CVE-2024-0012 PAN-OS: Authentication Bypass in the Management Web Interface
Need Help?
The functionality discussed in this post, and so much more, are available via the SOCFortress platform. Let SOCFortress help you and your team keep your infrastructure secure.
Website: https://www.socfortress.co/
Contact Us: https://www.socfortress.co/contact_form.html
Intro
An authentication bypass in Palo Alto Networks PAN-OS software enables an unauthenticated attacker with network access to the management web interface to gain PAN-OS administrator privileges to perform administrative actions, tamper with the configuration, or exploit other authenticated privilege escalation vulnerabilities like CVE-2024-9474.
The risk of this issue is greatly reduced if you secure access to the management web interface by restricting access to only trusted internal IP addresses according to our recommended best practice deployment guidelines.
This issue is applicable only to PAN-OS 10.2, PAN-OS 11.0, PAN-OS 11.1, and PAN-OS 11.2 software. Cloud NGFW and Prisma Access are not impacted by this vulnerability.
Palo Alto Networks observed threat activity that exploits this vulnerability against a limited number of management web interfaces that are exposed to internet traffic coming from outside the network.
Reference: https://security.paloaltonetworks.com/CVE-2024-0012
Product status
Workarounds and Mitigations
Recommended mitigation — The vast majority of firewalls already follow Palo Alto Networks and industry best practices. However, if you haven’t already, we strongly recommend that you secure access to your management interface according to our best practice deployment guidelines. Specifically, you should restrict access to the management interface to only trusted internal IP addresses to prevent external access from the internet.
Indicators of Compromise
Threat actor IPs identified attempting to scan and/or connect to management web interfaces in order to exploit CVE-2024-0012.
Many of these IPs have been known to proxy / tunnel traffic for anonymous VPN services, which may include legitimate user activity originating from these IPs to other destinations.
Detection
If you use the SOCFortress SIEM stack, authentications to the management web interface can be identified with
log_subtype = auth
The auth event also records the source IP of the login in its message:
authenticated for user 'admin'. From: xx.xx.xx.xx
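The detection above can be turned into a simple check that combines the auth event with the mitigation guidance: every successful management login whose source IP falls outside your trusted internal ranges is worth an alert. This is an added example, not SOCFortress or Palo Alto Networks code; the field names, the trusted networks and the sample events are assumptions constructed to match the log_subtype and message format quoted above.

```python
import ipaddress
import re

# Trusted management networks (assumption: replace with your own internal ranges).
TRUSTED_MGMT_NETWORKS = [
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("192.168.0.0/16"),
]

# Matches the PAN-OS auth message quoted above; the login source is the "From:" field.
AUTH_RE = re.compile(
    r"authenticated for user '(?P<user>[^']+)'\. From: (?P<src>[0-9a-fA-F.:]+)"
)


def parse_auth_event(event: dict):
    """Return (user, src_ip) for a successful log_subtype=auth event, else None."""
    if event.get("log_subtype") != "auth":
        return None
    m = AUTH_RE.search(event.get("message", ""))
    if not m:
        return None
    try:
        src = ipaddress.ip_address(m.group("src"))
    except ValueError:  # malformed source field, do not guess
        return None
    return m.group("user"), src


def is_trusted(src) -> bool:
    """True when the source address lies inside one of the trusted management ranges."""
    return any(src in net for net in TRUSTED_MGMT_NETWORKS)


def find_untrusted_admin_logins(events):
    """Flag successful management logins whose source is outside the trusted ranges."""
    hits = []
    for event in events:
        parsed = parse_auth_event(event)
        if parsed is None:
            continue
        user, src = parsed
        if not is_trusted(src):
            hits.append({"user": user, "src_ip": str(src), "raw": event["message"]})
    return hits


# Constructed sample events in the shape of the SIEM fields discussed above.
SAMPLE_EVENTS = [
    {"log_subtype": "auth", "message": "authenticated for user 'admin'. From: 10.20.30.40"},
    {"log_subtype": "auth", "message": "authenticated for user 'admin'. From: 198.51.100.23"},
    {"log_subtype": "general", "message": "Config committed by admin"},
    {"log_subtype": "auth", "message": "failed authentication for user 'admin'. From: 203.0.113.9"},
]

if __name__ == "__main__":
    for hit in find_untrusted_admin_logins(SAMPLE_EVENTS):
        print(f"ALERT: {hit['user']} logged in from untrusted source {hit['src_ip']}")
```

Only the successful login from 198.51.100.23 is reported; the internal login, the non-auth event and the failed attempt are ignored.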