Full Report
Palo Alto Networks has confirmed the active exploitation of a critical remote code execution vulnerability (CVE-2024-0012) in the PAN-OS management interface. This vulnerability allows an unauthenticated attacker with network access to the management interface to bypass authen...
Analysis Summary
# Vulnerability: Critical RCE in PAN-OS Management Interface
## CVE Details
- CVE ID: CVE-2024-0012
- CVSS Score: not provided in the source text (critical severity is implied by an unauthenticated RCE under active exploitation)
- CWE: weakness type not available in the source text
## Affected Systems
- Products: PAN-OS
- Versions: not specifically listed in the source text; the vulnerability applies to devices whose management interface is exposed.
- Configurations: devices where management access is **not** restricted to trusted internal IP addresses. Prisma Access and Cloud NGFW are believed to be **unaffected**.
## Vulnerability Description
A critical Remote Code Execution (RCE) vulnerability exists in the PAN-OS management interface. This flaw allows an unauthenticated attacker who has network access to the management interface to bypass authentication mechanisms, ultimately leading to the attacker obtaining administrator privileges and being able to perform administrative actions on the system.
## Exploitation
- Status: Exploited in the wild (Active exploitation confirmed as of November 17, 2024)
- Complexity: Low (implied: no authentication required, reachable over the network)
- Attack Vector: Network (requires network access to the management interface)
## Impact
- Confidentiality: High (Ability to browse system configuration/data via admin privileges)
- Integrity: High (Ability to perform administrative actions/modify configuration)
- Availability: High (Potential for service disruption via administrative takeover)
## Remediation
### Patches
- Palo Alto Networks has released an advisory addressing this vulnerability. **Specific fixed versions are not detailed in the source text; refer to the vendor advisory for the fixed releases and apply them immediately.**
### Workarounds
- Immediately restrict access to the management interface to trusted internal IP addresses only, in line with Palo Alto Networks best-practice guidance.
## Detection
- **Indicators of Compromise:** no specific indicators are listed in the source text. Given active RCE exploitation, monitor for anomalous administrative logins or configuration changes originating from unexpected network locations.
- **Detection Methods and Tools:** Cortex Xpanse and Cortex XSIAM users should check for alerts related to internet-exposed instances of PAN-OS.
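As an added illustration of the detection guidance above (example code, not from the source or from Palo Alto Networks): a Python check that flags administrative activity whose source address lies outside an allow-list of trusted management networks. The network ranges, the event records and their field names are constructed assumptions, not PAN-OS's own log schema.

```python
import ipaddress

# Constructed example: internal ranges from which management access is permitted.
# Assumption: replace these with the organisation's real permitted-IP list.
TRUSTED_MGMT_NETWORKS = [
    ipaddress.ip_network("10.10.0.0/24"),
    ipaddress.ip_network("192.168.50.0/24"),
]

# Constructed admin-activity records. The field names are an assumption for this
# example, not PAN-OS's own log schema; map real log fields onto them.
SAMPLE_ADMIN_EVENTS = [
    {"ts": "2024-11-17T08:01:12Z", "user": "admin", "src": "10.10.0.15", "event": "auth-success"},
    {"ts": "2024-11-17T08:05:44Z", "user": "admin", "src": "203.0.113.77", "event": "auth-success"},
    {"ts": "2024-11-17T08:06:01Z", "user": "admin", "src": "203.0.113.77", "event": "config-commit"},
    {"ts": "2024-11-17T09:12:30Z", "user": "ops", "src": "192.168.50.9", "event": "config-commit"},
    {"ts": "2024-11-17T09:15:02Z", "user": "admin", "src": "not-an-ip", "event": "auth-success"},
]


def is_trusted_source(src, trusted_networks):
    """True only if src parses as an IP address inside one of the trusted networks.

    An unparsable source fails closed (treated as untrusted) so a malformed or
    missing address is surfaced for review rather than silently ignored.
    """
    try:
        addr = ipaddress.ip_address(src)
    except ValueError:
        return False
    return any(addr in net for net in trusted_networks)


def find_untrusted_admin_activity(events, trusted_networks=TRUSTED_MGMT_NETWORKS):
    """Return the administrative events (logins, commits) whose source address is
    outside the trusted management networks, in their original order."""
    return [e for e in events if not is_trusted_source(e["src"], trusted_networks)]


if __name__ == "__main__":
    for hit in find_untrusted_admin_activity(SAMPLE_ADMIN_EVENTS):
        print(f"{hit['ts']} {hit['event']} by {hit['user']} from {hit['src']} "
              "(outside trusted management ranges)")
```

Any hit against a device whose management interface was reachable from outside the permitted ranges warrants the same review as an active-exploitation alert.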
## References
- Vendor Advisory: https://security.paloaltonetworks.com/PAN-SA-2024-0015