# Full Report
Palo Alto Networks confirmed two zero-day vulnerabilities were exploited as part of attacks in the wild against PAN-OS devices, with one being attributed to Operation Lunar Peek.

Update November 19: The blog has been updated with a link to new technical analysis that could aid in the creation of a proof-of-concept, as well as guidance for identifying PAN-OS devices using Tenable Attack Surface Management.

## Background

On November 18, Palo Alto Networks updated its advisory (PAN-SA-2024-0015) for a critical flaw in its PAN-OS software to include a CVE identifier:

| CVE | Description | CVSS |
| --- | --- | --- |
| CVE-2024-0012 | PAN-OS Authentication Bypass Vulnerability | 9.3 |

In addition to CVE-2024-0012, Palo Alto Networks assigned a second CVE for a privilege escalation vulnerability (CVE-2024-9474).

| CVE | Description | CVSS |
| --- | --- | --- |
| CVE-2024-9474 | PAN-OS Privilege Escalation Vulnerability | 6.9 |

## Analysis

CVE-2024-0012 is an authentication bypass vulnerability in the management web interface of PAN-OS devices. An unauthenticated, remote attacker could exploit this vulnerability to obtain administrator privileges on the vulnerable PAN-OS device, enabling follow-on activity including modifying the device configuration, accessing other administrative functions and exploiting other vulnerabilities, such as CVE-2024-9474.

CVE-2024-9474 is a privilege escalation vulnerability in the web management interface of PAN-OS devices. An authenticated, remote attacker could exploit this vulnerability to gain root privileges on the firewall.

While not explicitly referenced in its advisory, based on the description, it is believed that CVE-2024-0012 and CVE-2024-9474 may have been used as part of an exploit chain.

### Attributed to Operation Lunar Peek

In a threat brief about the vulnerabilities, Palo Alto Networks' Unit 42 has attributed the exploitation of CVE-2024-0012 to a campaign it calls Operation Lunar Peek. As of November 18, no specific details have been shared about Operation Lunar Peek, nor any attribution to a specific threat actor or country of origin.

While Unit 42 did not explicitly connect CVE-2024-9474 to this operation, it references this flaw as part of follow-on activity and has stated that it has "observed threat activity that exploits this vulnerability against a limited number of management web interfaces."

### Initial advisory published on November 8

PAN-SA-2024-0015 was first published on November 8, following reports of a zero-day vulnerability affecting the management interfaces of PAN-OS devices. Reports indicate that someone was selling access to a zero-day in PAN-OS. It wasn't until November 14 that Palo Alto Networks confirmed "threat activity" associated with this zero-day.

## Proof of concept

At the time this blog post was published, there was no proof-of-concept (PoC) available for this vulnerability. However, on November 19, researchers at watchTowr published a blog post outlining their research into both CVE-2024-0012 and CVE-2024-9474, including technical details which may aid in the construction of a PoC. The researchers are withholding a public PoC for at least one week.

## Solution

The following table contains a list of affected and fixed versions of PAN-OS:

| Product | CVE-2024-0012 | CVE-2024-9474 | Fixed Version |
| --- | --- | --- | --- |
| PAN-OS 10.1 | Not Affected | 10.1.14-h4 and below | 10.1.14-h6 and above |
| PAN-OS 10.2 | 10.2.12-h1 and below | 10.2.12-h1 and below | 10.2.12-h2 and above |
| PAN-OS 11.0 | 11.0.5-h2 and below | 11.0.5-h2 and below | 11.0.6-h1 and above |
| PAN-OS 11.1 | 11.1.4-h7 and below | 11.1.4-h7 and below | 11.1.5-h1 and above |
| PAN-OS 11.2 | 11.2.3-h3 and below | 11.2.3-h3 and below | 11.2.4-h1 and above |
| Cloud NGFW | Not Affected | Not Affected | - |
| Prisma Access | Not Affected | Not Affected | - |

Equally as important as applying patches, organizations that use PAN-OS devices should secure the management web interface to prevent external access, limiting access instead to trusted internal IP addresses. For more information, please refer to Palo Alto's guide, Tips & Tricks: How to Secure the Management Access of Your Palo Alto Networks Device.

## Identifying affected systems

A list of Tenable plugins for these vulnerabilities can be found on the individual CVE pages for CVE-2024-0012 and CVE-2024-9474 as they're released. These links will display all available plugins for these vulnerabilities, including upcoming plugins in our Plugins Pipeline.

Additionally, customers can utilize Tenable Attack Surface Management to identify PAN-OS devices.

## Get more information

- Threat Brief: Operation Lunar Peek, Activity Related to CVE-2024-0012
- PAN-SA-2024-0015: CVE-2024-0012 PAN-OS: Authentication Bypass in the Management Web Interface
- CVE-2024-9474 PAN-OS: Privilege Escalation (PE) Vulnerability in the Web Management Interface

## Change Log

Update November 19: The blog has been updated with a link to new technical analysis that could aid in the creation of a proof-of-concept, as well as guidance for identifying PAN-OS devices using Tenable Attack Surface Management.
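Added example (not code from the Tenable post, Palo Alto Networks or Tenable products): a small inventory checker that applies the affected/fixed version table from the Solution section to PAN-OS version strings, so a defender can triage an asset list against both CVEs. It parses the `-hN` hotfix suffix, treats the 10.1 train as affected only by CVE-2024-9474, and flags trains the advisory does not list for manual review rather than guessing; the sample versions at the bottom are constructed.

```python
import re
from typing import Dict, Optional, Tuple

# First fixed build per PAN-OS release train, from the advisory table above.
# None means the table lists that train as Not Affected by that CVE
# (PAN-OS 10.1 is only affected by CVE-2024-9474).
PAN_OS_FIXES: Dict[str, Dict[str, Optional[str]]] = {
    "10.1": {"CVE-2024-0012": None,         "CVE-2024-9474": "10.1.14-h6"},
    "10.2": {"CVE-2024-0012": "10.2.12-h2", "CVE-2024-9474": "10.2.12-h2"},
    "11.0": {"CVE-2024-0012": "11.0.6-h1",  "CVE-2024-9474": "11.0.6-h1"},
    "11.1": {"CVE-2024-0012": "11.1.5-h1",  "CVE-2024-9474": "11.1.5-h1"},
    "11.2": {"CVE-2024-0012": "11.2.4-h1",  "CVE-2024-9474": "11.2.4-h1"},
}

# PAN-OS versions look like 10.2.12 or 10.2.12-h1 (the -hN suffix is a hotfix).
VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:-h(\d+))?$")


def parse_version(text: str) -> Tuple[int, int, int, int]:
    """Turn '10.2.12-h1' into (10, 2, 12, 1); a missing hotfix counts as 0."""
    match = VERSION_RE.match(text.strip())
    if not match:
        raise ValueError(f"unrecognised PAN-OS version string: {text!r}")
    major, minor, patch, hotfix = match.groups()
    return int(major), int(minor), int(patch), int(hotfix or 0)


def assess(version: str) -> Dict[str, object]:
    """List the CVEs a device on `version` is still exposed to.

    Anything older than the fixed build for its train counts as affected; this
    is deliberately conservative for builds between the advisory's "and below"
    and "and above" boundaries (e.g. a hypothetical 10.1.14-h5).
    """
    parsed = parse_version(version)
    train = f"{parsed[0]}.{parsed[1]}"
    fixes = PAN_OS_FIXES.get(train)
    if fixes is None:
        # Train not in the advisory table: hand it to a human instead of guessing.
        return {"version": version, "train": train, "known": False, "affected": []}
    affected = [cve for cve, fixed in fixes.items()
                if fixed is not None and parsed < parse_version(fixed)]
    return {"version": version, "train": train, "known": True, "affected": affected}


if __name__ == "__main__":
    # Constructed sample inventory, not real device data.
    for v in ["10.1.14-h4", "10.2.12-h1", "10.2.12-h2", "11.1.4", "11.2.4-h1", "9.1.17"]:
        print(v, assess(v))
```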
# Analysis Summary

The following summary restructures the Full Report above into a standard vulnerability-report layout for the two Palo Alto Networks PAN-OS zero-days it covers, **"Zero-Day Vulnerabilities in Palo Alto PAN-OS Exploited In The Wild."** Fields the report does not address are marked as such rather than inferred.
# Vulnerability: Zero-Day Exploitation in Palo Alto PAN-OS for CVE-2024-0012 and CVE-2024-9474
## CVE Details
- CVE ID: CVE-2024-0012 **and** CVE-2024-9474
- CVSS Score: 9.3 for CVE-2024-0012 (authentication bypass) and 6.9 for CVE-2024-9474 (privilege escalation), as listed in the report.
- CWE: Not stated in the report.
## Affected Systems
- Products: Palo Alto Networks PAN-OS (management web interface). Cloud NGFW and Prisma Access are listed as Not Affected.
- Versions: PAN-OS 10.2.12-h1 and below, 11.0.5-h2 and below, 11.1.4-h7 and below, and 11.2.3-h3 and below are affected by both CVEs; PAN-OS 10.1.14-h4 and below is affected by CVE-2024-9474 only.
- Configurations: Devices whose management web interface is reachable from untrusted networks are the exposed case; the report recommends restricting it to trusted internal IP addresses.
## Vulnerability Description
CVE-2024-0012 is an authentication bypass in the PAN-OS management web interface that allows an unauthenticated, remote attacker to obtain administrator privileges on the device. CVE-2024-9474 is a privilege escalation in the same interface that allows an authenticated, remote attacker to gain root privileges on the firewall. Both were exploited in the wild as zero-days, and the report assesses that they may have been chained, with CVE-2024-0012 supplying the administrative access that CVE-2024-9474 requires. The underlying code defects are not described in the report.
## Exploitation
- Status: Exploited in the wild. Unit 42 attributes exploitation of CVE-2024-0012 to Operation Lunar Peek and has observed exploitation of CVE-2024-9474 against a limited number of management web interfaces. No public PoC existed at publication; watchTowr released technical analysis on November 19 and is withholding a PoC for at least one week.
- Complexity: Not stated in the report. CVE-2024-0012 requires no authentication; CVE-2024-9474 requires an authenticated user.
- Attack Vector: Network, via the exposed management web interface.
## Impact
- Confidentiality: High. A successful chain yields administrator and then root privileges on the firewall.
- Integrity: High. The report notes that an attacker can modify device configuration and access other administrative functions.
- Availability: High. Root access to the firewall places its operation under attacker control.
## Remediation
### Patches
- Upgrade to the fixed PAN-OS builds listed in PAN-SA-2024-0015: 10.1.14-h6, 10.2.12-h2, 11.0.6-h1, 11.1.5-h1 or 11.2.4-h1 and above for the respective release trains.
### Workarounds
- Restrict access to the management web interface to trusted internal IP addresses and prevent external access, per Palo Alto's guide, Tips & Tricks: How to Secure the Management Access of Your Palo Alto Networks Device. This is recommended alongside patching, not as a substitute for it.
## Detection
- Indicators of compromise: Not listed in the report.
- Detection methods and tools: Tenable plugins for each CVE are published on the CVE-2024-0012 and CVE-2024-9474 pages as they are released (including those in the Plugins Pipeline), and Tenable Attack Surface Management can be used to identify PAN-OS devices.
## References
- Vendor advisories: PAN-SA-2024-0015 (CVE-2024-0012 authentication bypass, CVE-2024-9474 privilege escalation); Unit 42 Threat Brief: Operation Lunar Peek; watchTowr technical analysis (November 19).
- Relevant links (defanged):
  - hxxps://www[.]tenable[.]com/blog/cve-2024-0012-cve-2024-9474-zero-day-vulnerabilities-in-palo-alto-pan-os-exploited-in-the-wild