2 Palo Alto Networks zero-day vulnerabilities under attack

CVE-2024-9474 marks the second zero-day vulnerability in Palo Alto Networks' PAN-OS firewall management interface to come under attack in the last week.

Palo Alto Networks warned that attackers are now exploiting two zero-day vulnerabilities in its firewall management interfaces that could let threat actors gain highly privileged access.

Last week, Palo Alto Networks disclosed that an unauthenticated remote command execution zero-day vulnerability it tracked as PAN-SA-2024-0015 was under attack. At the time, the vulnerability, which affects PAN-OS firewall software, remained unpatched and had not been assigned a CVE.

The threat has escalated this week. In research published on Monday, Palo Alto Networks' Unit 42 detailed an investigation into ongoing attacks against two zero-day vulnerabilities in the vendor's web management interface. The first is PAN-SA-2024-0015, now tracked as CVE-2024-0012, and the second is a privilege escalation vulnerability tracked as CVE-2024-9474.

The security vendor said it is tracking threat activity related to CVE-2024-0012 under the name "Operation Lunar Peek." So far, Palo Alto said exploitation has been limited, and patches have been released for both flaws.

"An authentication bypass in Palo Alto Networks PAN-OS software enables an unauthenticated attacker with network access to the management interface to gain PAN-OS administrator privileges to perform administrative actions, tamper with the configuration, or exploit other authenticated privilege escalation vulnerabilities like CVE-2024-9474," Unit 42 wrote in the research post. "Risk of this issue is greatly reduced if you secure access to the management web interface by restricting access to only trusted internal IP addresses according to our recommended best practice deployment guidelines."
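The mitigation Unit 42 points to is a configuration control: the management web interface should only be reachable from an explicit allowlist of trusted internal addresses. The following Python script is an added example, not code from Palo Alto Networks or from the original article. It audits an exported PAN-OS configuration for the `deviceconfig/system/permitted-ip` allowlist and flags devices that have no allowlist, a catch-all prefix such as 0.0.0.0/0, an oversized prefix, or a non-private source. The XML layout and device names are assumptions constructed for the example; check the element path against your own running-config export before relying on it.

```python
import ipaddress
import xml.etree.ElementTree as ET

# Constructed sample of a PAN-OS running-config export (assumed layout,
# heavily abbreviated). Three firewalls: a tight allowlist, a catch-all
# allowlist, and no allowlist at all.
SAMPLE_CONFIG = """<config version="11.1.0">
  <devices>
    <entry name="fw-core-01">
      <deviceconfig><system>
        <permitted-ip>
          <entry name="10.20.30.0/24"/>
          <entry name="10.99.0.5/32"/>
        </permitted-ip>
      </system></deviceconfig>
    </entry>
    <entry name="fw-branch-07">
      <deviceconfig><system>
        <permitted-ip>
          <entry name="0.0.0.0/0"/>
        </permitted-ip>
      </system></deviceconfig>
    </entry>
    <entry name="fw-lab-02">
      <deviceconfig><system/></deviceconfig>
    </entry>
  </devices>
</config>
"""


def audit_permitted_ip(config_xml: str, max_addresses: int = 256) -> dict:
    """Return {device_name: [finding, ...]} for every device in the export.

    A device with an empty finding list has an allowlist made only of
    private prefixes no larger than max_addresses (default /24 for IPv4).
    """
    root = ET.fromstring(config_xml)
    findings = {}
    for dev in root.iterfind("./devices/entry"):
        name = dev.get("name", "?")
        issues = []
        entries = [
            e.get("name")
            for e in dev.iterfind("./deviceconfig/system/permitted-ip/entry")
        ]
        if not entries:
            # No permitted-ip list means any source that can route to the
            # management address can reach the login page.
            issues.append("no permitted-ip allowlist: management interface accepts any source")
        for raw in entries:
            try:
                net = ipaddress.ip_network(raw, strict=False)
            except ValueError:
                issues.append(f"unparseable permitted-ip entry {raw!r}")
                continue
            if net.prefixlen == 0 or net.num_addresses > max_addresses:
                issues.append(
                    f"overly broad permitted-ip {raw} ({net.num_addresses} addresses)"
                )
            elif not net.is_private:
                # Unit 42's guidance is trusted *internal* addresses; a public
                # source may still be a deliberate jump host, so this is a warning.
                issues.append(f"non-private permitted-ip {raw}; confirm it is a trusted host")
        findings[name] = issues
    return findings


def exposed_devices(config_xml: str) -> list:
    """Names of devices with at least one finding, sorted for stable output."""
    return sorted(name for name, issues in audit_permitted_ip(config_xml).items() if issues)


if __name__ == "__main__":
    for device, issues in audit_permitted_ip(SAMPLE_CONFIG).items():
        status = "OK" if not issues else "REVIEW"
        print(f"{device}: {status}")
        for issue in issues:
            print(f"  - {issue}")
```

Two caveats when using a check like this: permitted-ip only governs the dedicated management interface, so any data-plane interface with an interface management profile that allows HTTPS also exposes the web UI and needs the same review; and an allowlist reduces exposure but does not remove the bugs, so it complements patching rather than replacing it.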

Multiple organizations have confirmed exploitation activity. CISA added both flaws to its Known Exploited Vulnerabilities catalog on Monday, giving federal agencies a deadline of Dec. 9 to apply fixes. Additionally, The Shadowserver Foundation, a cybersecurity nonprofit organization, said it has observed more than 6,000 exploitation attempts against Palo Alto's PAN-OS management interface since Monday.

UPDATE: On Thursday, the Shadowserver Foundation provided an update on Mastodon revealing that roughly 2,000 PAN-OS management interfaces had been compromised through exploitation of CVE-2024-0012 and CVE-2024-9474. The cybersecurity organization collaborated with the Saudi National Cybersecurity Authority to obtain information about the exploitation activity. Scans showed the compromises primarily affected Palo Alto Networks devices located in the U.S. and India.

Cybersecurity vendor WatchTowr published a blog post Tuesday that detailed the two zero-day vulnerabilities. WatchTowr Labs researchers highlighted how popular SSL VPN flaws are among attackers. For example, earlier this year, attackers exploited another critical zero-day vulnerability in Palo Alto Networks' PAN-OS software, tracked as CVE-2024-3400.

WatchTowr's blog post added that these types of flaws are easy for attackers to exploit "once you know how." Researchers expanded on the timeline and said they've been hearing rumors related to CVE-2024-0012 over the past few weeks. Palo Alto Networks initially published an advisory for PAN-SA-2024-0015 on Nov. 8, saying it was aware of reports about a remote code execution vulnerability via the PAN-OS management interface, but had not confirmed the existence of the flaw at that time.

"Kudos to Palo Alto for warning its customers of a potential bug before confirming it, and releasing patches as soon as possible. The general security posture of the device is such that mitigations were in place to restrict access to the management interface via a strict ruleset of IP whitelisting," WatchTowr Labs researchers wrote.

On the other hand, WatchTowr also criticized Palo Alto Networks for the flaws themselves. "It's amazing that these two bugs got into a production appliance, amazingly allowed via the hacked-together mass of shell script invocations that lurk under the hood of a Palo Alto appliance," the blog post said.

While Unit 42's research post did not state outright that CVE-2024-0012 and CVE-2024-9474 were exploited as an exploit chain, WatchTowr said the description strongly implied it. WatchTowr researchers said they are holding off on releasing a proof-of-concept exploit to give organizations time to patch.

Like WatchTowr, Tenable also said Unit 42's description implies that attackers are chaining the two zero-day vulnerabilities. The security company published a blog post Monday that expanded on the flaws. Tenable warned that the exploit chain could let attackers gain root privileges on firewalls. Tenable said it also believes that CVE-2024-9474 is part of Operation Lunar Peek, though Palo Alto Networks has not shared additional details.

Palo Alto Networks provided the following statement to TechTarget Editorial:

These vulnerabilities could allow attackers to take control of firewalls if they have access to the management interface; internet-exposed management interfaces are at significantly higher risk. We are actively working with impacted customers and urge all organizations to immediately determine if their firewalls are at risk and apply the security patches as detailed in Security Advisory PAN-SA-2024-0015. Palo Alto Networks is committed to supporting the security of our customers.

This article was updated on 11/21/2024.

Arielle Waldman is a news writer for TechTarget Editorial covering enterprise security.
