www.cisa.gov/news-events/alerts/2024/11/14/cisa-adds-two-known-exploited-vulnerabilities-catalog

[15] https://www.cisa.gov/known-exploited-vulnerabilities-catalog

[16] https://www.cve.org/CVERecord?id=CVE-2024-9463

[17] https://www.cve.org/CVERecord?id=CVE-2024-9465

[18] https://security.paloaltonetworks.com/PAN-SA-2024-0010

[19] https://whitepapers.theregister.com/



Wonder how long before the US CISA stops issuing warnings and recommendations.

elDog

Might as well invite the Saint Petersburg (RU) folks to have a seat in front of one of the US INFOSEC computers. They'll have to elbow their way in past the Israelis, the Chinese.

What do you think a 24-hour session with full admin controls would be worth? Trump and others are interested.

Re: Wonder how long before the US CISA stops issuing warnings and recommendations.

Tom Chiverton 1

who do PA think they are, Cisco?

Here we go again.

Anonymous Coward

Fucks sake, Firewall. You literally had one job to do.

Scratch the disks, dump the core, Shut it down, pull the plug
Roll the tapes across the floor, Give the core an extra tug
And the system is going to crash. And the system is going to crash.
Teletypes smashed to bits. Mem'ry cards, one and all,
Give the scopes some nasty hits Toss out halfway down the hall
And the system is going to crash. And the system is going to crash.
And we've also found Just flip one switch
When you turn the power down, And the lights will cease to twitch
You turn the disk readers into trash. And the tape drives will crumble
in a flash.
Oh, it's so much fun, When the CPU
Now the CPU won't run Can print nothing out but "foo,"
And the system is going to crash. The system is going to crash.
-- To the tune of "As the Caissons go Rolling Along"