
Report Pan Os Management Interface Attack


Palo Alto Networks Management Interface Attack

PAN-OS vulnerabilities actively exploited


https://unit42.paloaltonetworks.com/cve-2024-0012-cve-2024-9474/
CVEs: CVE-2024-0012, CVE-2024-9474

Palo Alto Networks has recently disclosed two zero-day vulnerabilities, CVE-2024-0012 and CVE-2024-9474, affecting the PAN-OS firewall and
other products. Both flaws, which are actively being exploited in the wild, affect the Management Web Interface. Successful exploitation allows
attackers to bypass authentication and gain administrator-level access without any user interaction.

Background

Palo Alto Networks PAN-OS Management Interface OS Command Injection Vulnerability (CVE-2024-9474) is an
OS command injection vulnerability that allows for privilege escalation through the web-based management
interface for several PAN products, including firewalls and VPN concentrators.

Palo Alto Networks PAN-OS Management Interface Authentication Bypass Vulnerability (CVE-2024-0012) is an
authentication bypass vulnerability in the web-based management interface for several PAN-OS products,
including firewalls and VPN concentrators.

Latest Developments

Fortinet customers remain protected through the Intrusion Prevention Service (IPS), and all the related known
IOCs have additionally been blocked. FortiGuard Labs advises organizations to apply the latest security updates
to fully mitigate any risks. Fixes for both vulnerabilities are available. Please refer to the Palo Alto Networks
Security Advisories listed below.

November 21, 2024: Shadowserver reported approximately 2,000 have been compromised since the start of this
ongoing campaign.
https://bsky.app/profile/shadowserver.bsky.social/post/3lbh6k7p7pc27

November 18, 2024: CISA added both vulnerabilities to the Known Exploited Vulnerabilities (KEV) Catalog.
https://www.cisa.gov/known-exploited-vulnerabilities-catalog

November 18, 2024: Palo Alto Networks published PAN-OS Management Interface OS Command Injection
Vulnerability (CVE-2024-9474).
https://security.paloaltonetworks.com/CVE-2024-9474

November 8, 2024: Palo Alto Networks published Authentication Bypass in the Management Web Interface
(CVE-2024-0012).
https://security.paloaltonetworks.com/CVE-2024-0012

PROTECT
Countermeasures across the security fabric for protecting assets, data and network from cybersecurity
events:

Reconnaissance

Weaponization

Delivery

Exploitation

IPS: Detects and blocks attack attempts leveraging the vulnerability
FortiADC (DB 29.908), FortiGate (DB 29.908), FortiNDR (DB 29.908), FortiProxy (DB 29.908), FortiSASE (DB 29.908)

Installation

Web & DNS Filter: FortiGate

C2

Botnet C&C: FortiGate

Action

DETECT
Find and correlate important information to identify an outbreak. The following updates are available to raise
alerts and generate reports:

IOC: FortiAnalyzer, FortiSOCaaS, FortiSIEM, FortiSOAR

Outbreak Detection: FortiAnalyzer (DB 2.00062), FortiSOAR (DB 1.0)

Threat Hunting: FortiAnalyzer

Cloud Threat Detection: Fcnapplacework

RESPOND
Develop containment techniques to mitigate impacts of security events:

Automated Response

Services that can automatically respond to this outbreak.

FortiXDR

Assisted Response Services

Experts to assist you with analysis, containment and response activities.

Incident Response

RECOVER
Improve security posture and processes by implementing security awareness and training, in preparation for
(and recovery from) security incidents:

NOC/SOC Training

Train your network and security professionals and optimize your incident response to stay on top of the
cyberattacks.

NSE Training
Response Readiness

End-User Training

Raise security awareness among your employees, who are continuously being targeted by phishing, drive-by
downloads and other forms of cyberattacks.

Security Awareness & Training

IDENTIFY
Identify processes and assets that need protection:

Attack Surface Hardening

Check Security Fabric devices to build actionable configuration recommendations and key indicators.

Security Rating

Additional Resources
SOC Radar https://socradar.io/exploited-pan-os-zero-days-threaten-firewalls/

Unit 42 Threat Brief https://unit42.paloaltonetworks.com/cve-2024-0012-cve-2024-9474/

Learn more about FortiGuard Outbreak Alerts
