Action not permitted
Modal body text goes here.
Modal Title
Modal Body
wid-sec-w-2024-3398
Vulnerability from csaf_certbund
Published
2024-11-10 23:00
Modified
2024-11-21 23:00
Summary
PaloAlto Networks PAN-OS: Mehrere Schwachstellen ermöglichen Privilegieneskalation
Notes
Das BSI ist als Anbieter für die eigenen, zur Nutzung bereitgestellten Inhalte nach den allgemeinen Gesetzen verantwortlich. Nutzerinnen und Nutzer sind jedoch dafür verantwortlich, die Verwendung und/oder die Umsetzung der mit den Inhalten bereitgestellten Informationen sorgfältig im Einzelfall zu prüfen.
Produktbeschreibung
PAN-OS ist das Betriebssystem der Sicherheitssysteme / Firewalls der Firma Palo Alto Networks.
Angriff
Ein entfernter, anonymer Angreifer kann mehrere Schwachstellen in PaloAlto Networks PAN-OS ausnutzen, um die Authentisierung zu umgehen und anschließend Root-Rechte zu erlangen.
Betroffene Betriebssysteme
- Appliance
- Hardware Appliance
{ document: { aggregate_severity: { text: "kritisch", }, category: "csaf_base", csaf_version: "2.0", distribution: { tlp: { label: "WHITE", url: "https://www.first.org/tlp/", }, }, lang: "de-DE", notes: [ { category: "legal_disclaimer", text: "Das BSI ist als Anbieter für die eigenen, zur Nutzung bereitgestellten Inhalte nach den allgemeinen Gesetzen verantwortlich. Nutzerinnen und Nutzer sind jedoch dafür verantwortlich, die Verwendung und/oder die Umsetzung der mit den Inhalten bereitgestellten Informationen sorgfältig im Einzelfall zu prüfen.", }, { category: "description", text: "PAN-OS ist das Betriebssystem der Sicherheitssysteme / Firewalls der Firma Palo Alto Networks.", title: "Produktbeschreibung", }, { category: "summary", text: "Ein entfernter, anonymer Angreifer kann mehrere Schwachstellen in PaloAlto Networks PAN-OS ausnutzen, um die Authentisierung zu umgehen und anschließend Root-Rechte zu erlangen.", title: "Angriff", }, { category: "general", text: "- Appliance\n- Hardware Appliance", title: "Betroffene Betriebssysteme", }, ], publisher: { category: "other", contact_details: "csaf-provider@cert-bund.de", name: "Bundesamt für Sicherheit in der Informationstechnik", namespace: "https://www.bsi.bund.de", }, references: [ { category: "self", summary: "WID-SEC-W-2024-3398 - CSAF Version", url: "https://wid.cert-bund.de/.well-known/csaf/white/2024/wid-sec-w-2024-3398.json", }, { category: "self", summary: "WID-SEC-2024-3398 - Portal Version", url: "https://wid.cert-bund.de/portal/wid/securityadvisory?name=WID-SEC-2024-3398", }, { category: "external", summary: "Palo Alto Networks Security Advisories vom 2024-11-10", url: "https://security.paloaltonetworks.com/PAN-SA-2024-0015", }, { category: "external", summary: "Palo Alto Networks Security Advisories vom 2024-11-14", url: "https://security.paloaltonetworks.com/PAN-SA-2024-0015", }, { category: "external", summary: "Palo Alto Networks Security Advisories / CVE-2024-0012", url: "https://security.paloaltonetworks.com/CVE-2024-0012", }, { category: "external", summary: "Palo Alto Networks Security Advisories / CVE-2024-9474", url: "https://security.paloaltonetworks.com/CVE-2024-9474", }, { category: "external", summary: "Threat Brief: Operation Lunar Peek, Activity Related to CVE-2024-0012", url: "https://unit42.paloaltonetworks.com/cve-2024-0012-cve-2024-9474/", }, { category: "external", summary: "WatchTower Labs Vulnerability Research vom 2024-11-21", url: "https://labs.watchtowr.com/pots-and-pans-aka-an-sslvpn-palo-alto-pan-os-cve-2024-0012-and-cve-2024-9474/", }, ], source_lang: "en-US", title: "PaloAlto Networks PAN-OS: Mehrere Schwachstellen ermöglichen Privilegieneskalation", tracking: { current_release_date: "2024-11-21T23:00:00.000+00:00", generator: { date: "2024-11-22T10:38:12.360+00:00", engine: { name: "BSI-WID", version: "1.3.8", }, }, id: "WID-SEC-W-2024-3398", initial_release_date: "2024-11-10T23:00:00.000+00:00", revision_history: [ { date: "2024-11-10T23:00:00.000+00:00", number: "1", summary: "Initiale Fassung", }, { date: "2024-11-14T23:00:00.000+00:00", number: "2", summary: "Schwachstelle wird aktiv ausgenutzt", }, { date: "2024-11-18T23:00:00.000+00:00", number: "3", summary: "Updates von PaloAlto aufgenommen", }, { date: "2024-11-21T23:00:00.000+00:00", number: "4", summary: "Report von WatchTower Labs ergänzt", }, ], status: "final", version: "4", }, }, product_tree: { branches: [ { branches: [ { branches: [ { category: "product_name", name: "PaloAlto Networks PAN-OS", product: { name: "PaloAlto Networks PAN-OS", product_id: "T038888", product_identification_helper: { cpe: "cpe:/o:paloaltonetworks:pan-os:-", }, }, }, { category: "product_version_range", name: "<11.2.4-h1", product: { name: "PaloAlto Networks PAN-OS <11.2.4-h1", product_id: "T039225", }, }, { category: "product_version", name: "11.2.4-h1", product: { name: "PaloAlto Networks PAN-OS 11.2.4-h1", product_id: "T039225-fixed", product_identification_helper: { cpe: "cpe:/o:paloaltonetworks:pan-os:11.2.4-h1", }, }, }, { category: "product_version_range", name: "<11.1.5-h1", product: { name: "PaloAlto Networks PAN-OS <11.1.5-h1", product_id: "T039226", }, }, { category: "product_version", name: "11.1.5-h1", product: { name: "PaloAlto Networks PAN-OS 11.1.5-h1", product_id: "T039226-fixed", product_identification_helper: { cpe: "cpe:/o:paloaltonetworks:pan-os:11.1.5-h1", }, }, }, { category: "product_version_range", name: "<11.0.6-h1", product: { name: "PaloAlto Networks PAN-OS <11.0.6-h1", product_id: "T039227", }, }, { category: "product_version", name: "11.0.6-h1", product: { name: "PaloAlto Networks PAN-OS 11.0.6-h1", product_id: "T039227-fixed", product_identification_helper: { cpe: "cpe:/o:paloaltonetworks:pan-os:11.0.6-h1", }, }, }, { category: "product_version_range", name: "<10.2.12-h2", product: { name: "PaloAlto Networks PAN-OS <10.2.12-h2", product_id: "T039228", }, }, { category: "product_version", name: "10.2.12-h2", product: { name: "PaloAlto Networks PAN-OS 10.2.12-h2", product_id: "T039228-fixed", product_identification_helper: { cpe: "cpe:/o:paloaltonetworks:pan-os:10.2.12-h2", }, }, }, { category: "product_version_range", name: "<10.1.14-h6", product: { name: "PaloAlto Networks PAN-OS <10.1.14-h6", product_id: "T039229", }, }, { category: "product_version", name: "10.1.14-h6", product: { name: "PaloAlto Networks PAN-OS 10.1.14-h6", product_id: "T039229-fixed", product_identification_helper: { cpe: "cpe:/o:paloaltonetworks:pan-os:10.1.14-h6", }, }, }, ], category: "product_name", name: "PAN-OS", }, ], category: "vendor", name: "PaloAlto Networks", }, ], }, vulnerabilities: [ { cve: "CVE-2024-0012", notes: [ { category: "description", text: "In PaloAlto Networks PAN-OS gibt es mehrere Schwachstellen, die die Verwaltungsschnittstelle betreffen. Eine Umgehung der Authentifizierung ermöglicht es einem anonymen Angreifer, sich Zugang zur Verwaltungsschnittstelle zu verschaffen. Die zweite Schwachstelle ist eine Privilegienerweiterung, die es dem Angreifer ermöglicht, Aktionen auf der Firewall mit Root-Rechten durchzuführen. Ein entfernter, anonymer Angreifer kann diese Schwachstellen in Kombination ausnutzen, um die Kontrolle über die betroffenen Systeme zu übernehmen, insbesondere wenn die Verwaltungsschnittstelle mit nicht vertrauenswürdigen Netzwerken verbunden ist.", }, ], product_status: { known_affected: [ "T039227", "T039226", "T038888", "T039229", "T039228", "T039225", ], }, release_date: "2024-11-10T23:00:00.000+00:00", title: "CVE-2024-0012", }, { cve: "CVE-2024-9474", notes: [ { category: "description", text: "In PaloAlto Networks PAN-OS gibt es mehrere Schwachstellen, die die Verwaltungsschnittstelle betreffen. Eine Umgehung der Authentifizierung ermöglicht es einem anonymen Angreifer, sich Zugang zur Verwaltungsschnittstelle zu verschaffen. Die zweite Schwachstelle ist eine Privilegienerweiterung, die es dem Angreifer ermöglicht, Aktionen auf der Firewall mit Root-Rechten durchzuführen. Ein entfernter, anonymer Angreifer kann diese Schwachstellen in Kombination ausnutzen, um die Kontrolle über die betroffenen Systeme zu übernehmen, insbesondere wenn die Verwaltungsschnittstelle mit nicht vertrauenswürdigen Netzwerken verbunden ist.", }, ], product_status: { known_affected: [ "T039227", "T039226", "T038888", "T039229", "T039228", "T039225", ], }, release_date: "2024-11-10T23:00:00.000+00:00", title: "CVE-2024-9474", }, ], }
cve-2024-0012
Vulnerability from cvelistv5
Published
2024-11-18 15:47
Modified
2024-11-29 16:08
Severity ?
