
How to find Palo Alto Network firewalls running PAN-OS

Latest Palo Alto Networks vulnerabilities 

Palo Alto Networks (PAN) released a security advisory with multiple vulnerabilities on PAN-OS firewalls that could lead to admin account takeover.

  • CVE-2024-9463 is rated critical with a CVSS score of 9.9, is an OS command injection vulnerability and potentially allows for the execution of OS commands as root.
  • CVE-2024-9464 is rated critical with a CVSS score of 9.3, is an OS command injection vulnerability and potentially allows for the execution of OS commands as root.
  • CVE-2024-9465 is rated critical with a CVSS score of 9.2, is a SQL injection vulnerability and potentially allows a remote unauthenticated attacker to read the contents of the Expedition database.
  • CVE-2024-9466 is rated high with a CVSS score of 8.2, and potentially allows an authenticated user to read sensitive information including passwords and API keys.
  • CVE-2024-9467 is rated high with a CVSS score of 7.0, is an XSS vulnerability and potentially allows for the execution of malicious JavaScript code that could result in session hijacking.

What is the impact?

If chained together through an exploit, a firewall running the vulnerable software could be completely taken over by an unauthenticated remote attacker. For more information, the team that disclosed the vulnerabilities to Palo Alto Networks published a detailed analysis.

According to the vendor, there is no known malicious exploitation of vulnerable systems at this time.

Are updates or workarounds available?

According to Palo Alto Networks, “The fixes for all listed issues are available in Expedition 1.2.96, and all later Expedition versions.” They also recommended rotating all passwords and API keys after applying the latest patch to prevent future unauthorized access. Refer to the Workarounds and Mitigations section of the security advisory for information about potential workarounds and additional advice.

How to find potentially vulnerable PAN-OS systems with runZero

From the Asset Inventory you can use the following query to locate potentially vulnerable systems:

os:"PAN-OS"

CVE-2024-3400

Palo Alto Networks (PAN) disclosed that certain versions of their PAN-OS software have a vulnerability that allows for remote command injection.

CVE-2024-3400 is rated critical with CVSS score of 9.8 and indicates an unauthenticated attacker can execute arbitrary code with root privileges on the firewall. The vendor indicates that there is evidence of limited exploitation in the wild.

watchTowr has posted a detailed analysis including the details needed for exploitation. This analysis covers two separate vulnerabilities: an arbitrary file creation vulnerability in the session handler, and a shell metacharacter injection issue that leads to remote execution through the telemetry script. PAN has updated their guidance to state that “Disabling device telemetry is no longer an effective mitigation”.

What is the impact?

The following PAN-OS versions are affected by this vulnerability.

Version        Affected        Unaffected
PAN-OS 11.1    < 11.1.2-h3     >= 11.1.2-h3 (hotfix ETA: By 4/14)
PAN-OS 11.0    < 11.0.4-h1     >= 11.0.4-h1 (hotfix ETA: By 4/14)
PAN-OS 10.2    < 10.2.9-h1     >= 10.2.9-h1 (hotfix ETA: By 4/14)

Palo Alto Networks indicates that this vulnerability affects PAN-OS 11.1, 11.0, and 10.2 firewalls configured with both a GlobalProtect gateway and device telemetry enabled.

Customers may verify this by checking for GlobalProtect gateway entries in the firewall web interface (Network > GlobalProtect > Gateways) and by checking whether device telemetry is enabled in the firewall web interface (Device > Setup > Telemetry).
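
The version table above is the key screen for triage, but PAN-OS builds carry a hotfix suffix (for example 11.1.2-h3) that plain string comparison gets wrong. The following script, added here as an example and not runZero's or Palo Alto Networks' own code, parses that format and classifies each asset in a constructed sample inventory against the fixed versions from the table; the asset names and versions are made up, and the inventory shape (name, version pairs) is assumed.

```python
import re
from typing import Dict, Iterable, Tuple

# First unaffected build per affected PAN-OS train, taken from the table
# on this page for CVE-2024-3400. Trains not listed here are not in the
# advisory table and are reported as "not-listed".
FIXED_VERSIONS = {
    (11, 1): "11.1.2-h3",
    (11, 0): "11.0.4-h1",
    (10, 2): "10.2.9-h1",
}

# major.minor.patch with an optional -hN hotfix suffix
VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:-h(\d+))?$")


def parse_panos_version(version: str) -> Tuple[int, int, int, int]:
    """Parse 'major.minor.patch[-hN]' into a comparable tuple.
    A missing hotfix sorts as hotfix 0, so 11.1.2 < 11.1.2-h3."""
    m = VERSION_RE.match(version.strip())
    if not m:
        raise ValueError(f"unrecognised PAN-OS version: {version!r}")
    major, minor, patch, hotfix = m.groups()
    return (int(major), int(minor), int(patch), int(hotfix or 0))


def cve_2024_3400_status(version: str) -> str:
    """Return 'vulnerable', 'fixed', or 'not-listed' for one version string."""
    parsed = parse_panos_version(version)
    fixed = FIXED_VERSIONS.get(parsed[:2])  # look up by (major, minor) train
    if fixed is None:
        return "not-listed"
    return "vulnerable" if parsed < parse_panos_version(fixed) else "fixed"


def triage(inventory: Iterable[Tuple[str, str]]) -> Dict[str, str]:
    """Classify (asset_name, version) pairs, e.g. exported from os:"PAN-OS"."""
    return {name: cve_2024_3400_status(ver) for name, ver in inventory}


# Constructed sample inventory; these are not real assets.
SAMPLE_INVENTORY = [
    ("fw-edge-01", "11.1.2"),
    ("fw-edge-02", "11.1.2-h3"),
    ("fw-dc-01", "10.2.9"),
    ("fw-dc-02", "10.2.9-h2"),
    ("fw-lab-01", "10.1.11"),
]

if __name__ == "__main__":
    for name, status in triage(SAMPLE_INVENTORY).items():
        print(f"{name}: {status}")
```

A "vulnerable" result is a version match only; the GlobalProtect gateway and device telemetry configuration checks described above still decide whether a given firewall is actually exposed.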

Are updates or workarounds available?

Palo Alto Networks notes that customers with a Threat Prevention subscription can block attacks for this vulnerability by enabling Threat ID 95187 (introduced in Applications and Threats content version 8833-8682) and applying vulnerability protection to GlobalProtect interfaces.

It was also recommended that telemetry be disabled until devices can be upgraded to an unaffected version of PAN-OS; note, however, that PAN has since stated that disabling device telemetry is no longer an effective mitigation, so it should not be relied on in place of upgrading.

How runZero users found potentially vulnerable PAN-OS systems

From the Asset Inventory, use the following query to locate systems running potentially vulnerable software:

os:"PAN-OS"

About Version 2 Digital

Version 2 Digital is one of the most dynamic IT companies in Asia. The company distributes a wide range of IT products across various areas including cyber security, cloud, data protection, end points, infrastructures, system monitoring, storage, networking, business productivity and communication products.

Through an extensive network of channels, point of sales, resellers, and partnership companies, Version 2 offers quality products and services which are highly acclaimed in the market. Its customers cover a wide spectrum which include Global 1000 enterprises, regional listed companies, different vertical industries, public utilities, Government, a vast number of successful SMEs, and consumers in various Asian cities.

About runZero
runZero, a network discovery and asset inventory solution, was founded in 2018 by HD Moore, the creator of Metasploit. HD envisioned a modern active discovery solution that could find and identify everything on a network–without credentials. As a security researcher and penetration tester, he often employed benign ways to get information leaks and piece them together to build device profiles. Eventually, this work led him to leverage applied research and the discovery techniques developed for security and penetration testing to create runZero.
