Fortra is actively researching new vulnerabilities in Palo Alto PAN-OS – CVE-2024-0012 and CVE-2024-9474. When combined, these two vulnerabilities allow for an exploit chain to achieve remote code execution. The first CVE allows an unauthenticated attacker with access to the web management interface to gain administrator privileges on the PAN-OS device, while the second CVE allows administrators to perform actions on the firewall with root privileges.
Palo Alto has released fixed versions of PAN-OS to address these vulnerabilities, and customers are recommended to upgrade as soon as possible.
Who is affected?
The following versions of PAN-OS are affected by these vulnerabilities.
- 10.1
- 10.2
- 11.0
- 11.1
- 11.2
What can I do?
Palo Alto has released fixes to address these vulnerabilities. Customers should upgrade to one of the following fixed versions, based on their current version:
- For PAN-OS 10.1, upgrade to 10.1.14-h6 or higher
- For PAN-OS 10.2, upgrade to 10.2.12-h2 or higher
- For PAN-OS 11.0, upgrade to 11.0.6-h1 or higher
- For PAN-OS 11.1, upgrade to 11.1.5-h1 or higher
- For PAN-OS 11.2, upgrade to 11.2.4-h1 or higher
For more information about this vulnerability, refer to Palo Alto’s advisories for CVE-2024-0012 and CVE-2024-9474.
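The fixed-version list above has an easy-to-miss edge case: the fix is in a hotfix build, so a device on 10.2.12 with no hotfix is still vulnerable, while 10.2.12-h2 or a later maintenance release such as 10.2.13 is not. The following Python, added here as an example and not tooling from Fortra or Palo Alto, parses PAN-OS version strings in the major.minor.maintenance-hN form used in this advisory and compares each device in a constructed inventory against the fixed builds listed above. The device names and versions in the sample inventory are made up; the fixed builds are taken from the list above.

```python
"""Check PAN-OS version strings against the fixed builds listed in this
advisory for CVE-2024-0012 / CVE-2024-9474.

Added example; not Fortra's or Palo Alto's code.
"""
import re
from typing import Dict, Tuple

# First fixed build in each release train, as given in the advisory.
# Any version at or above the listed build is considered fixed.
FIXED_VERSIONS: Dict[Tuple[int, int], str] = {
    (10, 1): "10.1.14-h6",
    (10, 2): "10.2.12-h2",
    (11, 0): "11.0.6-h1",
    (11, 1): "11.1.5-h1",
    (11, 2): "11.2.4-h1",
}

# major.minor.maintenance with an optional -hN hotfix suffix.
_VERSION_RE = re.compile(r"^\s*(\d+)\.(\d+)\.(\d+)(?:-h(\d+))?\s*$", re.IGNORECASE)


def parse_version(version: str) -> Tuple[int, int, int, int]:
    """Parse 'major.minor.maint[-hN]' into a comparable tuple.

    A missing hotfix suffix counts as hotfix 0, so 10.2.12 sorts below
    10.2.12-h2 and is reported as vulnerable.
    """
    m = _VERSION_RE.match(version)
    if not m:
        raise ValueError(f"unrecognised PAN-OS version string: {version!r}")
    major, minor, maint, hotfix = m.groups()
    return (int(major), int(minor), int(maint), int(hotfix or 0))


def assess(version: str) -> str:
    """Return 'fixed', 'vulnerable' or 'unlisted' for one PAN-OS version.

    'unlisted' means the release train does not appear in the advisory's
    affected list, so this check says nothing about it.
    """
    parsed = parse_version(version)
    fixed = FIXED_VERSIONS.get(parsed[:2])
    if fixed is None:
        return "unlisted"
    return "fixed" if parsed >= parse_version(fixed) else "vulnerable"


def triage(inventory: Dict[str, str]) -> Dict[str, str]:
    """Map each device name in a {name: version} inventory to its status."""
    return {name: assess(ver) for name, ver in inventory.items()}


if __name__ == "__main__":
    # Constructed sample inventory; these are not real devices.
    sample = {
        "fw-edge-01": "10.2.12",     # one hotfix short of the fixed build
        "fw-edge-02": "10.2.12-h2",  # exactly the fixed build
        "fw-dc-01": "11.1.4-h7",     # earlier maintenance release in 11.1
        "fw-dc-02": "11.2.5",        # later maintenance release, no hotfix needed
        "fw-lab-01": "9.1.17",       # train not listed in this advisory
    }
    for name, status in triage(sample).items():
        print(f"{name:12} {sample[name]:12} {status}")
```

The comparison is a plain tuple compare, so a higher maintenance number always wins over a hotfix on a lower one, which is how the "or higher" wording in the list above should be read. Keep FIXED_VERSIONS in step with Palo Alto's advisory if additional fixed builds are published.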
How is Fortra helping me?
Fortra is actively researching this threat to build detection capabilities in addition to those listed below.
Alert Logic Log Management: Alert Logic has deployed and is actively monitoring log telemetry related to known IOCs.
Alert Logic Network IDS: Alert Logic released new IDS signatures to detect exploit attempts for this vulnerability and aid in further detection research.
Alert Logic Vulnerability Scanning: Alert Logic released authenticated scan coverage on November 21, 2024, to identify these vulnerabilities.
Core Impact: The exploit “Palo Alto Networks OS Remote Code Execution Exploit” was delivered to Core Impact customers on November 22, 2024, to address CVE-2024-9474 and CVE-2024-0012. This module exploits these two vulnerabilities to deploy an agent. The exploit performs the following steps:
- Sends a request containing a header parameter for authentication bypass (CVE-2024-0012) to inject a command within a "user" request body parameter (CVE-2024-9474) and receive an elevated user session ID in the response, whereby the injected command is written to a local session cache file.
- Sends a request with the elevated session ID to trigger evaluation of the injected local session cache file.
- Repeats the process with all the necessary commands to deploy an agent.
Tripwire IP360: Tripwire released scan coverage on November 27, 2024, to identify vulnerable instances. If the vulnerabilities are found, Tripwire vulnerability 679563 will match for CVE-2024-9474, and Tripwire vulnerability 679562 will match for CVE-2024-0012.
Updates
Fortra has kicked off the Emerging Threats process for this vulnerability. This article will be updated with new information about this vulnerability and related security coverage as it becomes available.
11/20/2024: Alert Logic released IDS signatures and log telemetry to aid in detecting exploit attempts.
11/21/2024: Alert Logic released authenticated scan coverage to identify these vulnerabilities.
11/22/2024: Core Impact delivered a module to exploit CVE-2024-9474 and CVE-2024-0012.
11/27/2024: Tripwire IP360 released scan coverage to identify vulnerable instances.
12/04/2024: Alert Logic released new IDS signatures to detect exploit attempts for this vulnerability.