CVE-2024-0012 PAN-OS: Authentication Bypass in the Management Web Interface

SOCFortress
Nov 19, 2024


Need Help?

The functionality discussed in this post, and so much more, are available via the SOCFortress platform. Let SOCFortress help you and your team keep your infrastructure secure.

Website: https://www.socfortress.co/

Contact Us: https://www.socfortress.co/contact_form.html

Intro

An authentication bypass in Palo Alto Networks PAN-OS software enables an unauthenticated attacker with network access to the management web interface to gain PAN-OS administrator privileges to perform administrative actions, tamper with the configuration, or exploit other authenticated privilege escalation vulnerabilities like CVE-2024-9474.

The risk of this issue is greatly reduced if you secure access to the management web interface by restricting access to only trusted internal IP addresses according to our recommended best practice deployment guidelines.

This issue is applicable only to PAN-OS 10.2, PAN-OS 11.0, PAN-OS 11.1, and PAN-OS 11.2 software. Cloud NGFW and Prisma Access are not impacted by this vulnerability.

Palo Alto Networks observed threat activity that exploits this vulnerability against a limited number of management web interfaces that are exposed to internet traffic coming from outside the network.

Reference: https://security.paloaltonetworks.com/CVE-2024-0012

Product status

Workarounds and Mitigations

Recommended mitigation — The vast majority of firewalls already follow Palo Alto Networks and industry best practices. However, if you haven’t already, we strongly recommend that you secure access to your management interface according to our best practice deployment guidelines. Specifically, you should restrict access to the management interface to only trusted internal IP addresses to prevent external access from the internet.

Indicators of Compromise

Threat actor IPs were identified attempting to scan and/or connect to management web interfaces in order to exploit CVE-2024-0012.

Many of these IPs have been known to proxy / tunnel traffic for anonymous VPN services, which may include legitimate user activity originating from these IPs to other destinations.


Detection

If you use the SOCFortress SIEM stack, authentications to the management interface can be identified by the field

log_subtype = auth

The auth event also records the source IP of the login in its message, for example:

authenticated for user 'admin'. From: xx.xx.xx.xx
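As an added example (not code from the original post or from the SOCFortress platform), the check below applies the detection just described in Python: it keeps only events with log_subtype = auth, parses the user and source address out of the message shape quoted above, and flags successful management logins whose source lies outside the trusted internal ranges that the mitigation section recommends. The event field name "message", the trusted network, and the sample records are assumptions constructed for the example.

```python
import ipaddress
import re

# Matches the PAN-OS auth message shape quoted in the post:
#   authenticated for user 'admin'. From: 203.0.113.10
AUTH_RE = re.compile(
    r"authenticated for user '(?P<user>[^']+)'\. From: (?P<src>[0-9a-fA-F.:]+)"
)

# Constructed sample records shaped like normalized SIEM events. The field
# name "message" is an assumption; log_subtype is the field the post names.
SAMPLE_EVENTS = [
    {"log_subtype": "auth", "message": "authenticated for user 'admin'. From: 10.10.5.23"},
    {"log_subtype": "auth", "message": "authenticated for user 'admin'. From: 198.51.100.77"},
    {"log_subtype": "general", "message": "Config commit succeeded"},
    {"log_subtype": "auth", "message": "failed authentication for user 'admin'. From: 198.51.100.77"},
]

# Assumed trusted management network, per the "trusted internal IP addresses" guidance.
TRUSTED_MGMT_NETS = [ipaddress.ip_network("10.10.0.0/16")]


def parse_auth_event(message):
    """Return (user, src_ip) for a successful management auth message, else None."""
    m = AUTH_RE.search(message)
    if not m:
        return None
    try:
        return m.group("user"), ipaddress.ip_address(m.group("src"))
    except ValueError:  # malformed address in the log line
        return None


def is_trusted(src, trusted_nets=TRUSTED_MGMT_NETS):
    """True when the source address falls inside one of the trusted ranges."""
    return any(src in net for net in trusted_nets)


def find_untrusted_mgmt_logins(events, trusted_nets=TRUSTED_MGMT_NETS):
    """Return (user, src) pairs for successful mgmt logins from outside trusted ranges."""
    hits = []
    for ev in events:
        if ev.get("log_subtype") != "auth":
            continue
        parsed = parse_auth_event(ev.get("message", ""))
        if parsed is None:  # failed logins and non-login auth messages are skipped
            continue
        user, src = parsed
        if not is_trusted(src, trusted_nets):
            hits.append((user, str(src)))
    return hits


if __name__ == "__main__":
    for user, src in find_untrusted_mgmt_logins(SAMPLE_EVENTS):
        print(f"ALERT: management login for {user} from untrusted address {src}")
```

Successful logins from inside the trusted range are left alone, so the output is a short list that an analyst can triage rather than every auth event.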



Written by SOCFortress

SOCFortress is a SaaS company that unifies Observability, Security Monitoring, Threat Intelligence and Security Orchestration, Automation, and Response (SOAR).
