Full Report
Detect and mitigate CVE-2024-0012 and CVE-2024-9474, PAN-OS vulnerabilities that Wiz Threat Research has observed being exploited in the wild. Organizations should patch urgently.
Analysis Summary
# Vulnerability: Chained Authentication Bypass (CVE-2024-0012) and Privilege Escalation (CVE-2024-9474) leading to RCE on PAN-OS
## CVE Details
- CVE ID: CVE-2024-0012 and CVE-2024-9474 (Chained)
- CVSS Score: Not provided in the source for the chain; both vulnerabilities are treated as critical.
- CWE: Not explicitly provided.
## Affected Systems
- Products: Palo Alto Networks PAN-OS
- Versions: Specific vulnerable versions are not listed in the source; the affected component is the management interface.
- Configurations: Affects devices accessible via the PAN-OS management interface.
## Vulnerability Description
Two distinct vulnerabilities in PAN-OS, when chained, allow for unauthenticated Remote Code Execution (RCE) on the management interface.
1. **CVE-2024-0012 (Authentication Bypass):** Allows an attacker to bypass authentication controls on the management interface.
2. **CVE-2024-9474 (Privilege Escalation):** Allows an authenticated (or successfully bypassed) administrator to execute firewall actions with root privileges, specifically via a POST request creating a PHP session that leads to code execution.
Chaining these vulnerabilities grants an unauthenticated attacker administrative access and the ability to execute arbitrary code remotely.
## Exploitation
- Status: Exploited in the wild
- Complexity: Implied Low/Medium (Chaining required, but successful exploitation leads to full control)
- Attack Vector: Network (Requires network access to the management interface)
## Impact
- Confidentiality: High (Full administrative access allows data exfiltration)
- Integrity: High (Arbitrary administrative actions, deployment of web shells/malware)
- Availability: High (Potential for system disruption via root access)
Post-exploitation activity observed includes interactive command execution and the deployment of web shells, Sliver implants, and crypto miners.
## Remediation
### Patches
- Specific patched versions are listed in the Palo Alto Networks advisory PAN-SA-2024-0015. Users must consult the vendor advisories for the precise fixed versions.
### Workarounds
- No workarounds were detailed other than applying the patches. Implicitly, restricting network access to the management interface limits external exposure.
## Detection
- **Indicators of Compromise (IOCs):**
  - Presence of suspicious files/web shells in paths like `/var/appweb/htdocs/unauth/{4-6 random chars}.php`.
  - Presence of Sliver implants, such as the one using C2 address `77.221.158[.]154`.
  - Observed file hashes: `e9cd4829b3e64f2f6f45e2761d474f213009d4c8`, `af817679227921768e15a3a5971b263d5fcf6f75`, `caae3165bda2e4434f487dee30e39a92e808bfbc` (DaggerFly).
- **Detection Methods and Tools:**
  - Use security platforms (such as Wiz) that provide pre-built queries or templates (e.g., the Nuclei template by watchTowr) to scan for vulnerable versions or deployed malware artifacts.
  - Monitor management interface logs for unusual authentication attempts or root-level command execution.
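As an added, defender-side example (not code from Wiz, Palo Alto Networks, or any of the projects referenced on this page), the script below applies the indicators listed in this section to data a responder would typically already have in hand: a file listing from the appliance, `sha1sum`-style output, and connection log lines. It assumes the 4-6 random characters in the web shell name are alphanumeric, treats the listed hashes as SHA-1 (they are 40 hex digits), and every sample input it runs over is constructed for the example rather than taken from a real device.

```python
import hashlib
import re
from typing import Dict, Iterable, List

# Indicators taken from the report above.
KNOWN_BAD_SHA1 = {
    "e9cd4829b3e64f2f6f45e2761d474f213009d4c8",
    "af817679227921768e15a3a5971b263d5fcf6f75",
    "caae3165bda2e4434f487dee30e39a92e808bfbc",
}
SLIVER_C2_DEFANGED = "77.221.158[.]154"

# Web shells were observed at /var/appweb/htdocs/unauth/<4-6 random chars>.php.
# Assumption (not stated in the report): the random characters are alphanumeric.
WEBSHELL_PATH_RE = re.compile(r"^/var/appweb/htdocs/unauth/[A-Za-z0-9]{4,6}\.php$")


def refang(ioc: str) -> str:
    """Turn a defanged indicator such as 77.221.158[.]154 into a matchable value."""
    return ioc.replace("[.]", ".")


def suspicious_paths(paths: Iterable[str]) -> List[str]:
    """Return every path matching the observed web shell drop location.

    This is a heuristic on the file name only; any hit still needs a manual
    look at the file contents before it is treated as confirmed.
    """
    return [p for p in paths if WEBSHELL_PATH_RE.match(p)]


def hash_hits(sha1sum_lines: Iterable[str]) -> Dict[str, str]:
    """Parse sha1sum-style lines ('<hash>  <path>') and report known-bad digests."""
    hits: Dict[str, str] = {}
    for line in sha1sum_lines:
        parts = line.strip().split(maxsplit=1)
        if len(parts) != 2:
            continue  # malformed line, skip rather than guess
        digest, path = parts[0].lower(), parts[1].lstrip("*")
        if digest in KNOWN_BAD_SHA1:
            hits[path] = digest
    return hits


def c2_log_hits(log_lines: Iterable[str]) -> List[str]:
    """Return log lines that reference the Sliver C2 address as a whole token.

    The lookarounds stop 177.221.158.154 or 77.221.158.1540 from matching.
    """
    c2 = refang(SLIVER_C2_DEFANGED)
    pattern = re.compile(r"(?<![\d.])" + re.escape(c2) + r"(?![\d.])")
    return [line for line in log_lines if pattern.search(line)]


def triage(paths: Iterable[str], sha1sum_lines: Iterable[str],
           log_lines: Iterable[str]) -> Dict[str, object]:
    """Run all three checks and summarise what a responder should look at next."""
    return {
        "webshell_paths": suspicious_paths(paths),
        "hash_matches": hash_hits(sha1sum_lines),
        "c2_connections": c2_log_hits(log_lines),
    }


# --- Constructed sample inputs (not from a real device) ---------------------
SAMPLE_PATHS = [
    "/var/appweb/htdocs/unauth/Ab3xQ.php",       # fits the observed pattern
    "/var/appweb/htdocs/unauth/toolongname.php", # too long to fit the pattern
    "/var/appweb/htdocs/index.php",              # wrong directory
    "/tmp/a1b2.php",                             # wrong directory
]
BENIGN_SHA1 = hashlib.sha1(b"constructed benign content").hexdigest()
SAMPLE_SHA1SUM = [
    "e9cd4829b3e64f2f6f45e2761d474f213009d4c8  /var/appweb/htdocs/unauth/Ab3xQ.php",
    f"{BENIGN_SHA1}  /etc/hosts",
]
SAMPLE_LOGS = [
    "2024-11-18T10:01:02Z conn src=10.0.0.5 dst=77.221.158.154 dport=443 proto=tcp",
    "2024-11-18T10:01:03Z conn src=10.0.0.5 dst=77.221.158.1 dport=443 proto=tcp",
    "2024-11-18T10:01:04Z conn src=10.0.0.6 dst=177.221.158.154 dport=443 proto=tcp",
]

if __name__ == "__main__":
    for key, value in triage(SAMPLE_PATHS, SAMPLE_SHA1SUM, SAMPLE_LOGS).items():
        print(f"{key}: {value}")
```

The path check is deliberately narrow (exact directory, exact name length) so it produces a short list worth reading by hand; the hash and C2 checks are exact matches and are the stronger signals. Feed `hash_hits` the output of `sha1sum` run over the web root and `c2_log_hits` whatever connection or firewall logs cover the management interface.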
## References
- Initial Palo Alto Networks announcement: https://security.paloaltonetworks.com/PAN-SA-2024-0015
- Unit 42 blog: https://unit42.paloaltonetworks.com/cve-2024-0012-cve-2024-9474/
- CVE-2024-0012 advisory: https://security.paloaltonetworks.com/CVE-2024-0012
- CVE-2024-9474 advisory: https://security.paloaltonetworks.com/CVE-2024-9474
- watchTowr blog post: https://labs.watchtowr.com/pots-and-pans-aka-an-sslvpn-palo-alto-pan-os-cve-2024-0012-and-cve-2024-9474/
- Rapid7 Metasploit module: https://github.com/rapid7/metasploit-framework/pull/19663