
New PAN-OS Vulnerability Exposed: Steps to Defend Your Network 

On November 13, 2024, the Cybersecurity and Infrastructure Security Agency (CISA) released a threat alert for a critical vulnerability in the Palo Alto Networks PAN-OS management web interface. As detailed in the Palo Alto Networks security advisory, the vulnerability is an authentication bypass: an unauthenticated threat actor with network access to the management web interface can bypass PAN-OS authentication and obtain PAN-OS administrator privileges.

With those privileges, the threat actor can perform administrative actions such as tampering with the configuration, or exploit other vulnerabilities that require authentication, such as CVE-2024-9474 (a privilege-escalation flaw in the same interface), to achieve remote code execution on the firewall. As of November 15, Palo Alto Networks reported observing threat activity exploiting the vulnerability.
 

Alert and Advisory: 

Why is this vulnerability critical? 

The vulnerability requires no authentication and yields administrator privileges on the device once exploited. Many organizations have their management interfaces reachable from the internet, which makes vulnerable devices easy for a threat actor to discover and reach. Additionally, Palo Alto Networks has confirmed exploitation since the advisory was published, which increases the urgency of remediation.

Management interface reachable from external IP addresses: CVSS-BT 9.3 / CVSS-B 9.3
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:L/SI:N/SA:N/E:A/AU:N/R:U/V:C/RE:H/U:Red

Organizations that already restrict management console access to a managed virtual local area network (VLAN) or a secure jump box are still affected by the vulnerability, but with reduced exposure: the threat actor must first reach the restricted network, which the lower score below reflects. That lower score only holds if the restriction is actually enforced on the device, not merely documented.

Access restricted to VLAN/jump box: CVSS-BT 5.9 / CVSS-B 5.9
CVSS:4.0/AV:N/AC:L/AT:P/PR:H/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N/E:A/AU:N/R:U/V:C/RE:H/U:Red

Which versions of PAN-OS are impacted? 

The affected versions are widely deployed across Palo Alto Networks customers. Palo Alto Networks has stated that Cloud NGFW and Prisma Access are not affected.

Impacted Versions:  

  • PAN-OS 10.2  
  • PAN-OS 11.0 
  • PAN-OS 11.1  
  • PAN-OS 11.2 
     

How can organizations mitigate the vulnerability? 

The first step in mitigating this vulnerability is to restrict access to the management interface to a specific set of trusted internal IP addresses (the management network). Additionally, if you subscribe to Threat Prevention, you can block known attack traffic by enabling the signatures for the Threat IDs below; the steps required to block with these Threat IDs are given in the security advisory.

 Threat IDs:  

  • 95746 
  • 95747 
  • 95752 
  • 95753 
  • 95759 
  • 95763 

It is also recommended to upgrade vulnerable PAN-OS software to a fixed release: PAN-OS 10.2.12-h2, PAN-OS 11.0.6-h1, PAN-OS 11.1.5-h1, PAN-OS 11.2.4-h1, or any later PAN-OS version. Note that the fix for each train is a hotfix build, so a device on the same maintenance release without the hotfix (for example 11.1.5 rather than 11.1.5-h1) is still vulnerable.

For further mitigation and workaround guidance, Palo Alto Networks maintains a LIVEcommunity article that tracks the vulnerability and remediation actions: https://live.paloaltonetworks.com/t5/community-blogs/tips-amp-tricks-how-to-secure-the-management-access-of-your-palo/ba-p/464431
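To turn the fixed-release list above into a check you can run against a device inventory, here is an added example (written for this article, not Palo Alto Networks code). It parses PAN-OS version strings including the -hN hotfix suffix, compares each against the minimum fixed release for its train, and groups hosts by result. The fixed-release table is copied from the mitigation text above; the hostnames and versions in the sample inventory are constructed for illustration.

```python
"""Check PAN-OS versions against the fixed releases named in this article.

Added example, not Palo Alto Networks code. Version parsing follows the
PAN-OS naming convention major.minor.maint with an optional -hN hotfix.
"""
import re
from typing import NamedTuple

# Minimum fixed release per affected train, as listed in the mitigation section.
FIXED_RELEASES = {
    "10.2": "10.2.12-h2",
    "11.0": "11.0.6-h1",
    "11.1": "11.1.5-h1",
    "11.2": "11.2.4-h1",
}

_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:-h(\d+))?$")


class PanosVersion(NamedTuple):
    major: int
    minor: int
    maint: int
    hotfix: int  # 0 when the version carries no -hN suffix

    @property
    def train(self) -> str:
        return f"{self.major}.{self.minor}"


def parse_version(text: str) -> PanosVersion:
    """Parse strings such as '11.1.4-h7' or '10.2.9'; raise ValueError otherwise."""
    match = _VERSION_RE.match(text.strip())
    if not match:
        raise ValueError(f"unrecognised PAN-OS version: {text!r}")
    major, minor, maint, hotfix = match.groups()
    return PanosVersion(int(major), int(minor), int(maint), int(hotfix or 0))


def assess_version(text: str) -> str:
    """Return 'fixed', 'vulnerable' or 'unlisted' for a running PAN-OS version.

    'unlisted' means the train is not one the article names as affected. That is
    not a statement that it is safe, only that this table has nothing to say.
    Tuple comparison orders (major, minor, maint, hotfix), so 11.1.5 (hotfix 0)
    sorts below 11.1.5-h1, which is the behaviour the hotfix-only fix requires.
    """
    running = parse_version(text)
    fixed_text = FIXED_RELEASES.get(running.train)
    if fixed_text is None:
        return "unlisted"
    return "fixed" if running >= parse_version(fixed_text) else "vulnerable"


def triage(inventory: dict[str, str]) -> dict[str, list[str]]:
    """Group a {hostname: version} inventory by assessment result."""
    groups: dict[str, list[str]] = {"vulnerable": [], "fixed": [], "unlisted": []}
    for host, version in inventory.items():
        groups[assess_version(version)].append(host)
    return groups


if __name__ == "__main__":
    # Constructed inventory for illustration; hostnames and versions are made up.
    sample = {
        "fw-dc1-01": "11.1.4-h7",
        "fw-dc1-02": "11.1.5-h1",
        "fw-branch-07": "10.2.12-h2",
        "fw-branch-08": "10.2.12",
        "fw-lab-01": "10.1.14-h6",
    }
    for result, hosts in triage(sample).items():
        print(f"{result:10s} {', '.join(hosts) or '-'}")
```

The version string to feed in is what the device reports as its software version (for example from `show system info` on the CLI or the system information widget in the web UI); the script deliberately reports trains it does not know about as "unlisted" rather than guessing.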

What are the best practices to secure management consoles? 

Organizations often expose their management consoles to the internet for convenience, especially with the shift to working from anywhere. This exposure creates a severe risk: it lets a threat actor reach the login surface directly, and it leaks information about the device (such as product and version) that helps with targeting.

To reduce the risk of an exposed management console, organizations should:

Isolate the management console on a dedicated network. Provide remote access only through a virtual private network (VPN) or a jump server.

Implement an access control list (ACL) of approved source IP addresses (management workstations or the jump server) so that logins are accepted only from approved devices.

Allow access to the management console only over encrypted protocols such as SSH or HTTPS, and disable HTTP and Telnet.

Complete a best practice assessment of your firewalls to identify risks or misconfigurations, including an exposed management console. Repeat the assessment regularly, because new services or features get enabled and the operating system gets updated, and each change can reopen an exposure.

Continuously monitor your external attack surface. This quickly surfaces risks such as an exposed management console so that you can mitigate them, and lets you track exposures in near real time.
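As an added example for the ACL and protocol recommendations above, and for the first mitigation step of restricting the management interface to specific internal addresses, the following script is written for this article and is not Palo Alto Networks code. It audits a PAN-OS XML configuration export and flags a management (MGT) interface with no permitted-ip list or one containing 0.0.0.0/0, cleartext HTTP or Telnet explicitly enabled, and interface management profiles that enable HTTPS/SSH on data-plane interfaces without a source restriction. The element paths are my reading of the PAN-OS configuration layout and should be verified against an export from your own device; the embedded configuration is constructed for illustration and comes from no real firewall.

```python
"""Audit a PAN-OS XML configuration export for an exposed management plane.

Added example, not Palo Alto Networks code. Assumed paths (verify against
your own export): deviceconfig/system/permitted-ip, deviceconfig/system/
service/disable-*, and network/profiles/interface-management-profile.
"""
import xml.etree.ElementTree as ET

ANY_SOURCE = {"0.0.0.0/0", "::/0"}
CLEARTEXT = ("http", "telnet")   # management over these is never acceptable
ENCRYPTED = ("https", "ssh")     # acceptable only with a source restriction

# Constructed sample: MGT open to any source with HTTP/Telnet on, one weak and
# one restricted interface management profile.
SAMPLE_CONFIG = """\
<config version="11.1.0">
 <devices><entry name="localhost.localdomain">
  <deviceconfig><system>
   <service><disable-telnet>no</disable-telnet><disable-http>no</disable-http></service>
  </system></deviceconfig>
  <network><profiles><interface-management-profile>
   <entry name="allow-mgmt-untrust"><https>yes</https><ssh>yes</ssh><http>yes</http></entry>
   <entry name="mgmt-restricted"><https>yes</https><ssh>yes</ssh>
    <permitted-ip><entry name="10.10.0.0/24"/></permitted-ip></entry>
  </interface-management-profile></profiles></network>
 </entry></devices>
</config>
"""


def _flag(parent: ET.Element, tag: str, value: str) -> bool:
    """True when <tag> exists under parent and holds the given yes/no value."""
    child = parent.find(tag)
    return child is not None and (child.text or "").strip().lower() == value


def _permitted(parent: ET.Element) -> list[str]:
    return [e.get("name", "") for e in parent.findall("./permitted-ip/entry")]


def audit_config(xml_text: str) -> list[str]:
    """Return one finding per weakness found; an empty list means nothing flagged."""
    findings: list[str] = []
    root = ET.fromstring(xml_text)
    for dev in root.iterfind("./devices/entry"):
        dev_name = dev.get("name", "?")
        system = dev.find("./deviceconfig/system")
        if system is not None:
            # The MGT port's permitted-ip list is the ACL of approved sources.
            permitted = _permitted(system)
            if not permitted:
                findings.append(f"{dev_name}: MGT has no permitted-ip list, any source may connect")
            for net in permitted:
                if net in ANY_SOURCE:
                    findings.append(f"{dev_name}: MGT permitted-ip contains {net}, which allows every source")
            service = system.find("./service")
            if service is not None:
                # Services are modelled as disable-<svc>. Only an explicit "no" is
                # flagged; an absent element is left to the platform default.
                for svc in CLEARTEXT:
                    if _flag(service, f"disable-{svc}", "no"):
                        findings.append(f"{dev_name}: MGT accepts {svc} (disable-{svc}=no), use https/ssh only")
        # Interface management profiles expose management on data-plane interfaces.
        # Whether a profile is bound to an interface is not checked here.
        for prof in dev.iterfind("./network/profiles/interface-management-profile/entry"):
            pname = prof.get("name", "?")
            for svc in CLEARTEXT:
                if _flag(prof, svc, "yes"):
                    findings.append(f"profile {pname}: enables cleartext {svc}")
            enabled = [svc for svc in ENCRYPTED if _flag(prof, svc, "yes")]
            permitted = _permitted(prof)
            if enabled and (not permitted or ANY_SOURCE & set(permitted)):
                findings.append(f"profile {pname}: enables {'/'.join(enabled)} without a source restriction")
    return findings


if __name__ == "__main__":
    for finding in audit_config(SAMPLE_CONFIG) or ["no findings"]:
        print(finding)
```

Run it against a saved XML configuration export from the device. An empty result means only that none of these specific conditions was found; it does not prove the management plane is unreachable from the internet, which is what the attack-surface monitoring recommended above is for.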

Palo Alto Networks has also published tips and tricks for securing management access to Palo Alto Networks devices: https://live.paloaltonetworks.com/t5/community-blogs/tips-amp-tricks-how-to-secure-the-management-access-of-your-palo/ba-p/464431
