TR-91 - Vulnerability identified as CVE-2024-0012, affecting Palo Alto Networks PAN-OS software

An authentication bypass in Palo Alto Networks PAN-OS software enables an unauthenticated attacker with network access to the management web interface to gain PAN-OS administrator privileges. This allows the attacker to perform administrative actions, tamper with the configuration, or exploit other authenticated privilege escalation vulnerabilities like CVE-2024-9474.

The risk is greatly reduced if access to the management web interface is restricted to trusted internal IP addresses, adhering to best practice deployment guidelines.

This issue impacts PAN-OS versions 10.2, 11.0, 11.1, and 11.2. Cloud NGFW and Prisma Access are not affected.

Impact

  • CAPEC ID: CAPEC-115
  • CAPEC Description: Authentication Bypass

Exploitation

Palo Alto Networks observed threat activity exploiting this vulnerability against exposed management web interfaces.

Problem Type

  • CWE ID: CWE-306
  • CWE Description: Missing Authentication for Critical Function

Affected Systems

Palo Alto Networks Products

  • Cloud NGFW: Not Affected, All versions unaffected.
  • PAN-OS:
    • Affected Versions:
      • 10.2.0 versions up to but not including 10.2.12-h2
      • 11.0.0 versions up to but not including 11.0.6-h1
      • 11.1.0 versions up to but not including 11.1.5-h1
      • 11.2.0 versions up to but not including 11.2.4-h1
    • Unaffected Versions: 10.1.0 and all versions that include the fix (see the Solutions section)
  • Prisma Access: Not Affected, All versions unaffected.

Mitigation and Solutions

Workarounds

The primary mitigation is to restrict access to the management interface to only trusted internal IP addresses. Review these resources for more information:

  • Palo Alto Networks LIVEcommunity article: https://live.paloaltonetworks.com/t5/community-blogs/tips-amp-tricks-how-to-secure-the-management-access-of-your-palo/ba-p/464431
  • Palo Alto Networks official documentation: https://docs.paloaltonetworks.com/best-practices/10-1/administrative-access-best-practices/administrative-access-best-practices/deploy-administrative-access-best-practices

If you have a Threat Prevention subscription, you can block attacks using Threat IDs 95746, 95747, 95752, 95753, 95759, and 95763 (Applications and Threats content version 8915-9075 or later).

Solutions

The issue is fixed in:

  • PAN-OS 10.2.12-h2
  • PAN-OS 11.0.6-h1
  • PAN-OS 11.1.5-h1
  • PAN-OS 11.2.4-h1
  • All later PAN-OS versions

Additional fixes are available for other commonly deployed maintenance releases, including:

  • PAN-OS 11.2: 11.2.0-h1, 11.2.1-h1, 11.2.2-h2, 11.2.3-h3
  • PAN-OS 11.1: 11.1.0-h4, 11.1.1-h2, 11.1.2-h15, 11.1.3-h11, 11.1.4-h7
  • PAN-OS 11.0: 11.0.0-h4, 11.0.1-h5, 11.0.2-h5, 11.0.3-h13, 11.0.4-h6, 11.0.5-h2
  • PAN-OS 10.2: 10.2.0-h4, 10.2.1-h3, 10.2.2-h6, 10.2.3-h14, 10.2.4-h32, 10.2.5-h9, 10.2.6-h6, 10.2.7-h18, 10.2.8-h15, 10.2.9-h16, 10.2.10-h9, 10.2.11-h6
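Checking a fleet against the affected ranges and fixed releases listed above is easy to get wrong because of the per-maintenance-release hotfixes. The following Python helper is an added example (not code from Palo Alto Networks or CIRCL): it encodes the fixed releases from this advisory and reports whether a given PAN-OS version string is still in an affected range, treating a release with no `-hN` suffix as hotfix 0 and any train not named in the advisory (for example 10.1) as unaffected.

```python
import re

# Fixed releases taken from the advisory, keyed by train (major, minor).
# The first entry per train is the base fix; later maintenance releases
# in that train are also fixed ("All later PAN-OS versions").
FIXED = {
    (10, 2): ["10.2.12-h2", "10.2.0-h4", "10.2.1-h3", "10.2.2-h6", "10.2.3-h14",
              "10.2.4-h32", "10.2.5-h9", "10.2.6-h6", "10.2.7-h18", "10.2.8-h15",
              "10.2.9-h16", "10.2.10-h9", "10.2.11-h6"],
    (11, 0): ["11.0.6-h1", "11.0.0-h4", "11.0.1-h5", "11.0.2-h5", "11.0.3-h13",
              "11.0.4-h6", "11.0.5-h2"],
    (11, 1): ["11.1.5-h1", "11.1.0-h4", "11.1.1-h2", "11.1.2-h15", "11.1.3-h11",
              "11.1.4-h7"],
    (11, 2): ["11.2.4-h1", "11.2.0-h1", "11.2.1-h1", "11.2.2-h2", "11.2.3-h3"],
}

_VER = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:-h(\d+))?$")


def parse(ver):
    """'10.2.4-h32' -> (10, 2, 4, 32); a release without a hotfix suffix -> h=0."""
    m = _VER.match(ver.strip())
    if not m:
        raise ValueError(f"unrecognised PAN-OS version: {ver!r}")
    major, minor, maint, hotfix = m.groups()
    return int(major), int(minor), int(maint), int(hotfix or 0)


def is_affected(ver):
    """True if this PAN-OS version falls in an affected range for CVE-2024-0012."""
    major, minor, maint, hotfix = parse(ver)
    fixes = FIXED.get((major, minor))
    if fixes is None:
        return False  # train not listed as affected (10.1, Cloud NGFW, ...)
    base_maint = parse(fixes[0])[2]
    if maint > base_maint:
        return False  # maintenance release newer than the base fix
    for f in fixes:
        fix_maint, fix_hotfix = parse(f)[2:]
        if fix_maint == maint:
            return hotfix < fix_hotfix  # fixed only at or above the listed hotfix
    return True  # maintenance release with no fix listed for it


def triage(versions):
    """Map each version in an inventory (constructed input) to affected/not."""
    return {v: is_affected(v) for v in versions}
```

Feed it the version strings from your inventory export; anything reported as affected should be upgraded or have its management interface locked down per the Workarounds above.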

CVSS Metrics

CVSS v4.0 (Highest Risk Scenario)

  • Vector String: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:L/SI:N/SA:N/AU:N/R:U/V:C/RE:H/U:Red
  • Base Score: 9.3
  • Base Severity: CRITICAL
  • Scenario: The risk is highest when you allow access to the management interface from external IP addresses on the internet.

CVSS v4.0 (Restricted Access Scenario)

  • Vector String: CVSS:4.0/AV:N/AC:L/AT:P/PR:H/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N/AU:N/R:U/V:C/RE:H/U:Red
  • Base Score: 5.9
  • Base Severity: MEDIUM
  • Scenario: If you configure restricted access to a jump box that is the only system allowed to access the management interface, you greatly reduce the risk of exploitation because attacks would require privileged access using only those IP addresses.

Credits

  • Palo Alto Networks thanks our Deep Product Security Research Team for discovering this issue internally from threat activity.

Timeline

  • 2024-11-18T14:20:00.000Z: CVE-2024-0012 assigned, vulnerability identified and fixed.
  • 2024-11-15T22:00:00.000Z: FAQ about indicators of compromise answered.
  • 2024-11-14T22:18:00.000Z: Severity of PAN-SA-2024-0015 bulletin raised due to observed threat activity.
  • 2024-11-11T01:03:00.000Z: Added instructions to find devices with an internet-facing management interface discovered in scans.
  • 2024-11-08T13:00:00.000Z: Initially published as PAN-SA-2024-0015.

Additional Information

Configuration Notes

The risk is highest if the management interface is configured to enable access from the internet or untrusted networks either:

  • Directly, or
  • Through a data plane interface that includes a management interface profile

The risk is greatly reduced by limiting access to the management interface to only trusted internal IP addresses.

Use the following steps to identify recently detected devices:

  1. Visit the Assets section of Customer Support Portal at https://support.paloaltonetworks.com (Products → Assets → All Assets → Remediation Required).
  2. Devices with an internet-facing management interface discovered in scans are tagged with PAN-SA-2024-0015. A last seen timestamp is shown in UTC. If no such devices are listed, scans did not find any devices with an internet-facing management interface within the last three days.

NVD Information

  • NVD Description: An authentication bypass in Palo Alto Networks PAN-OS software enables an unauthenticated attacker with network access to the management web interface to gain PAN-OS administrator privileges to perform administrative actions, tamper with the configuration, or exploit other authenticated privilege escalation vulnerabilities like CVE-2024-9474. The risk of this issue is greatly reduced if you secure access to the management web interface by restricting access to only trusted internal IP addresses according to our recommended best practice deployment guidelines. This issue is applicable only to PAN-OS 10.2, PAN-OS 11.0, PAN-OS 11.1, and PAN-OS 11.2 software. Cloud NGFW and Prisma Access are not impacted by this vulnerability.

  • NVD CVSS v3.1 Metrics:

    • Vector String: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
    • Base Score: 9.8
    • Base Severity: CRITICAL

Vulnerability Sightings

The vulnerability has been observed and discussed in various sources, including:

  • Infosec.exchange user posts (multiple)
  • Projectdiscovery Nuclei Template
  • MISP Instance (MISP/3c19819c-1dac-4ef2-bfed-be5efa7e0123)
  • Feedsin.space (https://feedsin.space/feed/CISAKevBot/items/2704493)
  • Mastodon posts (multiple)

Classification of this document

TLP:CLEAR information may be distributed without restriction, subject to copyright controls.

Revision

  • Version 1.0 - TLP:CLEAR - First version - 20th December 2024