Vulnerabilities in Palo Alto PAN-OS

Vulnerability

November 19, 2024

This Multi-State Information Sharing and Analysis Center (MS-ISAC) Advisory is being provided to assist agencies and organizations in guarding against the persistent malicious actions of cybercriminals.

Multiple vulnerabilities have been discovered in Palo Alto PAN-OS, the most severe of which could allow for authentication bypass. PAN-OS is the software that runs all Palo Alto Networks next-generation firewalls. Successful exploitation could allow for authentication bypass with administrator privileges; an attacker could then install programs or view, change, or delete data. CVE-2024-0012 is rated 9.3 (critical severity) with the highest urgency for mitigation, while CVE-2024-9474 is rated 6.9 (medium severity), also with the highest urgency for mitigation.

Threat Intelligence

Palo Alto Networks has identified threat activity targeting a limited number of device management web interfaces. This activity has primarily originated from IP addresses known to proxy/tunnel traffic for anonymous VPN services.

Systems Affected
  • PAN-OS 11.2 < 11.2.4-h1
  • PAN-OS 11.1 < 11.1.5-h1
  • PAN-OS 11.0 < 11.0.6-h1
  • PAN-OS 10.2 < 10.2.12-h2
  • PAN-OS 10.1 < 10.1.14-h6
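
The affected list above is a set of per-branch thresholds ("lower than the fixed release" on that branch), which is easy to get wrong by hand when hotfix suffixes such as -h1 are involved. The following is an added example, not code from MS-ISAC, the NJCCIC or Palo Alto Networks, that parses PAN-OS version strings of the form major.minor.maint[-hN] and compares them against the fixed versions listed in this advisory. It assumes that a release without a hotfix suffix orders before the same release with one (e.g. 10.2.12 is below 10.2.12-h2), and it reports "not listed" for any branch the advisory does not mention rather than guessing.

```python
import re
from typing import List, Optional, Tuple

# Fixed releases per PAN-OS branch, taken from the Systems Affected list
# in the advisory. A version on one of these branches is affected if it
# sorts lower than the fixed release for that branch.
FIXED_VERSIONS = {
    "11.2": "11.2.4-h1",
    "11.1": "11.1.5-h1",
    "11.0": "11.0.6-h1",
    "10.2": "10.2.12-h2",
    "10.1": "10.1.14-h6",
}

# Assumed version format: major.minor.maint with an optional -hN hotfix.
_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:-h(\d+))?$")


def parse_version(version: str) -> Tuple[int, int, int, int]:
    """Parse 'major.minor.maint[-hN]' into a comparable tuple.

    A release without a hotfix suffix is treated as hotfix 0, so
    10.2.12 sorts before 10.2.12-h2 (assumption about hotfix ordering).
    """
    m = _VERSION_RE.match(version.strip())
    if not m:
        raise ValueError(f"unrecognised PAN-OS version string: {version!r}")
    major, minor, maint, hotfix = m.groups()
    return (int(major), int(minor), int(maint), int(hotfix or 0))


def is_affected(version: str) -> Optional[bool]:
    """True if the version is below its branch's fixed release, False if it
    is at or above it, None if the branch is not one the advisory lists."""
    parsed = parse_version(version)
    branch = f"{parsed[0]}.{parsed[1]}"
    fixed = FIXED_VERSIONS.get(branch)
    if fixed is None:
        return None
    return parsed < parse_version(fixed)


def triage(versions: List[str]) -> dict:
    """Sort a list of version strings (e.g. from an inventory export)
    into affected / fixed / not_listed buckets."""
    buckets = {"affected": [], "fixed": [], "not_listed": []}
    for v in versions:
        result = is_affected(v)
        if result is None:
            buckets["not_listed"].append(v)
        elif result:
            buckets["affected"].append(v)
        else:
            buckets["fixed"].append(v)
    return buckets


if __name__ == "__main__":
    # Constructed sample inventory, not real device data.
    sample = ["10.2.11-h3", "10.2.12-h2", "11.1.4", "11.1.5-h1", "10.0.12", "11.2.4"]
    for bucket, items in triage(sample).items():
        print(f"{bucket}: {items}")
```

Feed it the version column of a firewall inventory; anything in the "not_listed" bucket is a branch this advisory says nothing about and should be checked against the vendor's own advisory rather than assumed safe.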

Risk

Government:
– Large and medium government entities: High
– Small government entities: Medium

Businesses:
– Large and medium business entities: High
– Small business entities: Medium

Home Users: Low

Recommendations
  • Apply appropriate updates to vulnerable systems immediately after appropriate testing.
  • Apply the Principle of Least Privilege to all systems and services. Run all software as a non-privileged user (one without administrative privileges) to diminish the effects of a successful attack.
  • Use vulnerability scanning to find potentially exploitable software vulnerabilities and remediate them.
  • Architect sections of the network to isolate critical systems, functions, or resources. Use physical and logical segmentation to prevent access to potentially sensitive systems and information. Use a DMZ to contain any internet-facing services that should not be exposed from the internal network. Configure separate virtual private cloud (VPC) instances to isolate critical cloud systems.
  • Use capabilities to detect and block conditions that may lead to or be indicative of a software exploit occurring.

CVE: CVE-2024-0012, CVE-2024-9474

Reporting

The NJCCIC encourages recipients who discover signs of malicious cyber activity to contact the NJCCIC via the cyber incident report form at www.cyber.nj.gov/report.
Please do not hesitate to contact the NJCCIC at njccic@cyber.nj.gov with any questions. Also, for more background on our recent cybersecurity efforts, please visit cyber.nj.gov.