- Vulnerability/
- CVE-2024-0012
CVE-2024-0012: PAN-OS: Authentication Bypass in the Management Web Interface (PAN-SA-2024-0015) (Severity: CRITICAL)
First published: Mon Nov 18 2024(Updated: )
An authentication bypass in Palo Alto Networks PAN-OS software enables an unauthenticated attacker with network access to the management web interface to gain PAN-OS administrator privileges to perform administrative actions, tamper with the configuration, or exploit other authenticated privilege escalation vulnerabilities like CVE-2024-9474 https://security.paloaltonetworks.com/CVE-2024-9474 . The risk of this issue is greatly reduced if you secure access to the management web interface by restricting access to only trusted internal IP addresses according to our recommended best practice deployment guidelines https://live.paloaltonetworks.com/t5/community-blogs/tips-amp-tricks-how-to-secure-the-management-access-of-your-palo/ba-p/464431 . This issue is applicable only to PAN-OS 10.2, PAN-OS 11.0, PAN-OS 11.1, and PAN-OS 11.2 software. Cloud NGFW and Prisma Access are not impacted by this vulnerability.
Credit: psirt@paloaltonetworks.com psirt@paloaltonetworks.com
| Affected Software | Affected Version | How to fix |
|---|---|---|
| Palo Alto Networks PAN-OS | ||
| Palo Alto Networks PAN-OS | >=10.2.0<10.2.12 | |
| Palo Alto Networks PAN-OS | >=11.0.0<11.0.6 | |
| Palo Alto Networks PAN-OS | >=11.1.0<11.1.5 | |
| Palo Alto Networks PAN-OS | >=11.2.0<11.2.4 | |
| Palo Alto Networks PAN-OS | =10.2.12 | |
| Palo Alto Networks PAN-OS | =10.2.12-h1 | |
| Palo Alto Networks PAN-OS | =11.0.6 | |
| Palo Alto Networks PAN-OS | =11.1.5 | |
| Palo Alto Networks PAN-OS | =11.2.4 | |
| Palo Alto Networks Cloud NGFW | ||
| Palo Alto Networks PAN-OS | <11.2.4-h1=11.2.0<11.1.5-h1=11.1.0<11.0.6-h1=11.0.0<10.2.12-h2=10.2.0 | 11.2.4-h1 11.2.1-h1 11.2.2-h2 11.2.3-h3 11.1.5-h1 11.1.0-h4 11.1.1-h2 11.1.2-h15 11.1.3-h11 11.1.4-h7 11.0.6-h1 11.0.0-h4 11.0.1-h5 11.0.2-h5 11.0.3-h13 11.0.4-h6 11.0.5-h2 10.2.12-h2 10.2.0-h4 10.2.1-h3 10.2.2-h6 10.2.3-h14 10.2.4-h32 10.2.5-h9 10.2.6-h6 10.2.7-h18 10.2.8-h15 10.2.9-h16 10.2.10-h9 10.2.11-h6 |
| Palo Alto Networks Prisma Access |
Remedy
Apply mitigations per vendor instructions or discontinue use of the product if mitigations are unavailable. Additionally, management interface for affected devices should not be exposed to untrusted networks, including the internet.
Remedy
Recommended mitigation—The vast majority of firewalls already follow Palo Alto Networks and industry best practices. However, if you haven’t already, we strongly recommend that you secure access to your management interface according to our best practice deployment guidelines. Specifically, you should restrict access to the management interface to only trusted internal IP addresses to prevent external access from the internet. Additionally, if you have a Threat Prevention subscription, you can block these attacks using Threat IDs 95746, 95747, 95752, 95753, 95759, and 95763 (available in Applications and Threats content version 8915-9075 and later). For these Threat IDs to protect against attacks for this vulnerability, * Ensure that all the listed Threat IDs are set to block mode, * Route incoming traffic for the MGT port through a DP port (https://docs.paloaltonetworks.com/best-practices/10-1/administrative-access-best-practices/administrative-access-best-practices/deploy-administrative-access-best-practices#id59206398-3dab-4b2f-9b4b-7ea500d036ba), e.g., enabling management profile on a DP interface for management access, * Replace the Certificate for Inbound Traffic Management (https://docs.paloaltonetworks.com/best-practices/10-1/administrative-access-best-practices/administrative-access-best-practices/deploy-administrative-access-best-practices#id112f7714-8995-4496-bbf9-781e63dec71c), * Decrypt inbound traffic to the management interface so the firewall can inspect it (https://docs.paloaltonetworks.com/best-practices/10-1/administrative-access-best-practices/administrative-access-best-practices/deploy-administrative-access-best-practices#idbbd82587-17a2-42b4-9245-d3714e1e13a2), and * Enable threat prevention on the inbound traffic to management services. Review information about how to secure management access to your Palo Alto Networks firewalls: * Palo Alto Networks LIVEcommunity article: https://live.paloaltonetworks.com/t5/community-blogs/tips-amp-tricks-how-to-secure-the-management-access-of-your-palo/ba-p/464431 * Palo Alto Networks official and more detailed technical documentation: https://docs.paloaltonetworks.com/best-practices/10-1/administrative-access-best-practices/administrative-access-best-practices/deploy-administrative-access-best-practices
Remedy
We strongly recommend that you secure access to your management interface following the instructions in the workarounds section below. This issue is fixed in PAN-OS 10.2.12-h2, PAN-OS 11.0.6-h1, PAN-OS 11.1.5-h1, PAN-OS 11.2.4-h1, and all later PAN-OS versions. In addition, in an attempt to provide the most seamless upgrade path for our customers, we are making fixes available for other TAC-preferred and commonly deployed maintenance releases. * Additional PAN-OS 11.2 fixes: * 11.2.0-h1 * 11.2.1-h1 * 11.2.2-h2 * 11.2.3-h3 * 11.2.4-h1 * Additional PAN-OS 11.1 fixes: * 11.1.0-h4 * 11.1.1-h2 * 11.1.2-h15 * 11.1.3-h11 * 11.1.4-h7 * 11.1.5-h1 * Additional PAN-OS 11.0 fixes: * 11.0.0-h4 * 11.0.1-h5 * 11.0.2-h5 * 11.0.3-h13 * 11.0.4-h6 * 11.0.5-h2 * 11.0.6-h1 * Additional PAN-OS 10.2 fixes: * 10.2.0-h4 * 10.2.1-h3 * 10.2.2-h6 * 10.2.3-h14 * 10.2.4-h32 * 10.2.5-h9 * 10.2.6-h6 * 10.2.7-h18 * 10.2.8-h15 * 10.2.9-h16 * 10.2.10-h9 * 10.2.11-h6 * 10.2.12-h2
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
- https://security.paloaltonetworks.com/CVE-2024-0012
- https://nvd.nist.gov/vuln/detail/CVE-2024-0012
- https://www.bleepingcomputer.com/news/security/palo-alto-networks-patches-two-firewall-zero-days-used-in-attacks/
- https://www.bleepingcomputer.com/news/security/palo-alto-networks-warns-of-critical-rce-zero-day-exploited-in-attacks/
- https://www.theregister.com/2024/11/19/palo_alto_networks_patches/
- https://www.bleepingcomputer.com/news/security/cisa-tags-progress-kemp-loadmaster-flaw-as-exploited-in-attacks/
- https://www.bleepingcomputer.com/news/security/over-2-000-palo-alto-firewalls-hacked-using-recently-patched-bugs/
- https://www.theregister.com/2024/11/22/palo_alto_firewalls_under_exploit/
- https://unit42.paloaltonetworks.com/cve-2024-0012-cve-2024-9474/
- https://labs.watchtowr.com/pots-and-pans-aka-an-sslvpn-palo-alto-pan-os-cve-2024-0012-and-cve-2024-9474/
- agent/weakness
- agent/type
- exploited/true
- collector/cisa-known-exploited
- source/CISA
- agent/software-canonical-lookup
- agent/first-publish-date
- agent/author
- collector/bleeping-computer
- source/BleepingComputer
- alias/CVE-2024-0012
- alias/CVE-2024-9474
- alias/CVE-2024-5910
- collector/the-register
- source/The Register
- alias/CVE-2024-1212
- alias/CVE-2024-7591
- alias/CVE-2024-3400
- agent/references
- collector/paloaltonetworks-latest
- source/Palo Alto Networks
- agent/title
- agent/severity
- collector/mitre-cve
- source/MITRE
- agent/event
- agent/remedy
- agent/description
- agent/trending
- agent/last-modified-date
- agent/source
- collector/nvd-api
- source/NVD
- agent/software-canonical-lookup-request
- collector/nvd-cve
- agent/softwarecombine
- agent/tags
- collector/paloaltonetworks-api
- vendor/palo alto networks
- canonical/palo alto networks pan-os
- vendor/paloaltonetworks
- version/palo alto networks pan-os/10.2.0
- version/palo alto networks pan-os/11.0.0
- version/palo alto networks pan-os/11.1.0
- version/palo alto networks pan-os/11.2.0
- version/palo alto networks pan-os/10.2.12
- version/palo alto networks pan-os/10.2.12-h1
- version/palo alto networks pan-os/11.0.6
- version/palo alto networks pan-os/11.1.5
- version/palo alto networks pan-os/11.2.4