
Palo Alto Networks patches zero-day firewall vulnerabilities

Patches come days after Palo Alto Networks first learnt of active exploitation in the wild.

David Hollingworth
Tue, 19 Nov 2024

Palo Alto Networks has patched a pair of zero-day vulnerabilities in its PAN-OS management web interface used in its Next-Generation Firewalls.

The patches were released this week after Palo Alto Networks first revealed on 8 November that it had heard rumours of a new vulnerability impacting its firewalls.

Then, on 14 November, Palo Alto Networks updated its advisory to add that it had “observed threat activity exploiting an unauthenticated remote command execution vulnerability against a limited number of firewall management interfaces which are exposed to the internet”.


The vulnerabilities became official on 18 November, when two CVEs were assigned – CVE-2024-0012 and CVE-2024-9474.

CVE-2024-0012 is an authentication bypass vulnerability that could allow an unauthenticated attacker with unrestricted access to the web interface to gain admin-level privileges.

CVE-2024-9474 is a privilege escalation vulnerability, and when taken together, the two bugs could cause serious trouble.

“The two vulnerabilities can be chained by adversaries to bypass authentication on exposed management interfaces and escalate privileges,” researchers at Rapid7 said in a blog post last updated on 18 November.

“While neither advisory explicitly indicates that the impact of chaining the two vulnerabilities is fully unauthenticated remote code execution as root, it seems likely from the description of the issues and the inclusion of a web shell (payload) in IOCs that adversaries may be able to achieve [remote code execution].”

According to Palo Alto Networks, the zero-day vulnerabilities affected only a “very small number” of its firewalls and were only possible on web interfaces with unrestricted access.

“Palo Alto Networks has identified threat activity targeting a limited number of device management web interfaces. This activity has primarily originated from IP addresses known to proxy/tunnel traffic for anonymous VPN services,” Palo Alto Networks said in an 18 November blog post by its Unit 42 research team.

“Palo Alto Networks is still actively investigating and remediating this activity. Observed post-exploitation activity includes interactive command execution and dropping malware, such as webshells, on the firewall.”
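Both the vendor statement and the Rapid7 analysis hinge on one condition: the management web interface being reachable from untrusted addresses. The script below is an added illustration of the defender-side check that follows from that, not code from Palo Alto Networks, Rapid7 or this article. It audits a management-interface allowlist for catch-all entries and triages access records for source IPs outside the trusted admin networks. The log format, the function names and the sample addresses are all constructed for the example; PAN-OS logs and the real management-profile settings are not modelled here.

```python
import ipaddress

# Constructed sample of management-interface access records (hypothetical format,
# not real PAN-OS output). Fields: timestamp, source IP, request path, HTTP status.
SAMPLE_ACCESS_LOG = """\
2024-11-14T03:12:07Z 10.20.0.15 /admin/login 200
2024-11-14T03:12:09Z 10.20.0.15 /admin/dashboard 200
2024-11-14T03:40:51Z 203.0.113.77 /admin/login 200
2024-11-14T03:41:02Z 203.0.113.77 /admin/settings 200
2024-11-14T04:02:13Z 198.51.100.9 /admin/login 401
"""

# Constructed example of the networks from which admins are expected to manage firewalls.
TRUSTED_ADMIN_NETWORKS = ["10.20.0.0/24", "192.168.100.0/24"]


def _networks(cidrs):
    """Parse CIDR strings into ip_network objects (host bits tolerated)."""
    return [ipaddress.ip_network(c, strict=False) for c in cidrs]


def is_unrestricted(permitted_cidrs):
    """An allowlist is effectively unrestricted when it is empty (nothing is filtered)
    or contains a catch-all network such as 0.0.0.0/0 or ::/0."""
    if not permitted_cidrs:
        return True
    return any(net.prefixlen == 0 for net in _networks(permitted_cidrs))


def parse_access_log(text):
    """Turn the constructed log text into records; malformed lines are skipped."""
    records = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue
        ts, src, path, status = parts
        records.append(
            {"ts": ts, "src": ipaddress.ip_address(src), "path": path, "status": int(status)}
        )
    return records


def flag_untrusted(text, trusted_cidrs):
    """Return every record whose source address is outside all trusted networks.
    A mismatched IP version (e.g. IPv6 source vs. IPv4 network) simply does not match."""
    trusted = _networks(trusted_cidrs)
    return [
        rec for rec in parse_access_log(text)
        if not any(rec["src"] in net for net in trusted)
    ]


def untrusted_sources(text, trusted_cidrs):
    """Distinct untrusted source IPs, sorted, for a quick triage summary."""
    return sorted({str(r["src"]) for r in flag_untrusted(text, trusted_cidrs)})


if __name__ == "__main__":
    for label, allowlist in [("empty", []), ("catch-all", ["0.0.0.0/0"]), ("scoped", TRUSTED_ADMIN_NETWORKS)]:
        print(f"allowlist {label!r}: unrestricted={is_unrestricted(allowlist)}")
    for rec in flag_untrusted(SAMPLE_ACCESS_LOG, TRUSTED_ADMIN_NETWORKS):
        print(f"UNTRUSTED {rec['ts']} {rec['src']} {rec['path']} {rec['status']}")
```

Note that a successful login (status 200) from an untrusted address is the record worth escalating; the 401 from the second outside address still shows that the interface was reachable at all, which is the exposure condition the advisory describes.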

David Hollingworth

David Hollingworth has been writing about technology for over 20 years, and has worked for a range of print and online titles in his career. He is enjoying getting to grips with cyber security, especially when it lets him talk about Lego.
