Facebook Google Plus Twitter LinkedIn YouTube RSS Menu Search Resource - BlogResource - WebinarResource - ReportResource - Eventicons_066 icons_067icons_068icons_069icons_070

Tenable Blog

Subscribe

CVE-2024-0012, CVE-2024-9474: Zero-Day Vulnerabilities in Palo Alto PAN-OS Exploited In The Wild

A blue gradient background. The Tenable Research Logo is at the top center of the image. Underneath it is a rectangular shaped box with the word "ADVISORY" in it. Underneath this box are the words "ZERO-DAY VULNERABILITIES EXPLOITED." This blog is about two zero-days in Palo Alto Networks PAN-OS that were exploited in the wild.

Palo Alto Networks confirmed two zero-day vulnerabilities were exploited as part of attacks in the wild against PAN-OS devices, with one being attributed to Operation Lunar Peek.

Update November 19: The blog has been updated with a link to new technical analysis that could aid in the creation of a proof-of-concept, as well as guidance for identifying PAN-OS devices using Tenable Attack Surface Management.

View Change Log

Background

On November 18, Palo Alto Networks updated its advisory (PAN-SA-2024-0015) for a critical flaw in its PAN-OS software to include a CVE identifier:

CVEDescriptionCVSS
CVE-2024-0012PAN-OS Authentication Bypass Vulnerability9.3

In addition to CVE-2024-0012, Palo Alto Networks assigned a second CVE for a privilege escalation vulnerability (CVE-2024-9474).

CVEDescriptionCVSS
CVE-2024-9474PAN-OS Privilege Escalation Vulnerability6.9

Analysis

CVE-2024-0012 is an authentication bypass vulnerability in the management web interface of PAN-OS devices. An unauthenticated, remote attacker could exploit this vulnerability to obtain administrator privileges on the vulnerable PAN-OS device, enabling follow-on activity including modifying device configuration, accessing other administrative functions as well as exploiting other vulnerabilities, such as CVE-2024-9474.

CVE-2024-9474 is a privilege escalation vulnerability in the web management interface of PAN-OS devices. An authenticated, remote attacker could exploit this vulnerability to gain root privileges on the firewall.

While not explicitly referenced in its advisory, based on the description, it is believed that CVE-2024-0012 and CVE-2024-9474 may have been used as part of an exploit chain.

Attributed to Operation Lunar Peek

In a threat brief about the vulnerabilities, Palo Alto Networks’ Unit 42 have attributed the exploitation of CVE-2024-0012 to a campaign they call Operation Lunar Peek. As of November 18, no specific details have yet to be shared about Operation Lunar Peek or attribution to a specific threat actor or country of origin.

While Unit 42 did not explicitly connect CVE-2024-9474 to this operation, they reference this flaw as part of follow-on activity and have stated they’ve “observed threat activity that exploits this vulnerability against a limited number of management web interfaces.”

Initial advisory published on November 8

PAN-SA-2024-0015 was first published on November 8, following reports of a zero-day vulnerability affecting the management interfaces of PAN-OS devices. Reports indicate that someone was selling access to a zero-day in PAN-OS. It wasn’t until November 14 that Palo Alto Networks confirmed “threat activity” associated with this zero-day.

Proof of concept

At the time this blog post was published, there was no proof-of-concept (PoC) available for this vulnerability. However, on November 19, researchers at watchTowr published a blog post outlining their research into both CVE-2024-0012 and CVE-2024-9474, including technical details which may aid in the construction of a PoC. The researchers are withholding a public PoC for at least one week.

Solution

The following table contains a list of affected and fixed versions of PAN-OS:

ProductCVE-2024-0012CVE-2024-9474Fixed Version
PAN-OS 10.1Not Affected10.1.14-h4 and below10.1.14-h6 and above
PAN-OS 10.210.2.12-h1 and below10.2.12-h1 and below10.2.12-h2 and above
PAN-OS 11.011.0.5-h2 and below11.0.5-h2 and below11.0.6-h1 and above
PAN-OS 11.111.1.4-h7 and below11.1.4-h7 and below11.1.5-h1 and above
PAN-OS 11.211.2.3-h3 and below11.2.3-h3 and below11.2.4-h1 and above
Cloud NGFWNot AffectedNot Affected-
Prsima AccessNot AffectedNot Affected-

Equally as important as applying patches, organizations that utilize PAN-OS devices should secure the management web interface to prevent external access, opting instead to limit access to trusted internal IP addresses. For more information, please refer to Palo Alto’s guide, Tips & Tricks: How to Secure the Management Access of Your Palo Alto Networks Device.

Identifying affected systems

A list of Tenable plugins for this vulnerability can be found on the individual CVE pages for CVE-2024-0012 and CVE-2024-9474 as they’re released. These links will display all available plugins for these vulnerabilities, including upcoming plugins in our Plugins Pipeline.

Additionally, customers can utilize Tenable Attack Surface Management to identify PAN-OS devices.

 

Get more information

Change Log

Update November 19: The blog has been updated with a link to new technical analysis that could aid in the creation of a proof-of-concept, as well as guidance for identifying PAN-OS devices using Tenable Attack Surface Management.

Join Tenable's Security Response Team on the Tenable Community.
Learn more about Tenable One, the Exposure Management Platform for the modern attack surface.

Related Articles

Cybersecurity News You Can Use

Enter your email and never miss timely alerts and security guidance from the experts at Tenable.