On November 18th, 2024, Palo Alto Networks disclosed two critical vulnerabilities affecting PAN-OS software [1]. CVE-2024-0012 is an authentication bypass vulnerability that allows attackers to execute arbitrary commands with administrator privileges. CVE-2024-9474 is a privilege escalation vulnerability that allows attackers with administrator access to run commands on the firewall with root privileges. These vulnerabilities are believed to be exploited in conjunction for root access to Palo Alto appliances and organizations are advised to patch their vulnerable PAN-OS software as soon as possible.
In this blog, we explained how the Palo Alto PAN-OS CVE-2024-0012 and CVE-2024-9474 vulnerabilities work and how organizations can defend against CVE-2024-0012 and CVE-2024-9474 attacks.
Simulate Vulnerability Exploitation Attacks with 14-Day Free Trial of Picus Platform
Palo Alto PAN-OS CVE-2024-0012 and CVE-2024-9474 Vulnerabilities Explained
PAN-OS is the operating system that powers many Palo Alto Networks' Next-Gen Firewalls (NGFWs) and other security appliances. On November 18th, 2024, Palo Alto disclosed a security advisory about two vulnerabilities affecting PAN-OS software. CVE-2024-0012 is an authentication bypass vulnerability that allows attackers to gain administrative privileges in affected products. CVE-2024-0012 has a CVSS score of 9.3 (Critical). The other vulnerability disclosed in Palo Alto's advisory is CVE-2024-9474, a privilege escalation vulnerability that is believed to be exploited in the wild in conjunction with CVE-2024-0012. When exploited together, these vulnerabilities enable unauthenticated adversaries to run arbitrary commands on the firewall with root privileges.
CVE-2024-0012 and CVE-2024-9474 vulnerabilities affect the products below, and organizations are advised to patch their vulnerable PAN-OS software without delay.
Product Name |
Affected Versions |
Fixed Versions |
PAN-OS 11.2 |
Version earlier than 11.2.4-h1 |
11.2.4-h1 and later |
PAN-OS 11.1 |
Version earlier than 11.1.5-h1 |
11.1.5-h1 and later |
PAN-OS 11.0 |
Version earlier than 11.0.6-h1 |
11.0.6-h1 and later |
PAN-OS 10.2 |
Version earlier than 10.2.12-h2 |
10.2.12-h2 and later |
PAN-OS 10.1 (unaffected by CVE-2024-0012) |
Version earlier than 10.1.14-h6 |
10.1.14-h6 and later |
How PAN-OS CVE-2024-0012 Exploit Works?
CVE-2024-0012 vulnerability is caused by a CWE-306 weakness found in the uiEnvSetup.php script [2]. This script checks whether the HTTP header HTTP_X_PAN_AUTHCHECK is set to "on" or "off". If the header is set to "on", the script redirects users to the login page. Although the header is set to "on" in the default configuration, adversaries can craft a malicious HTTP GET request with the X-PAN-AUTHCHECK header set to "off" and bypass authentication.
The example HTTP GET request below exploits the CVE-2024-0012 vulnerability to access PHP scripts without authentication.
GET /php/ztp_gate.php/.js.map HTTP/1.1 |
Palo Alto PAN-OS CVE-2024-0012 Vulnerability Exploit Example
How PAN-OS CVE-2024-9474 Exploit Works?
CVE-2024-9474 vulnerability is a privilege escalation vulnerability that allows authenticated attackers to run commands in vulnerable appliances with root privileges. The vulnerability is found in the createRemoteAppwebSession.php script. This script allows attackers to create arbitrary users with arbitrary roles and assigns a PHP session ID used as an authentication token. Attackers can then upload their malicious PHP code using the PHP session ID and execute commands in the vulnerable products with root privileges.
Post Exploitation Payloads |
Hash Value (SHA256) |
PHP webshell payload dropped on a compromised firewall |
3C5F9034C86CB1952AA5BB07B4F77CE7D8BB5CC9FE5C029A32C72ADC7E814668 |
How Picus Helps Simulate Palo Alto CVE-2024-0012 and CVE-2024-9474 Attacks?
We also strongly suggest simulating the Palo Alto CVE-2024-0012 and CVE-2024-9474 vulnerabilities to test the effectiveness of your security controls against sophisticated cyber attacks using the Picus Security Validation Platform. You can also test your defenses against other vulnerability exploitation attacks, such as regreSSHion, Citrix Bleed, and Follina, within minutes with a 14-day free trial of the Picus Platform.
Picus Threat Library includes the following threats for Palo Alto CVE-2024-0012 and CVE-2024-9474 vulnerability exploitation attacks:
Threat ID |
Threat Name |
Attack Module |
39549 |
Palo Alto Networks Web Attack Campaign |
Web Application |
Picus also provides actionable mitigation content. Picus Mitigation Library includes prevention signatures to address Palo Alto CVE-2024-0012 and Palo Alto CVE-2024-9474 vulnerability exploitation attacks in preventive security controls. Currently, Picus Labs validated the following signatures for Palo Alto CVE-2024-0012 and Palo Alto CVE-2024-9474:
Security Control |
Signature ID |
Signature Name |
Check Point NGFW |
asm_dynamic_prop_CVE_2024_0012 |
Palo Alto Networks PAN-OS Authentication Bypass (CVE-2024-0012) |
Citrix NetScaler WAF |
Blocked by 'HTML Command Injection' Security Check |
|
F5 BIG-IP WAF |
200003924 |
"echo" execution attempt (2) |
F5 BIG-IP WAF |
200003045 |
Unix/Linux "echo" execution attempt (Parameter) |
F5 BIG-IP WAF |
200003044 |
Unix/Linux "uname" execution attempt (Parameter) |
Fortinet FortiGate NGFW |
56894 |
Palo.Alto.Networks.PAN-OS.Web.Interface.Authentication.Bypass |
ModSecurity WAF |
932100 |
Remote Command Execution: Unix Command Injection |
ModSecurity WAF |
932105 |
Remote Command Execution: Unix Command Injection |
ModSecurity WAF |
932130 |
Remote Command Execution: Unix Shell Expression Found |
ModSecurity WAF |
932200 |
RCE Bypass Technique |
Palo Alto Networks NGFW |
95746 |
Generic Malicious HTTP Request Detection |
Snort IPS |
1.2057705.1 |
ET WEB_SPECIFIC_APPS Palo Alto PAN-OS Authentication Bypass (CVE-2024-0012) |
Snort IPS |
1.2057706.1 |
ET WEB_SPECIFIC_APPS Palo Alto PAN-OS Command Injection in User Parameter |
Start simulating emerging threats today and get actionable mitigation insights with a 14-day free trial of the Picus Security Validation Platform.
References
[1] Unit, "Threat Brief: Operation Lunar Peek, Activity Related to CVE-2024-0012," Unit 42, Nov. 18, 2024. Available: https://unit42.paloaltonetworks.com/cve-2024-0012-cve-2024-9474/. [Accessed: Nov. 19, 2024]
[2] Sonny, "Pots and Pans, AKA an SSLVPN - Palo Alto PAN-OS CVE-2024-0012 and CVE-2024-9474," watchTowr Labs - Blog, Nov. 19, 2024. Available: https://labs.watchtowr.com/pots-and-pans-aka-an-sslvpn-palo-alto-pan-os-cve-2024-0012-and-cve-2024-9474/. [Accessed: Nov. 19, 2024]