Summary
An authentication bypass in Palo Alto Networks PAN-OS software enables an unauthenticated attacker with network access to the management web interface to gain PAN-OS administrator privileges to perform administrative actions, tamper with the configuration, or exploit other authenticated privilege escalation vulnerabilities like CVE-2024-9474 https://security.paloaltonetworks.com/CVE-2024-9474 .
The risk of this issue is greatly reduced if you secure access to the management web interface by restricting access to only trusted internal IP addresses according to our recommended best practice deployment guidelines https://live.paloaltonetworks.com/t5/community-blogs/tips-amp-tricks-how-to-secure-the-management-access-of-your-palo/ba-p/464431 .
This issue is applicable only to PAN-OS 10.2, PAN-OS 11.0, PAN-OS 11.1, and PAN-OS 11.2 software.
Cloud NGFW and Prisma Access are not impacted by this vulnerability.
References
| ▼ | URL | Tags |
|---|---|---|
| https://security.paloaltonetworks.com/CVE-2024-0012 | vendor-advisory |
Impacted products
| Vendor | Product | Version | ||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| ▼ | Palo Alto Networks | Cloud NGFW | ||||||||||||
|
||||||||||||||
{ containers: { adp: [ { metrics: [ { other: { content: { id: "CVE-2024-0012", options: [ { Exploitation: "active", }, { Automatable: "yes", }, { "Technical Impact": "total", }, ], role: "CISA Coordinator", timestamp: "2024-11-19T04:55:47.202753Z", version: "2.0.3", }, type: "ssvc", }, }, { other: { content: { dateAdded: "2024-11-18", reference: "https://www.cisa.gov/known-exploited-vulnerabilities-catalog?search_api_fulltext=CVE-2024-0012", }, type: "kev", }, }, ], providerMetadata: { dateUpdated: "2024-11-29T16:08:34.490Z", orgId: "134c704f-9b21-4f2e-91b3-4a467353bcc0", shortName: "CISA-ADP", }, references: [ { url: "https://labs.watchtowr.com/pots-and-pans-aka-an-sslvpn-palo-alto-pan-os-cve-2024-0012-and-cve-2024-9474/", }, ], title: "CISA ADP Vulnrichment", }, { providerMetadata: { dateUpdated: "2024-11-24T14:44:56.514Z", orgId: "af854a3a-2127-422b-91ae-364da2661108", shortName: "CVE", }, references: [ { url: "https://unit42.paloaltonetworks.com/cve-2024-0012-cve-2024-9474/", }, ], title: "CVE Program Container", x_generator: { engine: "ADPogram 0.0.1", }, }, ], cna: { affected: [ { defaultStatus: "unaffected", product: "Cloud NGFW", vendor: "Palo Alto Networks", versions: [ { status: "unaffected", version: "All", }, ], }, { cpes: [ "cpe:2.3:o:paloaltonetworks:pan-os:11.2.4:-:*:*:*:*:*:*", "cpe:2.3:o:paloaltonetworks:pan-os:11.2.3:-:*:*:*:*:*:*", "cpe:2.3:o:paloaltonetworks:pan-os:11.2.2:h1:*:*:*:*:*:*", "cpe:2.3:o:paloaltonetworks:pan-os:11.2.1:-:*:*:*:*:*:*", "cpe:2.3:o:paloaltonetworks:pan-os:11.2.0:-:*:*:*:*:*:*", "cpe:2.3:o:paloaltonetworks:pan-os:11.2:-:*:*:*:*:*:*", "cpe:2.3:o:paloaltonetworks:pan-os:11.1.5:-:*:*:*:*:*:*", "cpe:2.3:o:paloaltonetworks:pan-os:11.1.4:h4:*:*:*:*:*:*", "cpe:2.3:o:paloaltonetworks:pan-os:11.1.4:h3:*:*:*:*:*:*", "cpe:2.3:o:paloaltonetworks:pan-os:11.1.4:h2:*:*:*:*:*:*", "cpe:2.3:o:paloaltonetworks:pan-os:11.1.4:h1:*:*:*:*:*:*", "cpe:2.3:o:paloaltonetworks:pan-os:11.1.4:-:*:*:*:*:*:*", "cpe:2.3:o:paloaltonetworks:pan-os:11.1.3:h10:*:*:*:*:*:*", "cpe:2.3:o:paloaltonetworks:pan-os:11.1.3:h9:*:*:*:*:*:*", "cpe:2.3:o:paloaltonetworks:pan-os:11.1.3:h8:*:*:*:*:*:*", "cpe:2.3:o:paloaltonetworks:pan-os:11.1.3:h7:*:*:*:*:*:*", "cpe:2.3:o:paloaltonetworks:pan-os:11.1.3:h6:*:*:*:*:*:*", "cpe:2.3:o:paloaltonetworks:pan-os:11.1.3:h5:*:*:*:*:*:*", "cpe:2.3:o:paloaltonetworks:pan-os:11.1.3:h4:*:*:*:*:*:*", "cpe:2.3:o:paloaltonetworks:pan-os:11.1.3:h3:*:*:*:*:*:*", "cpe:2.3:o:paloaltonetworks:pan-os:11.1.3:h2:*:*:*:*:*:*", "cpe:2.3:o:paloaltonetworks:pan-os:11.1.3:h1:*:*:*:*:*:*", "cpe:2.3:o:paloaltonetworks:pan-os:11.1.3:-:*:*:*:*:*:*", "cpe:2.3:o:paloaltonetworks:pan-os:11.1.2:h14:*:*:*:*:*:*", "cpe:2.3:o:paloaltonetworks:pan-os:11.1.2:h13:*:*:*:*:*:*", "cpe:2.3:o:paloaltonetworks:pan-os:11.1.2:h12:*:*:*:*:*:*", "cpe:2.3:o:paloaltonetworks:pan-os:11.1.2:h11:*:*:*:*:*:*", "cpe:2.3:o:paloaltonetworks:pan-os:11.1.2:h10:*:*:*:*:*:*", "cpe:2.3:o:paloaltonetworks:pan-os:11.1.2:h9:*:*:*:*:*:*", "cpe:2.3:o:paloaltonetworks:pan-os:11.1.2:h8:*:*:*:*:*:*", "cpe:2.3:o:paloaltonetworks:pan-os:11.1.2:h7:*:*:*:*:*:*", "cpe:2.3:o:paloaltonetworks:pan-os:11.1.2:h6:*:*:*:*:*:*", "cpe:2.3:o:paloaltonetworks:pan-os:11.1.2:h5:*:*:*:*:*:*", "cpe:2.3:o:paloaltonetworks:pan-os:11.1.2:h4:*:*:*:*:*:*", "cpe:2.3:o:paloaltonetworks:pan-os:11.1.2:h3:*:*:*:*:*:*", "cpe:2.3:o:paloaltonetworks:pan-os:11.1.2:h2:*:*:*:*:*:*", "cpe:2.3:o:paloaltonetworks:pan-os:11.1.2:h1:*:*:*:*:*:*", "cpe:2.3:o:paloaltonetworks:pan-os:11.1.2:-:*:*:*:*:*:*", "cpe:2.3:o:paloaltonetworks:pan-os:11.1.1:h1:*:*:*:*:*:*", "cpe:2.3:o:paloaltonetworks:pan-os:11.1.1:-:*:*:*:*:*:*", "cpe:2.3:o:paloaltonetworks:pan-os:11.1.0:h3:*:*:*:*:*:*", "cpe:2.3:o:paloaltonetworks:pan-os:11.1.0:h2:*:*:*:*:*:*", "cpe:2.3:o:paloaltonetworks:pan-os:11.1.0:h1:*:*:*:*:*:*", "cpe:2.3:o:paloaltonetworks:pan-os:11.1.0:-:*:*:*:*:*:*", "cpe:2.3:o:paloaltonetworks:pan-os:11.1:-:*:*:*:*:*:*", "cpe:2.3:o:paloaltonetworks:pan-os:11.0.6:-:*:*:*:*:*:*", "cpe:2.3:o:paloaltonetworks:pan-os:11.0.5:h1:*:*:*:*:*:*", "cpe:2.3:o:paloaltonetworks:pan-os:11.0.5:-:*:*:*:*:*:*", "cpe:2.3:o:paloaltonetworks:pan-os:11.0.4:h5:*:*:*:*:*:*", "cpe:2.3:o:paloaltonetworks:pan-os:11.0.4:h4:*:*:*:*:*:*", "cpe:2.3:o:paloaltonetworks:pan-os:11.0.4:h3:*:*:*:*:*:*", "cpe:2.3:o:paloaltonetworks:pan-os:11.0.4:h2:*:*:*:*:*:*", "cpe:2.3:o:paloaltonetworks:pan-os:11.0.4:h1:*:*:*:*:*:*", "cpe:2.3:o:paloaltonetworks:pan-os:11.0.4:-:*:*:*:*:*:*", "cpe:2.3:o:paloaltonetworks:pan-os:11.0.3:h12:*:*:*:*:*:*", "cpe:2.3:o:paloaltonetworks:pan-os:11.0.3:h11:*:*:*:*:*:*", "cpe:2.3:o:paloaltonetworks:pan-os:11.0.3:h10:*:*:*:*:*:*", "cpe:2.3:o:paloaltonetworks:pan-os:11.0.3:h9:*:*:*:*:*:*", "cpe:2.3:o:paloaltonetworks:pan-os:11.0.3:h8:*:*:*:*:*:*", "cpe:2.3:o:paloaltonetworks:pan-os:11.0.3:h7:*:*:*:*:*:*", "cpe:2.3:o:paloaltonetworks:pan-os:11.0.3:h6:*:*:*:*:*:*", "cpe:2.3:o:paloaltonetworks:pan-os:11.0.3:h5:*:*:*:*:*:*", "cpe:2.3:o:paloaltonetworks:pan-os:11.0.3:h4:*:*:*:*:*:*", "cpe:2.3:o:paloaltonetworks:pan-os:11.0.3:h3:*:*:*:*:*:*", "cpe:2.3:o:paloaltonetworks:pan-os:11.0.3:h2:*:*:*:*:*:*", "cpe:2.3:o:paloaltonetworks:pan-os:11.0.3:h1:*:*:*:*:*:*", "cpe:2.3:o:paloaltonetworks:pan-os:11.0.3:-:*:*:*:*:*:*", "cpe:2.3:o:paloaltonetworks:pan-os:11.0.2:h4:*:*:*:*:*:*", "cpe:2.3:o:paloaltonetworks:pan-os:11.0.2:h3:*:*:*:*:*:*", "cpe:2.3:o:paloaltonetworks:pan-os:11.0.2:h2:*:*:*:*:*:*", "cpe:2.3:o:paloaltonetworks:pan-os:11.0.2:h1:*:*:*:*:*:*", "cpe:2.3:o:paloaltonetworks:pan-os:11.0.2:-:*:*:*:*:*:*", "cpe:2.3:o:paloaltonetworks:pan-os:11.0.1:h4:*:*:*:*:*:*", "cpe:2.3:o:paloaltonetworks:pan-os:11.0.1:h3:*:*:*:*:*:*", "cpe:2.3:o:paloaltonetworks:pan-os:11.0.1:h2:*:*:*:*:*:*", "cpe:2.3:o:paloaltonetworks:pan-os:11.0.1:h1:*:*:*:*:*:*", "cpe:2.3:o:paloaltonetworks:pan-os:11.0.1:-:*:*:*:*:*:*", "cpe:2.3:o:paloaltonetworks:pan-os:11.0.0:h3:*:*:*:*:*:*", "cpe:2.3:o:paloaltonetworks:pan-os:11.0.0:h2:*:*:*:*:*:*", "cpe:2.3:o:paloaltonetworks:pan-os:11.0.0:h1:*:*:*:*:*:*", "cpe:2.3:o:paloaltonetworks:pan-os:11.0.0:-:*:*:*:*:*:*", "cpe:2.3:o:paloaltonetworks:pan-os:11.0:-:*:*:*:*:*:*", "cpe:2.3:o:paloaltonetworks:pan-os:10.2.12:h1:*:*:*:*:*:*", "cpe:2.3:o:paloaltonetworks:pan-os:10.2.12:-:*:*:*:*:*:*", "cpe:2.3:o:paloaltonetworks:pan-os:10.2.11:h4:*:*:*:*:*:*", "cpe:2.3:o:paloaltonetworks:pan-os:10.2.11:h3:*:*:*:*:*:*", "cpe:2.3:o:paloaltonetworks:pan-os:10.2.11:h2:*:*:*:*:*:*", "cpe:2.3:o:paloaltonetworks:pan-os:10.2.11:h1:*:*:*:*:*:*", "cpe:2.3:o:paloaltonetworks:pan-os:10.2.11:-:*:*:*:*:*:*", "cpe:2.3:o:paloaltonetworks:pan-os:10.2.10:h7:*:*:*:*:*:*", "cpe:2.3:o:paloaltonetworks:pan-os:10.2.10:h6:*:*:*:*:*:*", "cpe:2.3:o:paloaltonetworks:pan-os:10.2.10:h5:*:*:*:*:*:*", "cpe:2.3:o:paloaltonetworks:pan-os:10.2.10:h4:*:*:*:*:*:*", "cpe:2.3:o:paloaltonetworks:pan-os:10.2.10:h3:*:*:*:*:*:*", "cpe:2.3:o:paloaltonetworks:pan-os:10.2.10:h2:*:*:*:*:*:*", "cpe:2.3:o:paloaltonetworks:pan-os:10.2.10:h1:*:*:*:*:*:*", "cpe:2.3:o:paloaltonetworks:pan-os:10.2.10:-:*:*:*:*:*:*", "cpe:2.3:o:paloaltonetworks:pan-os:10.2.9:h14:*:*:*:*:*:*", "cpe:2.3:o:paloaltonetworks:pan-os:10.2.9:h13:*:*:*:*:*:*", "cpe:2.3:o:paloaltonetworks:pan-os:10.2.9:h12:*:*:*:*:*:*", "cpe:2.3:o:paloaltonetworks:pan-os:10.2.9:h11:*:*:*:*:*:*", "cpe:2.3:o:paloaltonetworks:pan-os:10.2.9:h10:*:*:*:*:*:*", "cpe:2.3:o:paloaltonetworks:pan-os:10.2.9:h9:*:*:*:*:*:*", "cpe:2.3:o:paloaltonetworks:pan-os:10.2.9:h8:*:*:*:*:*:*", "cpe:2.3:o:paloaltonetworks:pan-os:10.2.9:h7:*:*:*:*:*:*", "cpe:2.3:o:paloaltonetworks:pan-os:10.2.9:h6:*:*:*:*:*:*", "cpe:2.3:o:paloaltonetworks:pan-os:10.2.9:h5:*:*:*:*:*:*", "cpe:2.3:o:paloaltonetworks:pan-os:10.2.9:h4:*:*:*:*:*:*", "cpe:2.3:o:paloaltonetworks:pan-os:10.2.9:h3:*:*:*:*:*:*", "cpe:2.3:o:paloaltonetworks:pan-os:10.2.9:h2:*:*:*:*:*:*", "cpe:2.3:o:paloaltonetworks:pan-os:10.2.9:h1:*:*:*:*:*:*", "cpe:2.3:o:paloaltonetworks:pan-os:10.2.9:-:*:*:*:*:*:*", "cpe:2.3:o:paloaltonetworks:pan-os:10.2.8:h13:*:*:*:*:*:*", "cpe:2.3:o:paloaltonetworks:pan-os:10.2.8:h12:*:*:*:*:*:*", "cpe:2.3:o:paloaltonetworks:pan-os:10.2.8:h11:*:*:*:*:*:*", "cpe:2.3:o:paloaltonetworks:pan-os:10.2.8:h10:*:*:*:*:*:*", "cpe:2.3:o:paloaltonetworks:pan-os:10.2.8:h9:*:*:*:*:*:*", "cpe:2.3:o:paloaltonetworks:pan-os:10.2.8:h8:*:*:*:*:*:*", "cpe:2.3:o:paloaltonetworks:pan-os:10.2.8:h7:*:*:*:*:*:*", "cpe:2.3:o:paloaltonetworks:pan-os:10.2.8:h6:*:*:*:*:*:*", "cpe:2.3:o:paloaltonetworks:pan-os:10.2.8:h5:*:*:*:*:*:*", "cpe:2.3:o:paloaltonetworks:pan-os:10.2.8:h4:*:*:*:*:*:*", "cpe:2.3:o:paloaltonetworks:pan-os:10.2.8:h3:*:*:*:*:*:*", "cpe:2.3:o:paloaltonetworks:pan-os:10.2.8:h2:*:*:*:*:*:*", "cpe:2.3:o:paloaltonetworks:pan-os:10.2.8:h1:*:*:*:*:*:*", "cpe:2.3:o:paloaltonetworks:pan-os:10.2.8:-:*:*:*:*:*:*", "cpe:2.3:o:paloaltonetworks:pan-os:10.2.7:h16:*:*:*:*:*:*", "cpe:2.3:o:paloaltonetworks:pan-os:10.2.7:h15:*:*:*:*:*:*", "cpe:2.3:o:paloaltonetworks:pan-os:10.2.7:h14:*:*:*:*:*:*", "cpe:2.3:o:paloaltonetworks:pan-os:10.2.7:h13:*:*:*:*:*:*", "cpe:2.3:o:paloaltonetworks:pan-os:10.2.7:h12:*:*:*:*:*:*", "cpe:2.3:o:paloaltonetworks:pan-os:10.2.7:h11:*:*:*:*:*:*", "cpe:2.3:o:paloaltonetworks:pan-os:10.2.7:h10:*:*:*:*:*:*", "cpe:2.3:o:paloaltonetworks:pan-os:10.2.7:h9:*:*:*:*:*:*", "cpe:2.3:o:paloaltonetworks:pan-os:10.2.7:h8:*:*:*:*:*:*", "cpe:2.3:o:paloaltonetworks:pan-os:10.2.7:h7:*:*:*:*:*:*", "cpe:2.3:o:paloaltonetworks:pan-os:10.2.7:h6:*:*:*:*:*:*", "cpe:2.3:o:paloaltonetworks:pan-os:10.2.7:h5:*:*:*:*:*:*", "cpe:2.3:o:paloaltonetworks:pan-os:10.2.7:h4:*:*:*:*:*:*", "cpe:2.3:o:paloaltonetworks:pan-os:10.2.7:h3:*:*:*:*:*:*", "cpe:2.3:o:paloaltonetworks:pan-os:10.2.7:h2:*:*:*:*:*:*", "cpe:2.3:o:paloaltonetworks:pan-os:10.2.7:h1:*:*:*:*:*:*", "cpe:2.3:o:paloaltonetworks:pan-os:10.2.7:-:*:*:*:*:*:*", "cpe:2.3:o:paloaltonetworks:pan-os:10.2.6:h3:*:*:*:*:*:*", "cpe:2.3:o:paloaltonetworks:pan-os:10.2.6:h2:*:*:*:*:*:*", "cpe:2.3:o:paloaltonetworks:pan-os:10.2.6:h1:*:*:*:*:*:*", "cpe:2.3:o:paloaltonetworks:pan-os:10.2.6:-:*:*:*:*:*:*", "cpe:2.3:o:paloaltonetworks:pan-os:10.2.5:h6:*:*:*:*:*:*", "cpe:2.3:o:paloaltonetworks:pan-os:10.2.5:h5:*:*:*:*:*:*", "cpe:2.3:o:paloaltonetworks:pan-os:10.2.5:h4:*:*:*:*:*:*", "cpe:2.3:o:paloaltonetworks:pan-os:10.2.5:h3:*:*:*:*:*:*", "cpe:2.3:o:paloaltonetworks:pan-os:10.2.5:h2:*:*:*:*:*:*", "cpe:2.3:o:paloaltonetworks:pan-os:10.2.5:h1:*:*:*:*:*:*", "cpe:2.3:o:paloaltonetworks:pan-os:10.2.5:-:*:*:*:*:*:*", "cpe:2.3:o:paloaltonetworks:pan-os:10.2.4:h16:*:*:*:*:*:*", "cpe:2.3:o:paloaltonetworks:pan-os:10.2.4:h15:*:*:*:*:*:*", "cpe:2.3:o:paloaltonetworks:pan-os:10.2.4:h14:*:*:*:*:*:*", "cpe:2.3:o:paloaltonetworks:pan-os:10.2.4:h13:*:*:*:*:*:*", "cpe:2.3:o:paloaltonetworks:pan-os:10.2.4:h12:*:*:*:*:*:*", "cpe:2.3:o:paloaltonetworks:pan-os:10.2.4:h11:*:*:*:*:*:*", "cpe:2.3:o:paloaltonetworks:pan-os:10.2.4:h10:*:*:*:*:*:*", "cpe:2.3:o:paloaltonetworks:pan-os:10.2.4:h9:*:*:*:*:*:*", "cpe:2.3:o:paloaltonetworks:pan-os:10.2.4:h8:*:*:*:*:*:*", "cpe:2.3:o:paloaltonetworks:pan-os:10.2.4:h7:*:*:*:*:*:*", "cpe:2.3:o:paloaltonetworks:pan-os:10.2.4:h6:*:*:*:*:*:*", "cpe:2.3:o:paloaltonetworks:pan-os:10.2.4:h5:*:*:*:*:*:*", "cpe:2.3:o:paloaltonetworks:pan-os:10.2.4:h4:*:*:*:*:*:*", "cpe:2.3:o:paloaltonetworks:pan-os:10.2.4:h3:*:*:*:*:*:*", "cpe:2.3:o:paloaltonetworks:pan-os:10.2.4:h2:*:*:*:*:*:*", "cpe:2.3:o:paloaltonetworks:pan-os:10.2.4:h1:*:*:*:*:*:*", "cpe:2.3:o:paloaltonetworks:pan-os:10.2.4:-:*:*:*:*:*:*", "cpe:2.3:o:paloaltonetworks:pan-os:10.2.3:h13:*:*:*:*:*:*", "cpe:2.3:o:paloaltonetworks:pan-os:10.2.3:h12:*:*:*:*:*:*", "cpe:2.3:o:paloaltonetworks:pan-os:10.2.3:h11:*:*:*:*:*:*", "cpe:2.3:o:paloaltonetworks:pan-os:10.2.3:h10:*:*:*:*:*:*", "cpe:2.3:o:paloaltonetworks:pan-os:10.2.3:h9:*:*:*:*:*:*", "cpe:2.3:o:paloaltonetworks:pan-os:10.2.3:h8:*:*:*:*:*:*", "cpe:2.3:o:paloaltonetworks:pan-os:10.2.3:h7:*:*:*:*:*:*", "cpe:2.3:o:paloaltonetworks:pan-os:10.2.3:h6:*:*:*:*:*:*", "cpe:2.3:o:paloaltonetworks:pan-os:10.2.3:h5:*:*:*:*:*:*", "cpe:2.3:o:paloaltonetworks:pan-os:10.2.3:h4:*:*:*:*:*:*", "cpe:2.3:o:paloaltonetworks:pan-os:10.2.3:h3:*:*:*:*:*:*", "cpe:2.3:o:paloaltonetworks:pan-os:10.2.3:h2:*:*:*:*:*:*", "cpe:2.3:o:paloaltonetworks:pan-os:10.2.3:h1:*:*:*:*:*:*", "cpe:2.3:o:paloaltonetworks:pan-os:10.2.3:-:*:*:*:*:*:*", "cpe:2.3:o:paloaltonetworks:pan-os:10.2.2:h5:*:*:*:*:*:*", "cpe:2.3:o:paloaltonetworks:pan-os:10.2.2:h4:*:*:*:*:*:*", "cpe:2.3:o:paloaltonetworks:pan-os:10.2.2:h3:*:*:*:*:*:*", "cpe:2.3:o:paloaltonetworks:pan-os:10.2.2:h2:*:*:*:*:*:*", "cpe:2.3:o:paloaltonetworks:pan-os:10.2.2:h1:*:*:*:*:*:*", "cpe:2.3:o:paloaltonetworks:pan-os:10.2.2:-:*:*:*:*:*:*", "cpe:2.3:o:paloaltonetworks:pan-os:10.2.1:h2:*:*:*:*:*:*", "cpe:2.3:o:paloaltonetworks:pan-os:10.2.1:h1:*:*:*:*:*:*", "cpe:2.3:o:paloaltonetworks:pan-os:10.2.1:-:*:*:*:*:*:*", "cpe:2.3:o:paloaltonetworks:pan-os:10.2.0:h3:*:*:*:*:*:*", "cpe:2.3:o:paloaltonetworks:pan-os:10.2.0:h2:*:*:*:*:*:*", "cpe:2.3:o:paloaltonetworks:pan-os:10.2.0:h1:*:*:*:*:*:*", "cpe:2.3:o:paloaltonetworks:pan-os:10.2.0:-:*:*:*:*:*:*", "cpe:2.3:o:paloaltonetworks:pan-os:10.2:-:*:*:*:*:*:*", ], defaultStatus: "unaffected", product: "PAN-OS", vendor: "Palo Alto Networks", versions: [ { changes: [ { at: "11.2.4-h1", status: "unaffected", }, ], lessThan: "11.2.4-h1", status: "affected", version: "11.2.0", versionType: "custom", }, { changes: [ { at: "11.1.5-h1", status: "unaffected", }, ], lessThan: "11.1.5-h1", status: "affected", version: "11.1.0", versionType: "custom", }, { changes: [ { at: "11.0.6-h1", status: "unaffected", }, ], lessThan: "11.0.6-h1", status: "affected", version: "11.0.0", versionType: "custom", }, { changes: [ { at: "10.2.12-h2", status: "unaffected", }, ], lessThan: "10.2.12-h2", status: "affected", version: "10.2.0", versionType: "custom", }, { status: "unaffected", version: "10.1.0", }, ], }, { defaultStatus: "unaffected", product: "Prisma Access", vendor: "Palo Alto Networks", versions: [ { status: "unaffected", version: "All", }, ], }, ], configurations: [ { lang: "en", supportingMedia: [ { base64: false, type: "text/html", value: "<p><span>The risk is greatest if you configure the management interface to enable access from the internet or any untrusted network either:</span></p><ol><li><span>Directly<br /></span>or</li><li>Through a dataplane interface that includes a management interface profile.</li></ol><p><span>The risk is greatly reduced if you make sure that only trusted internal IP addresses are allowed to access the management interface.</span></p><p><span>Use the following steps to identify your recently detected devices in our Internet scans:</span></p><ol><li><span>To find your known assets that require remediation action, visit the Assets section of Customer Support Portal at </span><a target=\"_blank\" href=\"https://support.paloaltonetworks.com/\"><span>https://support.paloaltonetworks.com</span></a> <span>(Products → Assets → All Assets → Remediation Required).</span></li><li>The list of your known devices with an internet-facing management interface discovered in our scans are tagged with PAN-SA-2024-0015 with a last seen timestamp in UTC. If no such devices are listed, it indicates our scan did not find any devices with internet-facing management interface for your account in the last three days.</li></ol>", }, ], value: "The risk is greatest if you configure the management interface to enable access from the internet or any untrusted network either:\n\n * Directly\nor\n * Through a dataplane interface that includes a management interface profile.\nThe risk is greatly reduced if you make sure that only trusted internal IP addresses are allowed to access the management interface.\n\nUse the following steps to identify your recently detected devices in our Internet scans:\n\n * To find your known assets that require remediation action, visit the Assets section of Customer Support Portal at https://support.paloaltonetworks.com https://support.paloaltonetworks.com/ (Products → Assets → All Assets → Remediation Required).\n * The list of your known devices with an internet-facing management interface discovered in our scans are tagged with PAN-SA-2024-0015 with a last seen timestamp in UTC. If no such devices are listed, it indicates our scan did not find any devices with internet-facing management interface for your account in the last three days.", }, ], credits: [ { lang: "en", type: "finder", value: "Palo Alto Networks thanks our Deep Product Security Research Team for discovering this issue internally from threat activity.", }, ], datePublic: "2024-11-18T14:20:00.000Z", descriptions: [ { lang: "en", supportingMedia: [ { base64: false, type: "text/html", value: "<p>An authentication bypass in Palo Alto Networks PAN-OS software enables an unauthenticated attacker with network access to the management web interface to gain PAN-OS administrator privileges to perform administrative actions, tamper with the configuration, or exploit other authenticated privilege escalation vulnerabilities like <a target=\"_blank\" rel=\"nofollow\" href=\"https://security.paloaltonetworks.com/CVE-2024-9474\">CVE-2024-9474</a>.</p><p>The risk of this issue is greatly reduced if you secure access to the management web interface by restricting access to only trusted internal IP addresses according to our recommended <a target=\"_blank\" rel=\"nofollow\" href=\"https://live.paloaltonetworks.com/t5/community-blogs/tips-amp-tricks-how-to-secure-the-management-access-of-your-palo/ba-p/464431\">best practice deployment guidelines</a>.</p><p>This issue is applicable only to PAN-OS 10.2, PAN-OS 11.0, PAN-OS 11.1, and PAN-OS 11.2 software.</p><p>Cloud NGFW and Prisma Access are not impacted by this vulnerability.</p>", }, ], value: "An authentication bypass in Palo Alto Networks PAN-OS software enables an unauthenticated attacker with network access to the management web interface to gain PAN-OS administrator privileges to perform administrative actions, tamper with the configuration, or exploit other authenticated privilege escalation vulnerabilities like CVE-2024-9474 https://security.paloaltonetworks.com/CVE-2024-9474 .