
2K Palo Alto un-patched firewalls hacked despite warnings


UPDATE

The Shadowserver Foundation on Nov. 20 reported that more than 2,000 Palo Alto Networks PAN-OS firewalls have been attacked since two security flaws – one of them critical – were reported on and patched earlier this month.

One security flaw was a critical (CVSS 9.3) authentication bypass – CVE-2024-0012 – in the PAN-OS management web interface that remote attackers can potentially exploit to gain administrative privileges. The second bug – CVE-2024-9474 – is a medium-severity (CVSS 6.9) PAN-OS privilege escalation flaw that lets attackers run commands on firewalls with root privileges.

Recognizing that the two bugs chained together could allow for remote execution, the Cybersecurity and Infrastructure Security Agency (CISA) on Monday added both vulnerabilities to its Known Exploited Vulnerabilities Catalog. CISA is now requiring federal agencies to patch their firewalls by December 9, a move that CISA also encourages private sector organizations to follow.

As of 1:45 p.m. ET, an attempt to reach Palo Alto Networks for a comment on the most recent news involving the PAN-OS bugs was unsuccessful.

However, on Monday SC Media reported that Palo Alto Networks advised security teams to restrict access to the management interface to only trusted internal IP addresses to prevent external access from the Internet, adding that "the vast majority of firewalls already follow Palo Alto Networks and industry best practices."

The immediate danger with these bugs is that attackers exploiting these vulnerabilities can gain full control over affected firewalls, compromising the very systems designed to protect sensitive networks, explained Patrick Tiquet, vice president, security and architecture at Keeper Security.

“This opens the door for malware deployment, data theft, lateral movement within the network and even complete network shutdowns,” said Tiquet. “For organizations relying on these firewalls, this could mean business disruption, loss of sensitive data and exposure to regulatory and financial consequences.”

Tiquet added that beyond patching immediately, security teams must prioritize assessing the potential damage from compromised firewalls. This includes checking for unauthorized access, scanning for malware and reviewing configurations to ensure no additional vulnerabilities were introduced during the attack.

While patching all vulnerable PAN-OS devices is the first step, security teams also need to secure access to the management interface by restricting access only to trusted IP addresses, reducing the attack surface, said Mayuresh Dani, manager, security research at the Qualys Threat Research Unit.
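The mitigation that both Palo Alto Networks and Dani describe above, restricting the management interface to trusted internal addresses, can be expressed as a PAN-OS CLI configuration. This is an added illustration, not configuration from the article or from Palo Alto Networks' advisory; the address ranges and the description string are constructed placeholders, and the exact CLI syntax should be confirmed against the PAN-OS version in use.

```text
# Weak state (PAN-OS default): no permitted-ip entries on the management
# interface, so any source that can route to it may reach the web UI/SSH.
# Verify from configuration mode; an empty result means unrestricted access:
admin@PA-FW> configure
admin@PA-FW# show deviceconfig system permitted-ip

# Corrected state: allow only the internal management network and a
# dedicated jump host (constructed example addresses), then commit.
admin@PA-FW# set deviceconfig system permitted-ip 10.10.50.0/24 description "internal-mgmt-net"
admin@PA-FW# set deviceconfig system permitted-ip 10.10.60.5/32 description "admin-jump-host"
admin@PA-FW# commit

# Re-check: the two entries above should now be the only sources permitted.
admin@PA-FW# show deviceconfig system permitted-ip
```

Any dataplane interface that also exposes management services needs the same restriction through its Interface Management Profile, and the change should be made from a host that is inside the permitted range so the session is not cut off at commit.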

“Sift through their installations and make sure none of the IOCs exist on their system,” said Dani. “If any of these exist, they should follow their organizational IR steps to remediate these devices."

Dani said teams should go through their installations, verify that they have not been altered in any way, and undo any changes they find. If this cannot be done, teams should restore the last "known good" configuration update and verify that it's working properly. Dani added that any virtual PAN-OS versions should be strictly checked for "jump-to-host" exploit conditions and upgraded or decommissioned irrespectively.

A Palo Alto Networks spokesperson said the company has been actively investigating the scope of impact related to these vulnerabilities (CVE-2024-0012 and CVE-2024-9474) and is closely engaged with its customers to provide mitigation support as needed.

The company said: "It's important to understand the scale of Palo Alto's device ecosystem, which comprises hundreds of thousands of firewalls. While reports have circulated suggesting a specific number of impacted devices, the company said it's crucial to note that 2,000 represents less than half of 1% of all Palo Alto Networks firewalls deployed globally that remain potentially unpatched. That said, even one potentially impacted device is one too many for us. This is why Palo Alto Networks has been relentless in its communications with customers to help secure their firewalls."

The spokesperson continued: "On November 8th, we proactively provided information to our customers, advising them to take immediate steps to secure their device management interfaces and mitigate potential threats. This guidance proved effective, as we have observed no threat activity on the vast majority of customer deployments. While widespread exploit attempts were not observed until after the vulnerability was publicly disclosed on November 19th, we are actively helping customers who were unable to take mitigating action in time and require additional support."

Editor's Note: This story was updated with a statement from Palo Alto Networks at 5:15 p.m. Eastern on Nov. 25.
