CVE-2024-0012 PAN-OS: Authentication Bypass in the Management Web Interface (PAN-SA-2024-0015)
Description
An authentication bypass in Palo Alto Networks PAN-OS software enables an unauthenticated attacker with network access to the management web interface to gain PAN-OS administrator privileges to perform administrative actions, tamper with the configuration, or exploit other authenticated privilege escalation vulnerabilities like CVE-2024-9474.
The risk of this issue is greatly reduced if you secure access to the management web interface by restricting access to only trusted internal IP addresses according to our recommended best practice deployment guidelines.
This issue is applicable only to PAN-OS 10.2, PAN-OS 11.0, PAN-OS 11.1, and PAN-OS 11.2 software on PA-Series, VM-Series, and CN-Series firewalls and on Panorama (virtual and M-Series).
Cloud NGFW and Prisma Access are not impacted by this vulnerability.
Product Status
Versions | Affected | Unaffected |
---|---|---|
Cloud NGFW | None | All |
PAN-OS 11.2 | < 11.2.0-h1, < 11.2.1-h1, < 11.2.2-h2, < 11.2.3-h3, < 11.2.4-h1 | >= 11.2.0-h1, >= 11.2.1-h1, >= 11.2.2-h2, >= 11.2.3-h3, >= 11.2.4-h1 |
PAN-OS 11.1 | < 11.1.0-h4, < 11.1.1-h2, < 11.1.2-h15, < 11.1.3-h11, < 11.1.4-h7, < 11.1.5-h1 | >= 11.1.0-h4, >= 11.1.1-h2, >= 11.1.2-h15, >= 11.1.3-h11, >= 11.1.4-h7, >= 11.1.5-h1 |
PAN-OS 11.0 | < 11.0.0-h4, < 11.0.1-h5, < 11.0.2-h5, < 11.0.3-h13, < 11.0.4-h6, < 11.0.5-h2, < 11.0.6-h1 | >= 11.0.0-h4, >= 11.0.1-h5, >= 11.0.2-h5, >= 11.0.3-h13, >= 11.0.4-h6, >= 11.0.5-h2, >= 11.0.6-h1 |
PAN-OS 10.2 | < 10.2.0-h4, < 10.2.1-h3, < 10.2.2-h6, < 10.2.3-h14, < 10.2.4-h32, < 10.2.5-h9, < 10.2.6-h6, < 10.2.7-h18, < 10.2.8-h15, < 10.2.9-h16, < 10.2.10-h9, < 10.2.11-h6, < 10.2.12-h2 | >= 10.2.0-h4, >= 10.2.1-h3, >= 10.2.2-h6, >= 10.2.3-h14, >= 10.2.4-h32, >= 10.2.5-h9, >= 10.2.6-h6, >= 10.2.7-h18, >= 10.2.8-h15, >= 10.2.9-h16, >= 10.2.10-h9, >= 10.2.11-h6, >= 10.2.12-h2 |
PAN-OS 10.1 | None | All |
Prisma Access | None | All |
Each entry is per maintenance release: a release is affected when its hotfix level is below the one listed (for example, 10.2.9-h5 is affected and 10.2.9-h16 is not).
See the Solution section for additional fixes to commonly deployed maintenance releases.
Required Configuration for Exposure
The risk is greatest if you configure the management interface to enable access from the internet or any untrusted network, either:
- directly, or
- through a dataplane interface that includes a management interface profile.
The risk is greatly reduced if you make sure that only trusted internal IP addresses are allowed to access the management interface.
Use the following steps to identify your recently detected devices in our Internet scans:
- To find your known assets that require remediation action, visit the Assets section of the Customer Support Portal at https://support.paloaltonetworks.com (Products → Assets → All Assets → Remediation Required).
- Your known devices with an internet-facing management interface discovered in our scans are tagged with PAN-SA-2024-0015 and a last-seen timestamp in UTC. If no such devices are listed, our scan did not find any devices with an internet-facing management interface for your account in the last three days.
Severity: CRITICAL, Suggested Urgency: HIGHEST
The risk is highest when you allow access to the management interface from external IP addresses on the internet.
CVSS-BT: 9.3 / CVSS-B: 9.3 (CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:L/SI:N/SA:N/E:A/AU:N/R:U/V:C/RE:H/U:Red)
If you restrict access to a jump box that is the only system allowed to reach the management interface, you greatly reduce the risk of exploitation, because an attacker would first need privileged access to a system with one of those permitted IP addresses.
CVSS-BT: 5.9 / CVSS-B: 5.9 (CVSS:4.0/AV:N/AC:L/AT:P/PR:H/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N/E:A/AU:N/R:U/V:C/RE:H/U:Red)
Exploitation Status
Palo Alto Networks is aware of an increasing number of attacks that exploit this vulnerability. Proofs of concept for this vulnerability have been publicly disclosed by third parties.
Weakness Type and Impact
CWE-306 Missing Authentication for Critical Function
CAPEC-115 Authentication Bypass
Solution
We strongly recommend that you secure access to your management interface following the instructions in the workarounds section below.
This issue is fixed in PAN-OS 10.2.12-h2, PAN-OS 11.0.6-h1, PAN-OS 11.1.5-h1, PAN-OS 11.2.4-h1, and all later PAN-OS versions.
In addition, in an attempt to provide the most seamless upgrade path for our customers, we are making fixes available for other TAC-preferred and commonly deployed maintenance releases.
- Additional PAN-OS 11.2 fixes:
- 11.2.0-h1
- 11.2.1-h1
- 11.2.2-h2
- 11.2.3-h3
- 11.2.4-h1
- Additional PAN-OS 11.1 fixes:
- 11.1.0-h4
- 11.1.1-h2
- 11.1.2-h15
- 11.1.3-h11
- 11.1.4-h7
- 11.1.5-h1
- Additional PAN-OS 11.0 fixes:
- 11.0.0-h4
- 11.0.1-h5
- 11.0.2-h5
- 11.0.3-h13
- 11.0.4-h6
- 11.0.5-h2
- 11.0.6-h1
- Additional PAN-OS 10.2 fixes:
- 10.2.0-h4
- 10.2.1-h3
- 10.2.2-h6
- 10.2.3-h14
- 10.2.4-h32
- 10.2.5-h9
- 10.2.6-h6
- 10.2.7-h18
- 10.2.8-h15
- 10.2.9-h16
- 10.2.10-h9
- 10.2.11-h6
- 10.2.12-h2
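The Product Status table and the fix list above are per maintenance release, so a version string has to be compared against the hotfix threshold of its own maintenance release rather than against a single "fixed" version. The following Python is an added example, not code from the advisory or from Palo Alto Networks: it encodes the thresholds copied from the table and the Solution list, and treats maintenance releases newer than the last one listed for a branch as fixed, following the advisory's "and all later PAN-OS versions" statement. The sample inventory at the bottom is constructed.

```python
"""Triage PAN-OS version strings against the CVE-2024-0012 fix thresholds.

Added example, not code from the advisory or from Palo Alto Networks. The
thresholds are copied from the Product Status table and the Solution list;
the decision rules are this example's reading of the advisory text.
"""
import re
from typing import NamedTuple, Optional

# First fixed hotfix for each affected maintenance release, keyed by
# (major, minor, maintenance). Values copied from the advisory.
FIXED_HOTFIX = {
    (10, 2, 0): 4, (10, 2, 1): 3, (10, 2, 2): 6, (10, 2, 3): 14, (10, 2, 4): 32,
    (10, 2, 5): 9, (10, 2, 6): 6, (10, 2, 7): 18, (10, 2, 8): 15, (10, 2, 9): 16,
    (10, 2, 10): 9, (10, 2, 11): 6, (10, 2, 12): 2,
    (11, 0, 0): 4, (11, 0, 1): 5, (11, 0, 2): 5, (11, 0, 3): 13, (11, 0, 4): 6,
    (11, 0, 5): 2, (11, 0, 6): 1,
    (11, 1, 0): 4, (11, 1, 1): 2, (11, 1, 2): 15, (11, 1, 3): 11, (11, 1, 4): 7,
    (11, 1, 5): 1,
    (11, 2, 0): 1, (11, 2, 1): 1, (11, 2, 2): 2, (11, 2, 3): 3, (11, 2, 4): 1,
}

# Feature branches the advisory names as applicable. PAN-OS 10.1 and any
# other branch are treated as unaffected, as the advisory states.
AFFECTED_BRANCHES = {(10, 2), (11, 0), (11, 1), (11, 2)}

_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:-h(\d+))?$")


class PanOsVersion(NamedTuple):
    major: int
    minor: int
    maint: int
    hotfix: int  # 0 when the string carries no -hN suffix


def parse_version(text: str) -> PanOsVersion:
    """Parse strings such as '10.2.9-h16' or '11.2.4' (a base release)."""
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"not a PAN-OS version string: {text!r}")
    major, minor, maint, hotfix = m.groups()
    return PanOsVersion(int(major), int(minor), int(maint), int(hotfix or 0))


def is_affected(text: str) -> bool:
    """True when the version is below the fix threshold of its maintenance release."""
    v = parse_version(text)
    if (v.major, v.minor) not in AFFECTED_BRANCHES:
        return False
    needed = FIXED_HOTFIX.get((v.major, v.minor, v.maint))
    if needed is None:
        # Not listed: a maintenance release newer than the last listed one is
        # fixed ("and all later PAN-OS versions"); an older unlisted one would
        # be a gap in the table and is treated conservatively as affected.
        latest_listed = max(mt for (ma, mi, mt) in FIXED_HOTFIX
                            if (ma, mi) == (v.major, v.minor))
        return v.maint < latest_listed
    return v.hotfix < needed


def minimum_fix(text: str) -> Optional[str]:
    """The hotfix that closes the issue for this maintenance release, or None."""
    v = parse_version(text)
    if not is_affected(text):
        return None
    needed = FIXED_HOTFIX.get((v.major, v.minor, v.maint))
    if needed is None:
        return None  # gap case: no in-place hotfix listed, upgrade the maintenance release
    return f"{v.major}.{v.minor}.{v.maint}-h{needed}"


def triage(versions):
    """Map each version string to (status, minimum fix) with status in
    'affected', 'fixed' or 'unaffected'."""
    report = {}
    for text in versions:
        v = parse_version(text)
        if (v.major, v.minor) not in AFFECTED_BRANCHES:
            report[text] = ("unaffected", None)
        elif is_affected(text):
            report[text] = ("affected", minimum_fix(text))
        else:
            report[text] = ("fixed", None)
    return report


if __name__ == "__main__":
    # Constructed sample inventory; not data from the advisory.
    inventory = ["10.2.9-h5", "10.2.9-h16", "11.2.4", "11.1.6", "10.1.14-h3", "11.0.3-h12"]
    for version, (status, fix) in triage(inventory).items():
        print(f"{version:12} {status:10} {fix or ''}")
```

A base release with no -h suffix (for example 11.2.4) is treated as hotfix 0 and is therefore affected whenever its maintenance release has a listed threshold; this matters because the fixes here are hotfixes applied on top of already-deployed maintenance releases, not new maintenance releases.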
Workarounds and Mitigations
Recommended mitigation—The vast majority of firewalls already follow Palo Alto Networks and industry best practices. However, if you haven’t already, we strongly recommend that you secure access to your management interface according to our best practice deployment guidelines. Specifically, you should restrict access to the management interface to only trusted internal IP addresses to prevent external access from the internet.
Additionally, if you have a Threat Prevention subscription, you can block these attacks using Threat IDs 95746, 95747, 95752, 95753, 95759, and 95763 (available in Applications and Threats content version 8915-9075 and later). These signatures can only inspect traffic that traverses the dataplane; they do not protect a management interface that is reached directly on the dedicated MGT port. For these Threat IDs to protect against attacks on this vulnerability, you must:
- Ensure that all the listed Threat IDs are set to block mode.
- Route inbound management traffic through a dataplane (DP) interface rather than the dedicated MGT port, for example by enabling a management profile on a DP interface for management access.
- Replace the certificate used for inbound traffic management.
- Decrypt inbound traffic to the management interface so the firewall can inspect it.
- Enable Threat Prevention on the inbound traffic to management services.
For guidance on securing management access, see:
- Palo Alto Networks LIVEcommunity article: https://live.paloaltonetworks.com/t5/community-blogs/tips-amp-tricks-how-to-secure-the-management-access-of-your-palo/ba-p/464431
- Palo Alto Networks official and more detailed technical documentation: https://docs.paloaltonetworks.com/best-practices/10-1/administrative-access-best-practices/administrative-access-best-practices/deploy-administrative-access-best-practices
Acknowledgments
Frequently Asked Questions
Q. Are there any IoCs associated with threat activity?
Please refer to the Unit42 Threat Brief (https://unit42.paloaltonetworks.com/cve-2024-0012-cve-2024-9474/) for the latest information.
Q. Are there any checks I can run on my device to look for evidence of attempted exploitation activity?
If your management web interface was exposed to the internet, then we advise you to closely monitor your network for suspicious threat activity, such as unrecognized configuration changes or suspicious users.
We are scanning telemetry data and customer-uploaded tech support files (TSF) for evidence of threat activity and updating the case notes accordingly.
Q. Can I use Xpanse and XSIAM to identify PAN-OS management interfaces?
Cortex Xpanse and Cortex XSIAM customers with the ASM module can investigate internet-exposed instances by reviewing alerts generated by the Palo Alto Networks Firewall Admin Login attack surface rule.
Q. If our firewall management interface has always been deployed according to best practices, do I need to take any action?
We recommend applying the available fixes. Until then, follow the guidance in the Workarounds and Mitigations section.
Q. What do you recommend if exploitation was observed on my device?
Please take your device offline from the internet and contact Global Customer Support to do an Enhanced Factory Reset (EFR) on your device.
The following Knowledge Base Article outlines the steps to remediate your device using EFR: https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA14u000000CrO6CAK
Q. How did you identify that my firewall had an internet-facing management interface?
Palo Alto Networks detects public-facing customer NGFW internet management interfaces through routine, nonintrusive internet scanning. We analyze these results using proprietary indicators to attribute device attributes (such as firewall model) with a high degree of accuracy. Based on detected IP addresses, we are able to associate an internet-exposed firewall with the appropriate customer by cross-referencing the IP address to the serial number stored in our internal records.
We listed the firewalls that were discovered in this way since November 9 in the Remediation Required list under the Assets section of the Customer Support Portal (Products → Assets → All Assets → Remediation Required). This list may not be complete, so make sure to verify that all of your firewalls are properly configured.
Q. Are GlobalProtect Portals and Gateways vulnerable to this issue?
GlobalProtect Portals and Gateways (typically accessible on port 443) are not vulnerable to this issue. However, if a management profile is configured on an interface that also hosts a GlobalProtect portal or gateway, that interface exposes the management web interface (typically accessible on port 4443) and therefore exposes the device to attack.
CPEs
cpe:2.3:o:paloaltonetworks:pan-os:11.2.4:-:*:*:*:*:*:*
cpe:2.3:o:paloaltonetworks:pan-os:11.2.3:h2:*:*:*:*:*:*
cpe:2.3:o:paloaltonetworks:pan-os:11.2.3:h1:*:*:*:*:*:*
cpe:2.3:o:paloaltonetworks:pan-os:11.2.3:-:*:*:*:*:*:*
cpe:2.3:o:paloaltonetworks:pan-os:11.2.2:h1:*:*:*:*:*:*
cpe:2.3:o:paloaltonetworks:pan-os:11.2.1:-:*:*:*:*:*:*
cpe:2.3:o:paloaltonetworks:pan-os:11.2.0:*:*:*:*:*:*:*
cpe:2.3:o:paloaltonetworks:pan-os:11.1.5:-:*:*:*:*:*:*
cpe:2.3:o:paloaltonetworks:pan-os:11.1.4:h6:*:*:*:*:*:*
cpe:2.3:o:paloaltonetworks:pan-os:11.1.4:h5:*:*:*:*:*:*