\n\nThe risk of this issue is greatly reduced if you secure access to the management web interface by restricting access to only trusted internal IP addresses according to our recommended best practice deployment guidelines https://live.paloaltonetworks.com/t5/community-blogs/tips-amp-tricks-how-to-secure-the-management-access-of-your-palo/ba-p/464431 .\n\nThis issue is applicable only to PAN-OS 10.2, PAN-OS 11.0, PAN-OS 11.1, and PAN-OS 11.2 software.\n\nCloud NGFW and Prisma Access are not impacted by this vulnerability.", }, ], exploits: [ { lang: "en", supportingMedia: [ { base64: false, type: "text/html", value: "<span>Palo Alto Networks observed threat activity that exploits this vulnerability against a limited number of management web interfaces that are exposed to internet traffic coming from outside the network.</span><br />", }, ], value: "Palo Alto Networks observed threat activity that exploits this vulnerability against a limited number of management web interfaces that are exposed to internet traffic coming from outside the network.", }, ], impacts: [ { capecId: "CAPEC-115", descriptions: [ { lang: "en", value: "CAPEC-115 Authentication Bypass", }, ], }, ], metrics: [ { cvssV4_0: { Automatable: "NO", Recovery: "USER", Safety: "NOT_DEFINED", attackComplexity: "LOW", attackRequirements: "NONE", attackVector: "NETWORK", baseScore: 9.3, baseSeverity: "CRITICAL", privilegesRequired: "NONE", providerUrgency: "RED", subAvailabilityImpact: "NONE", subConfidentialityImpact: "LOW", subIntegrityImpact: "NONE", userInteraction: "NONE", valueDensity: "CONCENTRATED", vectorString: "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:L/SI:N/SA:N/AU:N/R:U/V:C/RE:H/U:Red", version: "4.0", vulnAvailabilityImpact: "HIGH", vulnConfidentialityImpact: "HIGH", vulnIntegrityImpact: "HIGH", vulnerabilityResponseEffort: "HIGH", }, format: "CVSS", scenarios: [ { lang: "en", value: "The risk is highest when you allow access to the management interface from external IP addresses on the internet.", }, ], }, { cvssV4_0: { Automatable: "NO", Recovery: "USER", Safety: "NOT_DEFINED", attackComplexity: "LOW", attackRequirements: "PRESENT", attackVector: "NETWORK", baseScore: 5.9, baseSeverity: "MEDIUM", privilegesRequired: "HIGH", providerUrgency: "RED", subAvailabilityImpact: "NONE", subConfidentialityImpact: "NONE", subIntegrityImpact: "NONE", userInteraction: "NONE", valueDensity: "CONCENTRATED", vectorString: "CVSS:4.0/AV:N/AC:L/AT:P/PR:H/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N/AU:N/R:U/V:C/RE:H/U:Red", version: "4.0", vulnAvailabilityImpact: "NONE", vulnConfidentialityImpact: "NONE", vulnIntegrityImpact: "HIGH", vulnerabilityResponseEffort: "HIGH", }, format: "CVSS", scenarios: [ { lang: "en", value: "If you configure restricted access to a jump box that is the only system allowed to access the management interface, you greatly reduce the risk of exploitation because attacks would require privileged access using only those IP addresses.", }, ], }, ], problemTypes: [ { descriptions: [ { cweId: "CWE-306", description: "CWE-306 Missing Authentication for Critical Function", lang: "en", type: "CWE", }, ], }, ], providerMetadata: { dateUpdated: "2024-11-18T15:47:41.407Z", orgId: "d6c1279f-00f6-4ef7-9217-f89ffe703ec0", shortName: "palo_alto", }, references: [ { tags: [ "vendor-advisory", ], url: "https://security.paloaltonetworks.com/CVE-2024-0012", }, ], solutions: [ { lang: "eng", supportingMedia: [ { base64: false, type: "text/html", value: "<p>We strongly recommend that you secure access to your management interface following the instructions in the workarounds section below.</p><p><span>This issue is fixed in PAN-OS 10.2.12-h2, PAN-OS 11.0.6-h1, PAN-OS 11.1.5-h1, PAN-OS 11.2.4-h1, and all later PAN-OS versions.</span></p><p><span>In addition, in an attempt to provide the most seamless upgrade path for our customers, we are making fixes available for other TAC-preferred and commonly deployed maintenance releases.</span></p><div><div><ul><li>Additional PAN-OS 11.2 fixes:<ul><li>11.2.0-h1</li><li>11.2.1-h1</li><li>11.2.2-h2</li><li>11.2.3-h3</li><li>11.2.4-h1</li></ul></li><li>Additional PAN-OS 11.1 fixes:<ul><li>11.1.0-h4</li><li>11.1.1-h2</li><li>11.1.2-h15</li><li>11.1.3-h11</li><li>11.1.4-h7</li><li>11.1.5-h1</li></ul></li><li>Additional PAN-OS 11.0 fixes:<ul><li>11.0.0-h4</li><li>11.0.1-h5</li><li>11.0.2-h5</li><li>11.0.3-h13</li><li>11.0.4-h6</li><li>11.0.5-h2</li><li>11.0.6-h1</li></ul></li><li>Additional PAN-OS 10.2 fixes:<ul><li>10.2.0-h4</li><li>10.2.1-h3</li><li>10.2.2-h6</li><li>10.2.3-h14</li><li>10.2.4-h32</li><li>10.2.5-h9</li><li>10.2.6-h6</li><li>10.2.7-h18</li><li>10.2.8-h15</li><li>10.2.9-h16</li><li>10.2.10-h9</li><li>10.2.11-h6</li><li>10.2.12-h2</li></ul></li></ul></div></div>", }, ], value: "We strongly recommend that you secure access to your management interface following the instructions in the workarounds section below.\n\nThis issue is fixed in PAN-OS 10.2.12-h2, PAN-OS 11.0.6-h1, PAN-OS 11.1.5-h1, PAN-OS 11.2.4-h1, and all later PAN-OS versions.\n\nIn addition, in an attempt to provide the most seamless upgrade path for our customers, we are making fixes available for other TAC-preferred and commonly deployed maintenance releases.\n\n * Additional PAN-OS 11.2 fixes: * 11.2.0-h1\n * 11.2.1-h1\n * 11.2.2-h2\n * 11.2.3-h3\n * 11.2.4-h1\n\n\n\n * Additional PAN-OS 11.1 fixes: * 11.1.0-h4\n * 11.1.1-h2\n * 11.1.2-h15\n * 11.1.3-h11\n * 11.1.4-h7\n * 11.1.5-h1\n\n\n\n * Additional PAN-OS 11.0 fixes: * 11.0.0-h4\n * 11.0.1-h5\n * 11.0.2-h5\n * 11.0.3-h13\n * 11.0.4-h6\n * 11.0.5-h2\n * 11.0.6-h1\n\n\n\n * Additional PAN-OS 10.2 fixes: * 10.2.0-h4\n * 10.2.1-h3\n * 10.2.2-h6\n * 10.2.3-h14\n * 10.2.4-h32\n * 10.2.5-h9\n * 10.2.6-h6\n * 10.2.7-h18\n * 10.2.8-h15\n * 10.2.9-h16\n * 10.2.10-h9\n * 10.2.11-h6\n * 10.2.12-h2", }, ], source: { advisory: "PAN-SA-2024-0015", discovery: "EXTERNAL", }, timeline: [ { lang: "en", time: "2024-11-18T14:20:00.000Z", value: "CVE-2024-0012 assigned to this publication as the vulnerability is identified and fixed", }, { lang: "en", time: "2024-11-15T22:00:00.000Z", value: "Answered a FAQ about indicators of compromise", }, { lang: "en", time: "2024-11-14T22:18:00.000Z", value: "Raised the severity of PAN-SA-2024-0015 bulletin as we have observed threat activity", }, { lang: "en", time: "2024-11-11T01:03:00.000Z", value: "Added instructions to find your devices with an internet-facing management interface discovered in our scans", }, { lang: "en", time: "2024-11-08T13:00:00.000Z", value: "Initially published as PAN-SA-2024-0015", }, ], title: "PAN-OS: Authentication Bypass in the Management Web Interface (PAN-SA-2024-0015)", workarounds: [ { lang: "en", supportingMedia: [ { base64: false, type: "text/html", value: "<p><span>Recommended mitigation—The vast majority of firewalls already follow Palo Alto Networks and industry best practices. However, if you haven’t already, we strongly recommend that you secure access to your management interface according to our best practice deployment guidelines. Specifically, you should restrict access to the management interface to only trusted internal IP addresses to prevent external access from the internet.