CVE-2024-2552: PAN-OS: Arbitrary File Delete Vulnerability in the Command Line Interface (CLI) (Severity: MEDIUM)
First published: Wed Nov 13 2024(Updated: )
A command injection vulnerability in Palo Alto Networks PAN-OS software enables an authenticated administrator to bypass system restrictions in the management plane and delete files on the firewall.
Credit: psirt@paloaltonetworks.com
| Affected Software | Affected Version | How to fix |
|---|---|---|
| Palo Alto Networks PAN-OS | >=10.2.0<10.2.7 | |
| Palo Alto Networks PAN-OS | >=11.0.0<11.0.6 | |
| Palo Alto Networks PAN-OS | >=11.1.0<11.1.4 | |
| Palo Alto Networks PAN-OS | >=11.2.0<11.2.4 | |
| Palo Alto Networks PAN-OS | =10.2.7 | |
| Palo Alto Networks PAN-OS | =10.2.7-h1 | |
| Palo Alto Networks PAN-OS | =10.2.7-h12 | |
| Palo Alto Networks PAN-OS | =10.2.7-h16 | |
| Palo Alto Networks PAN-OS | =10.2.7-h18 | |
| Palo Alto Networks PAN-OS | =10.2.7-h19 | |
| Palo Alto Networks PAN-OS | =10.2.7-h3 | |
| Palo Alto Networks PAN-OS | =10.2.7-h6 | |
| Palo Alto Networks PAN-OS | =10.2.7-h8 | |
| Palo Alto Networks PAN-OS | =10.2.8 | |
| Palo Alto Networks PAN-OS | =10.2.8-h10 | |
| Palo Alto Networks PAN-OS | =10.2.8-h13 | |
| Palo Alto Networks PAN-OS | =10.2.8-h15 | |
| Palo Alto Networks PAN-OS | =10.2.8-h3 | |
| Palo Alto Networks PAN-OS | =10.2.8-h4 | |
| Palo Alto Networks PAN-OS | =10.2.9 | |
| Palo Alto Networks PAN-OS | =10.2.9-h1 | |
| Palo Alto Networks PAN-OS | =10.2.9-h11 | |
| Palo Alto Networks PAN-OS | =10.2.9-h14 | |
| Palo Alto Networks PAN-OS | =10.2.9-h16 | |
| Palo Alto Networks PAN-OS | =10.2.9-h9 | |
| Palo Alto Networks PAN-OS | =10.2.10 | |
| Palo Alto Networks PAN-OS | =10.2.10-h2 | |
| Palo Alto Networks PAN-OS | =10.2.10-h3 | |
| Palo Alto Networks PAN-OS | =10.2.10-h4 | |
| Palo Alto Networks PAN-OS | =10.2.10-h5 | |
| Palo Alto Networks PAN-OS | =10.2.10-h7 | |
| Palo Alto Networks PAN-OS | =10.2.10-h9 | |
| Palo Alto Networks PAN-OS | =10.2.11 | |
| Palo Alto Networks PAN-OS | =10.2.11-h1 | |
| Palo Alto Networks PAN-OS | =10.2.11-h2 | |
| Palo Alto Networks PAN-OS | =10.2.11-h3 | |
| Palo Alto Networks PAN-OS | =10.2.11-h4 | |
| Palo Alto Networks PAN-OS | =10.2.11-h6 | |
| Palo Alto Networks PAN-OS | =11.1.4 | |
| Palo Alto Networks PAN-OS | =11.1.4-h1 | |
| Palo Alto Networks PAN-OS | =11.1.4-h4 | |
| Palo Alto Networks PAN-OS | =11.1.4-h7 | |
| Palo Alto Networks Cloud NGFW | ||
| Palo Alto PAN-OS | <11.2.4=11.2.0<11.1.5=11.1.0<11.0.6=11.0.0<10.2.12=10.2.0 | 11.2.4 11.1.5 11.1.4-h9 11.0.6 10.2.12 10.2.9-h18 10.2.8-h18 10.2.10-h10 10.2.11-h9 10.2.7-h21 |
| Palo Alto Networks Prisma Access |
Remedy
We strongly recommend customers to ensure access to your management interface is configured correctly in accordance with our recommended best practice deployment guidelines. In particular, we recommend that you ensure that access to the management interface is possible only from trusted internal IPs and not from the Internet. The vast majority of firewalls already follow this Palo Alto Networks and industry best practice. Please see the following link for additional information regarding how to secure the management access of your palo alto networks device: https://live.paloaltonetworks.com/t5/community-blogs/tips-amp-tricks-how-to-secure-the-management-access-of-your-palo/ba-p/464431 https://live.paloaltonetworks.com/t5/community-blogs/tips-amp-tricks-how-to-secure-the-management-access-of-your-palo/ba-p/464431
Remedy
This issue is fixed in PAN-OS 10.2.12, PAN-OS 11.0.6, PAN-OS 11.1.5, PAN-OS 11.2.4, and all later PAN-OS versions. In addition, in an attempt to provide the most seamless upgrade path for our customers, we are making additional fixes available as noted below: * Additional 11.1 fix: * 11.1.4-h9 * Additional 10.2 fixes: * 10.2.11-h9 * 10.2.10-h10 * 10.2.9-h18 * 10.2.8-h18 * 10.2.7-h21
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
Frequently Asked Questions
What is the severity of CVE-2024-2552?
