PAN-OS Firewalls from Palo Alto Networks have been hit by two zero-day vulnerabilities. They are now being actively abused by hackers. Palo Alto advises administrators not to give their management interfaces for these firewalls access to the internal corporate network.
Palo Alto Networks indicates that hackers are currently exploiting two zero-day vulnerabilities. These apply to its PAN-OS-based firewalls.
First, this involves CVE-2024-0012 that causes an authentication bypass. More specifically, the problem occurs in the PAN-OS management Web interface. Hackers can exploit this vulnerability to gain admin privileges.
The second known zero-day vulnerability, CVE-2024-9474, causes privilege escalation within firewalls, allowing hackers with root privileges to execute commands on the attacked firewall.
Palo Alto Networks is now investigating the vulnerabilities and is warning customers that both vulnerabilities are already being exploited at this time. The vulnerabilities would attack a “limited” number of Web interfaces and by now hackers would install malware. Possibly a so-called “chain exploit” is already available. A single patch will therefore not guarantee any safety. The monitoring of one’s environments for persistent threats is needed.
2,700 potentially vulnerable firewalls
The hackers reportedly have been active since Nov. 18 from IP addresses known for proxy/tunnel traffic from anonymous VPN services. Unit 42 of Palo Alto Networks assumes that a functional exploit for both vulnerabilities is now publicly available, so more malicious actions can be expected.
Customers can update to the latest versions of PAN-OS for a fix. In addition, the security specialist urges administrators to restrict access to internal corporate networks for their PAN-OS Web interfaces.
ShadowServer is now monitoring 2,700 PAN-OS firewalls susceptible to these vulnerabilities.
Previous vulnerabilities
The PAN-OS firewall vulnerabilities now disclosed are not the first that Palo Alto Networks has had to deal with this year. Early this month, a warning was issued about the CVE-2024-5910 authentication vulnerability for the Palo Alto Networks Expedition firewall configuration migration tool.
In July this year, a flaw was patched that could be exploited to reset admin login credentials for online PAN Expedition servers.
In April 2024, another patch was released for the critical and actively exploited vulnerability CVE-2024-3400 for PAN-OS firewalls. This vulnerability affected more than 82,000 firewalls.
Also read: Palo Alto Networks: defending against machines, with machines