</span></p><p><span>Additionally, if you have a Threat Prevention subscription, you can block these attacks using Threat IDs 95746, 95747, 95752, 95753, 95759, and 95763 (available in Applications and Threats content version 8915-9075 and later). For these Threat IDs to protect against attacks for this vulnerability,</span></p><span><ul><li><span>Ensure that all the listed Threat IDs are set to block mode,</span></li><li><a target=\"_blank\" href=\"https://docs.paloaltonetworks.com/best-practices/10-1/administrative-access-best-practices/administrative-access-best-practices/deploy-administrative-access-best-practices#id59206398-3dab-4b2f-9b4b-7ea500d036ba\"><span>Route incoming traffic for the MGT port through a DP port</span></a><span>, e.g., enabling management profile on a DP interface for management access,</span></li><li><a target=\"_blank\" href=\"https://docs.paloaltonetworks.com/best-practices/10-1/administrative-access-best-practices/administrative-access-best-practices/deploy-administrative-access-best-practices#id112f7714-8995-4496-bbf9-781e63dec71c\"><span>Replace the Certificate for Inbound Traffic Management</span></a><span>,</span></li><li><a target=\"_blank\" href=\"https://docs.paloaltonetworks.com/best-practices/10-1/administrative-access-best-practices/administrative-access-best-practices/deploy-administrative-access-best-practices#idbbd82587-17a2-42b4-9245-d3714e1e13a2\"><span>Decrypt inbound traffic to the management interface so the firewall can inspect it</span></a><span>, and</span></li><li>Enable threat prevention on the inbound traffic to management services.</li></ul></span><span>Review information about how to secure management access to your Palo Alto Networks firewalls:<br /><ul><li><span>Palo Alto Networks LIVEcommunity article: </span><a target=\"_blank\" href=\"https://live.paloaltonetworks.com/t5/community-blogs/tips-amp-tricks-how-to-secure-the-management-access-of-your-palo/ba-p/464431\"><span>https://live.paloaltonetworks.com/t5/community-blogs/tips-amp-tricks-how-to-secure-the-management-access-of-your-palo/ba-p/464431</span></a></li><li>Palo Alto Networks official and more detailed technical documentation: <a target=\"_blank\" href=\"https://docs.paloaltonetworks.com/best-practices/10-1/administrative-access-best-practices/administrative-access-best-practices/deploy-administrative-access-best-practices\"><span>https://docs.paloaltonetworks.com/best-practices/10-1/administrative-access-best-practices/administrative-access-best-practices/deploy-administrative-access-best-practices</span></a></li></ul></span>", }, ], value: "Recommended mitigation—The vast majority of firewalls already follow Palo Alto Networks and industry best practices. However, if you haven’t already, we strongly recommend that you secure access to your management interface according to our best practice deployment guidelines. Specifically, you should restrict access to the management interface to only trusted internal IP addresses to prevent external access from the internet.\n\nAdditionally, if you have a Threat Prevention subscription, you can block these attacks using Threat IDs 95746, 95747, 95752, 95753, 95759, and 95763 (available in Applications and Threats content version 8915-9075 and later). For these Threat IDs to protect against attacks for this vulnerability,\n\n * Ensure that all the listed Threat IDs are set to block mode,\n * Route incoming traffic for the MGT port through a DP port https://docs.paloaltonetworks.com/best-practices/10-1/administrative-access-best-practices/administrative-access-best-practices/deploy-administrative-access-best-practices#id59206398-3dab-4b2f-9b4b-7ea500d036ba , e.g., enabling management profile on a DP interface for management access,\n * Replace the Certificate for Inbound Traffic Management https://docs.paloaltonetworks.com/best-practices/10-1/administrative-access-best-practices/administrative-access-best-practices/deploy-administrative-access-best-practices#id112f7714-8995-4496-bbf9-781e63dec71c ,\n * Decrypt inbound traffic to the management interface so the firewall can inspect it https://docs.paloaltonetworks.com/best-practices/10-1/administrative-access-best-practices/administrative-access-best-practices/deploy-administrative-access-best-practices#idbbd82587-17a2-42b4-9245-d3714e1e13a2 , and\n * Enable threat prevention on the inbound traffic to management services.\n\n\nReview information about how to secure management access to your Palo Alto Networks firewalls:\n * Palo Alto Networks LIVEcommunity article: https://live.paloaltonetworks.com/t5/community-blogs/tips-amp-tricks-how-to-secure-the-management-access-of-your-palo/ba-p/464431 https://live.paloaltonetworks.com/t5/community-blogs/tips-amp-tricks-how-to-secure-the-management-access-of-your-palo/ba-p/464431 \n * Palo Alto Networks official and more detailed technical documentation: https://docs.paloaltonetworks.com/best-practices/10-1/administrative-access-best-practices/administrative-access-best-practices/deploy-administrative-access-best-practices https://docs.paloaltonetworks.com/best-practices/10-1/administrative-access-best-practices/administrative-access-best-practices/deploy-administrative-access-best-practices", }, ], }, }, cveMetadata: { assignerOrgId: "d6c1279f-00f6-4ef7-9217-f89ffe703ec0", assignerShortName: "palo_alto", cveId: "CVE-2024-0012", datePublished: "2024-11-18T15:47:41.407Z", dateReserved: "2023-11-09T18:56:17.699Z", dateUpdated: "2024-11-29T16:08:34.490Z", state: "PUBLISHED", }, dataType: "CVE_RECORD", dataVersion: "5.1", }
cve-2024-9474
Vulnerability from cvelistv5
Published
2024-11-18 15:48
Modified
2024-11-29 16:10
Severity ?