CVE-2024-2552 is classified as a critical severity vulnerability due to its ability to allow authenticated administrators to execute unauthorized commands.
How do I fix CVE-2024-2552?
To fix CVE-2024-2552, update your Palo Alto Networks PAN-OS to the latest patched version listed by the vendor.
Which versions are affected by CVE-2024-2552?
CVE-2024-2552 affects multiple versions of PAN-OS, including versions up to 11.2.4, as well as specific prior versions.
Who can exploit CVE-2024-2552?
CVE-2024-2552 can be exploited by an authenticated administrator with access to the management plane.
What are the potential outcomes of exploiting CVE-2024-2552?
Exploitation of CVE-2024-2552 could lead to unauthorized file deletion on the firewall, compromising the integrity and security of the system.
- agent/weakness
- agent/references
- agent/type
- agent/author
- collector/mitre-cve
- source/MITRE
- agent/title
- agent/description
- agent/trending
- agent/first-publish-date
- collector/paloaltonetworks-latest
- source/Palo Alto Networks
- agent/remedy
- agent/source
- agent/last-modified-date
- agent/severity
- agent/event
- collector/nvd-api
- source/NVD
- agent/software-canonical-lookup
- agent/software-canonical-lookup-request
- agent/softwarecombine
- agent/tags
- collector/paloaltonetworks-api
- vendor/paloaltonetworks
- canonical/palo alto networks pan-os
- version/palo alto networks pan-os/10.2.0
- version/palo alto networks pan-os/11.0.0
- version/palo alto networks pan-os/11.1.0
- version/palo alto networks pan-os/11.2.0
- version/palo alto networks pan-os/10.2.7
- version/palo alto networks pan-os/10.2.7-h1
- version/palo alto networks pan-os/10.2.7-h12
- version/palo alto networks pan-os/10.2.7-h16
- version/palo alto networks pan-os/10.2.7-h18
- version/palo alto networks pan-os/10.2.7-h19
- version/palo alto networks pan-os/10.2.7-h3
- version/palo alto networks pan-os/10.2.7-h6
- version/palo alto networks pan-os/10.2.7-h8
- version/palo alto networks pan-os/10.2.8
- version/palo alto networks pan-os/10.2.8-h10
- version/palo alto networks pan-os/10.2.8-h13
- version/palo alto networks pan-os/10.2.8-h15
- version/palo alto networks pan-os/10.2.8-h3
- version/palo alto networks pan-os/10.2.8-h4
- version/palo alto networks pan-os/10.2.9
- version/palo alto networks pan-os/10.2.9-h1
- version/palo alto networks pan-os/10.2.9-h11
- version/palo alto networks pan-os/10.2.9-h14
- version/palo alto networks pan-os/10.2.9-h16
- version/palo alto networks pan-os/10.2.9-h9
- version/palo alto networks pan-os/10.2.10
- version/palo alto networks pan-os/10.2.10-h2
- version/palo alto networks pan-os/10.2.10-h3
- version/palo alto networks pan-os/10.2.10-h4
- version/palo alto networks pan-os/10.2.10-h5
- version/palo alto networks pan-os/10.2.10-h7
- version/palo alto networks pan-os/10.2.10-h9
- version/palo alto networks pan-os/10.2.11
- version/palo alto networks pan-os/10.2.11-h1
- version/palo alto networks pan-os/10.2.11-h2
- version/palo alto networks pan-os/10.2.11-h3
- version/palo alto networks pan-os/10.2.11-h4
- version/palo alto networks pan-os/10.2.11-h6
- version/palo alto networks pan-os/11.1.4
- version/palo alto networks pan-os/11.1.4-h1
- version/palo alto networks pan-os/11.1.4-h4
- version/palo alto networks pan-os/11.1.4-h7
- vendor/palo alto networks
- canonical/palo alto networks cloud ngfw
- canonical/palo alto pan-os
- version/palo alto pan-os/11.2.0
- version/palo alto pan-os/11.1.0
- version/palo alto pan-os/11.0.0
- version/palo alto pan-os/10.2.0
- canonical/palo alto networks prisma access