Palo Alto CVE-2024-0012 and CVE-2024-9474 Vulnerabilities Explained


On November 18th, 2024, Palo Alto Networks disclosed two critical vulnerabilities affecting PAN-OS software [1]. CVE-2024-0012 is an authentication bypass vulnerability that allows unauthenticated attackers to execute arbitrary commands with administrator privileges. CVE-2024-9474 is a privilege escalation vulnerability that allows attackers with administrator access to run commands on the firewall with root privileges. The two are believed to be exploited together to obtain root access to Palo Alto appliances, and organizations are advised to patch their vulnerable PAN-OS software as soon as possible.

In this blog, we explain how the Palo Alto PAN-OS CVE-2024-0012 and CVE-2024-9474 vulnerabilities work and how organizations can defend against attacks that exploit them.


Palo Alto PAN-OS CVE-2024-0012 and CVE-2024-9474 Vulnerabilities Explained

PAN-OS is the operating system that powers Palo Alto Networks' Next-Generation Firewalls (NGFWs) and other security appliances. On November 18th, 2024, Palo Alto published a security advisory covering two vulnerabilities in PAN-OS software. CVE-2024-0012 is an authentication bypass vulnerability that allows attackers to gain administrative privileges on affected products; it has a CVSS score of 9.3 (Critical). The second vulnerability in the advisory, CVE-2024-9474, is a privilege escalation vulnerability that is believed to be exploited in the wild in conjunction with CVE-2024-0012. Chained together, the two vulnerabilities let unauthenticated adversaries run arbitrary commands on the firewall with root privileges.

CVE-2024-0012 and CVE-2024-9474 vulnerabilities affect the products below, and organizations are advised to patch their vulnerable PAN-OS software without delay.

| Product Name | Affected Versions | Fixed Versions |
| --- | --- | --- |
| PAN-OS 11.2 | Versions earlier than 11.2.4-h1 | 11.2.4-h1 and later |
| PAN-OS 11.1 | Versions earlier than 11.1.5-h1 | 11.1.5-h1 and later |
| PAN-OS 11.0 | Versions earlier than 11.0.6-h1 | 11.0.6-h1 and later |
| PAN-OS 10.2 | Versions earlier than 10.2.12-h2 | 10.2.12-h2 and later |
| PAN-OS 10.1 (unaffected by CVE-2024-0012) | Versions earlier than 10.1.14-h6 | 10.1.14-h6 and later |
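As an added example (not code from the advisory or from Picus), the check below turns the table above into an inventory test. It assumes PAN-OS version strings in the "major.minor.patch" form with an optional "-hN" hotfix suffix, treats a build without a hotfix suffix as h0, and reports which of the two CVEs a given build is still exposed to.

```python
import re

# Fixed builds from the Palo Alto advisory as reproduced in the table above.
# PAN-OS 10.1 is not affected by CVE-2024-0012 but still needs 10.1.14-h6 for CVE-2024-9474.
FIXED_VERSIONS = {
    "11.2": "11.2.4-h1",
    "11.1": "11.1.5-h1",
    "11.0": "11.0.6-h1",
    "10.2": "10.2.12-h2",
    "10.1": "10.1.14-h6",
}

_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:-h(\d+))?$")


def parse_version(version: str) -> tuple[int, int, int, int]:
    """Parse 'major.minor.patch[-hN]' into a comparable tuple; a missing hotfix counts as h0."""
    m = _VERSION_RE.match(version.strip())
    if not m:
        raise ValueError(f"unrecognised PAN-OS version string: {version!r}")
    major, minor, patch, hotfix = m.groups()
    return int(major), int(minor), int(patch), int(hotfix or 0)


def exposed_cves(version: str) -> list[str]:
    """Return the CVEs the given PAN-OS build is still exposed to (empty list when patched)."""
    parsed = parse_version(version)
    train = f"{parsed[0]}.{parsed[1]}"
    if train not in FIXED_VERSIONS:
        # Release trains absent from the advisory table cannot be judged from this data.
        raise ValueError(f"PAN-OS {train} is not covered by the advisory table")
    if parsed >= parse_version(FIXED_VERSIONS[train]):
        return []
    # Both CVEs are fixed in the same build; the 10.1 train only needs the 9474 fix.
    if train == "10.1":
        return ["CVE-2024-9474"]
    return ["CVE-2024-0012", "CVE-2024-9474"]


if __name__ == "__main__":
    # Constructed sample inventory, not real device data.
    for build in ["11.2.4", "11.2.4-h1", "10.2.12-h1", "10.1.13", "10.1.14-h6"]:
        print(f"{build}: {', '.join(exposed_cves(build)) or 'patched'}")
```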

How Does the PAN-OS CVE-2024-0012 Exploit Work?

The CVE-2024-0012 vulnerability is caused by a CWE-306 (Missing Authentication for Critical Function) weakness in the uiEnvSetup.php script [2]. This script checks whether the HTTP_X_PAN_AUTHCHECK value, which is populated from the X-PAN-AUTHCHECK request header, is set to "on" or "off". When the value is "on", the script redirects unauthenticated users to the login page. The header is "on" in the default configuration, but because the value is taken from the client's request, adversaries can craft an HTTP GET request with the X-PAN-AUTHCHECK header set to "off" and bypass authentication.

The example HTTP GET request below exploits the CVE-2024-0012 vulnerability to reach PHP scripts without authentication.

GET /php/ztp_gate.php/.js.map HTTP/1.1
Host:
X-PAN-AUTHCHECK: off

Palo Alto PAN-OS CVE-2024-0012 Vulnerability Exploit Example

How Does the PAN-OS CVE-2024-9474 Exploit Work?

CVE-2024-9474 is a privilege escalation vulnerability that allows authenticated attackers to run commands on vulnerable appliances with root privileges. The flaw lies in the createRemoteAppwebSession.php script, which lets attackers create arbitrary users with arbitrary roles and assigns a PHP session ID that is then used as an authentication token. Using that session ID, attackers can upload malicious PHP code and execute commands on the vulnerable product with root privileges.
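As an added detection example covering both vulnerabilities described above (not code from Picus or from the cited research), the script below parses raw HTTP requests as a proxy or IDS would capture them and flags the two patterns this post identifies: a client-supplied X-PAN-AUTHCHECK header set to "off" (CVE-2024-0012) and any request reaching createRemoteAppwebSession.php (CVE-2024-9474). The sample traffic, the Host value and the path prefix of the third request are constructed for illustration.

```python
from dataclasses import dataclass, field


@dataclass
class HttpRequest:
    method: str
    path: str
    headers: dict[str, str] = field(default_factory=dict)


def parse_request(raw: str) -> HttpRequest:
    """Parse the request line and headers of a raw HTTP/1.1 request; the body is ignored."""
    head = raw.replace("\r\n", "\n").split("\n\n", 1)[0]
    lines = head.split("\n")
    method, target, _version = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        if ":" in line:
            name, value = line.split(":", 1)
            headers[name.strip().lower()] = value.strip()  # header names are case-insensitive
    return HttpRequest(method, target, headers)


def exploit_indicators(req: HttpRequest) -> list[str]:
    """Return the CVE identifiers whose exploitation pattern this request matches."""
    hits = []
    # CVE-2024-0012: uiEnvSetup.php trusts the client-supplied X-PAN-AUTHCHECK header, and a
    # value of "off" skips the authentication check. No legitimate client ever sends it.
    if req.headers.get("x-pan-authcheck", "").lower() == "off":
        hits.append("CVE-2024-0012")
    # CVE-2024-9474: createRemoteAppwebSession.php is the script abused for the privilege
    # escalation, so any external request that reaches it should be reviewed.
    if "createremoteappwebsession.php" in req.path.lower():
        hits.append("CVE-2024-9474")
    return hits


# Constructed sample traffic: the first request mirrors the one shown above (with a placeholder
# Host), the second is benign, the third uses a constructed path to the CVE-2024-9474 script.
SAMPLE_REQUESTS = [
    "GET /php/ztp_gate.php/.js.map HTTP/1.1\r\nHost: firewall.example\r\nX-PAN-AUTHCHECK: off\r\n\r\n",
    "GET /php/login.php HTTP/1.1\r\nHost: firewall.example\r\n\r\n",
    "POST /php/createRemoteAppwebSession.php HTTP/1.1\r\nHost: firewall.example\r\nx-pan-authcheck: OFF\r\n\r\n",
]


def scan(raw_requests: list[str]) -> list[tuple[str, list[str]]]:
    """Pair each request's target path with the indicators it triggered (empty list if clean)."""
    return [(req.path, exploit_indicators(req)) for req in map(parse_request, raw_requests)]


if __name__ == "__main__":
    for path, hits in scan(SAMPLE_REQUESTS):
        print(f"{path}: {', '.join(hits) or 'no indicators'}")
```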

| Post Exploitation Payload | Hash Value (SHA256) |
| --- | --- |
| PHP webshell payload dropped on a compromised firewall | 3C5F9034C86CB1952AA5BB07B4F77CE7D8BB5CC9FE5C029A32C72ADC7E814668 |

How Does Picus Help Simulate Palo Alto CVE-2024-0012 and CVE-2024-9474 Attacks?

We also strongly suggest simulating the Palo Alto CVE-2024-0012 and CVE-2024-9474 vulnerabilities to test the effectiveness of your security controls against sophisticated cyber attacks using the Picus Security Validation Platform. You can also test your defenses against other vulnerability exploitation attacks, such as regreSSHion, Citrix Bleed, and Follina, within minutes with a 14-day free trial of the Picus Platform.

Picus Threat Library includes the following threats for Palo Alto CVE-2024-0012 and CVE-2024-9474 vulnerability exploitation attacks:

| Threat ID | Threat Name | Attack Module |
| --- | --- | --- |
| 39549 | Palo Alto Networks Web Attack Campaign | Web Application |

Picus also provides actionable mitigation content. Picus Mitigation Library includes prevention signatures to address Palo Alto CVE-2024-0012 and CVE-2024-9474 vulnerability exploitation attacks in preventive security controls. Picus Labs has validated the following signatures for Palo Alto CVE-2024-0012 and CVE-2024-9474:

| Security Control | Signature ID | Signature Name |
| --- | --- | --- |
| Check Point NGFW | asm_dynamic_prop_CVE_2024_0012 | Palo Alto Networks PAN-OS Authentication Bypass (CVE-2024-0012) |
| Citrix NetScaler WAF | | Blocked by 'HTML Command Injection' Security Check |
| F5 BIG-IP WAF | 200003924 | "echo" execution attempt (2) |
| F5 BIG-IP WAF | 200003045 | Unix/Linux "echo" execution attempt (Parameter) |
| F5 BIG-IP WAF | 200003044 | Unix/Linux "uname" execution attempt (Parameter) |
| Fortinet FortiGate NGFW | 56894 | Palo.Alto.Networks.PAN-OS.Web.Interface.Authentication.Bypass |
| ModSecurity WAF | 932100 | Remote Command Execution: Unix Command Injection |
| ModSecurity WAF | 932105 | Remote Command Execution: Unix Command Injection |
| ModSecurity WAF | 932130 | Remote Command Execution: Unix Shell Expression Found |
| ModSecurity WAF | 932200 | RCE Bypass Technique |
| Palo Alto Networks NGFW | 95746 | Generic Malicious HTTP Request Detection |
| Snort IPS | 1.2057705.1 | ET WEB_SPECIFIC_APPS Palo Alto PAN-OS Authentication Bypass (CVE-2024-0012) |
| Snort IPS | 1.2057706.1 | ET WEB_SPECIFIC_APPS Palo Alto PAN-OS Command Injection in User Parameter |

Start simulating emerging threats today and get actionable mitigation insights with a 14-day free trial of the Picus Security Validation Platform.

References

[1] Unit 42, "Threat Brief: Operation Lunar Peek, Activity Related to CVE-2024-0012," Unit 42, Nov. 18, 2024. Available: https://unit42.paloaltonetworks.com/cve-2024-0012-cve-2024-9474/. [Accessed: Nov. 19, 2024]

[2] Sonny, "Pots and Pans, AKA an SSLVPN - Palo Alto PAN-OS CVE-2024-0012 and CVE-2024-9474," watchTowr Labs - Blog, Nov. 19, 2024. Available: https://labs.watchtowr.com/pots-and-pans-aka-an-sslvpn-palo-alto-pan-os-cve-2024-0012-and-cve-2024-9474/. [Accessed: Nov. 19, 2024]