EPSS score ?
Summary
A privilege escalation vulnerability in Palo Alto Networks PAN-OS software allows a PAN-OS administrator with access to the management web interface to perform actions on the firewall with root privileges.
Cloud NGFW and Prisma Access are not impacted by this vulnerability.
References
| ▼ | URL | Tags |
|---|---|---|
| https://security.paloaltonetworks.com/CVE-2024-9474 | vendor-advisory |
Impacted products
| Vendor | Product | Version | ||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| ▼ | Palo Alto Networks | Cloud NGFW | ||||||||||||
|
||||||||||||||
{ containers: { adp: [ { affected: [ { cpes: [ "cpe:2.3:o:paloaltonetworks:pan-os:-:*:*:*:*:*:*:*", ], defaultStatus: "unknown", product: "pan-os", vendor: "paloaltonetworks", versions: [ { lessThan: "11.2.4-h1", status: "affected", version: "11.2.0", versionType: "custom", }, { lessThan: "11.1.5-h1", status: "affected", version: "11.1.0", versionType: "custom", }, { lessThan: "11.0.6-h1", status: "affected", version: "11.0.0", versionType: "custom", }, { lessThan: "10.2.12-h2", status: "affected", version: "10.2.0", versionType: "custom", }, { lessThan: "10.1.14-h6", status: "affected", version: "10.1.0", versionType: "custom", }, ], }, ], metrics: [ { other: { content: { id: "CVE-2024-9474", options: [ { Exploitation: "active", }, { Automatable: "no", }, { "Technical Impact": "total", }, ], role: "CISA Coordinator", timestamp: "2024-11-19T04:55:45.920877Z", version: "2.0.3", }, type: "ssvc", }, }, { other: { content: { dateAdded: "2024-11-18", reference: "https://www.cisa.gov/known-exploited-vulnerabilities-catalog?search_api_fulltext=CVE-2024-9474", }, type: "kev", }, }, ], providerMetadata: { dateUpdated: "2024-11-29T16:10:39.124Z", orgId: "134c704f-9b21-4f2e-91b3-4a467353bcc0", shortName: "CISA-ADP", }, references: [ { url: "https://labs.watchtowr.com/pots-and-pans-aka-an-sslvpn-palo-alto-pan-os-cve-2024-0012-and-cve-2024-9474/", }, { tags: [ "exploit", ], url: "https://github.com/k4nfr3/CVE-2024-9474", }, ], title: "CISA ADP Vulnrichment", }, { providerMetadata: { dateUpdated: "2024-11-24T14:45:36.690Z", orgId: "af854a3a-2127-422b-91ae-364da2661108", shortName: "CVE", }, references: [ { url: "https://unit42.paloaltonetworks.com/cve-2024-0012-cve-2024-9474/", }, ], title: "CVE Program Container", x_generator: { engine: "ADPogram 0.0.1", }, }, ], cna: { affected: [ { defaultStatus: "unaffected", product: "Cloud NGFW", vendor: "Palo Alto Networks", versions: [ { status: "unaffected", version: "All", }, ], }, { defaultStatus: "unaffected", product: "PAN-OS", vendor: "Palo Alto Networks", versions: [ { changes: [ { at: "11.2.4-h1", status: "unaffected", }, ], lessThan: "11.2.4-h1", status: "affected", version: "11.2.0", versionType: "custom", }, { changes: [ { at: "11.1.5-h1", status: "unaffected", }, ], lessThan: "11.1.5-h1", status: "affected", version: "11.1.0", versionType: "custom", }, { changes: [ { at: "11.0.6-h1", status: "unaffected", }, ], lessThan: "11.0.6-h1", status: "affected", version: "11.0.0", versionType: "custom", }, { changes: [ { at: "10.2.12-h2", status: "unaffected", }, ], lessThan: "10.2.12-h2", status: "affected", version: "10.2.0", versionType: "custom", }, { changes: [ { at: "10.1.14-h6", status: "unaffected", }, ], lessThan: "10.1.14-h6", status: "affected", version: "10.1.0", versionType: "custom", }, ], }, { defaultStatus: "unaffected", product: "Prisma Access", vendor: "Palo Alto Networks", versions: [ { status: "unaffected", version: "All", }, ], }, ], configurations: [ { lang: "en", supportingMedia: [ { base64: false, type: "text/html", value: "<p>The risk is greatest if you configure the management interface to enable access from the internet or any untrusted network either:</p><ol><li>Directly<br />or</li><li>Through a dataplane interface that includes a management interface profile.</li></ol><p>The risk is greatly reduced if you make sure that only trusted internal IP addresses are allowed to access the management interface.</p><p>Use the following steps to identify your recently detected devices in our Internet scans:</p><ol><li>To find your known assets that require remediation action, visit the Assets section of Customer Support Portal at <a target=\"_blank\" href=\"https://support.paloaltonetworks.com/\">https://support.paloaltonetworks.com</a> (Products → Assets → All Assets → Remediation Required).</li><li>The list of your known devices with an internet-facing management interface discovered in our scans are tagged with PAN-SA-2024-0015 with a last seen timestamp in UTC. If no such devices are listed, it indicates our scan did not find any devices with internet-facing management interface for your account in the last three days.</li></ol>", }, ], value: "The risk is greatest if you configure the management interface to enable access from the internet or any untrusted network either:\n\n * Directly\nor\n * Through a dataplane interface that includes a management interface profile.\nThe risk is greatly reduced if you make sure that only trusted internal IP addresses are allowed to access the management interface.\n\nUse the following steps to identify your recently detected devices in our Internet scans:\n\n * To find your known assets that require remediation action, visit the Assets section of Customer Support Portal at https://support.paloaltonetworks.com https://support.paloaltonetworks.com/ (Products → Assets → All Assets → Remediation Required).\n * The list of your known devices with an internet-facing management interface discovered in our scans are tagged with PAN-SA-2024-0015 with a last seen timestamp in UTC. If no such devices are listed, it indicates our scan did not find any devices with internet-facing management interface for your account in the last three days.", }, ], credits: [ { lang: "en", type: "finder", value: "Palo Alto Networks thanks our Deep Product Security Research Team for discovering this issue internally from threat activity.", }, ], datePublic: "2024-11-18T14:20:00.000Z", descriptions: [ { lang: "en", supportingMedia: [ { base64: false, type: "text/html", value: "<p>A privilege escalation vulnerability in Palo Alto Networks PAN-OS software allows a PAN-OS administrator with access to the management web interface to perform actions on the firewall with root privileges.</p><p>Cloud NGFW and Prisma Access are not impacted by this vulnerability.</p>", }, ], value: "A privilege escalation vulnerability in Palo Alto Networks PAN-OS software allows a PAN-OS administrator with access to the management web interface to perform actions on the firewall with root privileges.\n\nCloud NGFW and Prisma Access are not impacted by this vulnerability.", }, ], exploits: [ { lang: "en", supportingMedia: [ { base64: false, type: "text/html", value: "<span>Palo Alto Networks observed threat activity that exploits this vulnerability against a limited number of management web interfaces that are exposed to internet traffic coming from outside the network.</span><br />", }, ], value: "Palo Alto Networks observed threat activity that exploits this vulnerability against a limited number of management web interfaces that are exposed to internet traffic coming from outside the network.", }, ], impacts: [ { capecId: "CAPEC-88", descriptions: [ { lang: "en", value: "CAPEC-88 OS Command Injection", }, ], }, ], metrics: [ { cvssV4_0: { Automatable: "NO", Recovery: "USER", Safety: "NOT_DEFINED", attackComplexity: "LOW", attackRequirements: "NONE", attackVector: "NETWORK", baseScore: 6.9, baseSeverity: "MEDIUM", privilegesRequired: "HIGH", providerUrgency: "RED", subAvailabilityImpact: "NONE", subConfidentialityImpact: "NONE", subIntegrityImpact: "NONE", userInteraction: "NONE", valueDensity: "CONCENTRATED", vectorString: "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N/AU:N/R:U/V:C/RE:H/U:Red", version: "4.0", vulnAvailabilityImpact: "NONE", vulnConfidentialityImpact: "NONE", vulnIntegrityImpact: "HIGH", vulnerabilityResponseEffort: "HIGH", }, format: "CVSS", scenarios: [ { lang: "en", value: "The risk is highest when you allow access to the management interface from external IP addresses on the internet. The worst impact is that a malicious administrator is able to tamper with the system integrity.", }, ], }, { cvssV4_0: { Automatable: "NO", Recovery: "USER", Safety: "NOT_DEFINED", attackComplexity: "LOW", attackRequirements: "PRESENT", attackVector: "NETWORK", baseScore: 5.9, baseSeverity: "MEDIUM", privilegesRequired: "HIGH", providerUrgency: "RED", subAvailabilityImpact: "NONE", subConfidentialityImpact: "NONE", subIntegrityImpact: "NONE", userInteraction: "NONE", valueDensity: "CONCENTRATED", vectorString: "CVSS:4.0/AV:N/AC:L/AT:P/PR:H/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N/AU:N/R:U/V:C/RE:H/U:Red", version: "4.0", vulnAvailabilityImpact: "NONE", vulnConfidentialityImpact: "NONE", vulnIntegrityImpact: "HIGH", vulnerabilityResponseEffort: "HIGH", }, format: "CVSS", scenarios: [ { lang: "en", value: "If you configure a specific list of IP addresses that only allow access to the management interface, you greatly reduce the risk of exploitation because attacks would require privileged access using only those IP addresses.", }, ], }, ], problemTypes: [ { descriptions: [ { cweId: "CWE-78", description: "CWE-78 Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')", lang: "en", type: "CWE", }, ], }, ], providerMetadata: { dateUpdated: "2024-11-18T15:48:23.405Z", orgId: "d6c1279f-00f6-4ef7-9217-f89ffe703ec0", shortName: "palo_alto", }, references: [ { tags: [ "vendor-advisory", ], url: "https://security.paloaltonetworks.com/CVE-2024-9474", }, ], solutions: [ { lang: "eng", supportingMedia: [ { base64: false, type: "text/html", value: "<p>This issue is fixed in PAN-OS 10.1.14-h6, PAN-OS 10.2.12-h2, PAN-OS 11.0.6-h1, PAN-OS 11.1.5-h1, PAN-OS 11.2.4-h1, and all later PAN-OS versions.</p><p>In addition, in an attempt to provide the most seamless upgrade path for our customers, we are making fixes available for other TAC-preferred and commonly deployed maintenance releases.</p><div><ul><li>Additional PAN-OS 11.2 fixes:<ul><li>11.2.0-h1</li><li>11.2.1-h1</li><li>11.2.2-h2</li><li>11.2.3-h3</li><li>11.2.4-h1</li></ul></li><li>Additional PAN-OS 11.1 fixes:<ul><li>11.1.0-h4</li><li>11.1.1-h2</li><li>11.1.2-h15</li><li>11.1.3-h11</li><li>11.1.4-h7</li><li>11.1.5-h1</li></ul></li><li>Additional PAN-OS 11.0 fixes:<ul><li>11.0.0-h4</li><li>11.0.1-h5</li><li>11.0.2-h5</li><li>11.0.3-h13</li><li>11.0.4-h6</li><li>11.0.5-h2</li><li>11.0.6-h1</li></ul></li><li>Additional PAN-OS 10.2 fixes:<ul><li>10.2.0-h4</li><li>10.2.1-h3</li><li>10.2.2-h6</li><li>10.2.3-h14</li><li>10.2.4-h32</li><li>10.2.5-h9</li><li>10.2.6-h6</li><li>10.2.7-h18</li><li>10.2.8-h15</li><li>10.2.9-h16</li><li>10.2.10-h9</li><li>10.2.11-h6</li><li>10.2.12-h2</li></ul></li><li>Additional PAN-OS 10.1 fixes:<ul><li>10.1.9-h14</li><li>10.1.10-h9</li><li>10.1.11-h10</li><li>10.1.12-h3</li><li>10.1.13-h5</li><li>10.1.14-h6</li></ul></li></ul></div>", }, ], value: "This issue is fixed in PAN-OS 10.1.14-h6, PAN-OS 10.2.12-h2, PAN-OS 11.0.6-h1, PAN-OS 11.1.5-h1, PAN-OS 11.2.4-h1, and all later PAN-OS versions.\n\nIn addition, in an attempt to provide the most seamless upgrade path for our customers, we are making fixes available for other TAC-preferred and commonly deployed maintenance releases.\n\n * Additional PAN-OS 11.2 fixes: * 11.2.0-h1\n * 11.2.1-h1\n * 11.2.2-h2\n * 11.2.3-h3\n * 11.2.4-h1\n\n\n\n * Additional PAN-OS 11.1 fixes: * 11.1.0-h4\n * 11.1.1-h2\n * 11.1.2-h15\n * 11.1.3-h11\n * 11.1.4-h7\n * 11.1.5-h1\n\n\n\n * Additional PAN-OS 11.0 fixes: * 11.0.0-h4\n * 11.0.1-h5\n * 11.0.2-h5\n * 11.0.3-h13\n * 11.0.4-h6\n * 11.0.5-h2\n * 11.0.6-h1\n\n\n\n * Additional PAN-OS 10.2 fixes: * 10.2.0-h4\n * 10.2.1-h3\n * 10.2.2-h6\n * 10.2.3-h14\n * 10.2.4-h32\n * 10.2.5-h9\n * 10.2.6-h6\n * 10.2.7-h18\n * 10.2.8-h15\n * 10.2.9-h16\n * 10.2.10-h9\n * 10.2.11-h6\n * 10.2.12-h2\n\n\n\n * Additional PAN-OS 10.1 fixes: * 10.1.9-h14\n * 10.1.10-h9\n * 10.1.11-h10\n * 10.1.12-h3\n * 10.1.13-h5\n * 10.1.14-h6", }, ], source: { discovery: "EXTERNAL", }, timeline: [ { lang: "en", time: "2024-11-18T14:00:00.000Z", value: "Initial publication", }, ], title: "PAN-OS: Privilege Escalation (PE) Vulnerability in the Web Management Interface", workarounds: [ { lang: "en", supportingMedia: [ { base64: false, type: "text/html", value: "<span>Recommended mitigation—The vast majority of firewalls already follow Palo Alto Networks and industry best practices. However, if you haven’t already, we strongly recommend that you secure access to your management interface according to our best practice deployment guidelines. Specifically, you should restrict access to the management interface to only trusted internal IP addresses to prevent external access from the internet.</span><br /><p><span>Review information about how to secure management access to your Palo Alto Networks firewalls:</span></p><span><ul><li><span>Palo Alto Networks LIVEcommunity article: </span><a target=\"_blank\" href=\"https://live.paloaltonetworks.com/t5/community-blogs/tips-amp-tricks-how-to-secure-the-management-access-of-your-palo/ba-p/464431\"><span>https://live.paloaltonetworks.com/t5/community-blogs/tips-amp-tricks-how-to-secure-the-management-access-of-your-palo/ba-p/464431</span></a></li><li>Palo Alto Networks official and more detailed technical documentation: <a target=\"_blank\" href=\"https://docs.paloaltonetworks.com/best-practices/10-1/administrative-access-best-practices/administrative-access-best-practices/deploy-administrative-access-best-practices\">https://docs.paloaltonetworks.com/best-practices/10-1/administrative-access-best-practices/administrative-access-best-practices/deploy-administrative-access-best-practices</a></li></ul></span>", }, ], value: "Recommended mitigation—The vast majority of firewalls already follow Palo Alto Networks and industry best practices. However, if you haven’t already, we strongly recommend that you secure access to your management interface according to our best practice deployment guidelines. Specifically, you should restrict access to the management interface to only trusted internal IP addresses to prevent external access from the internet.\nReview information about how to secure management access to your Palo Alto Networks firewalls:\n\n * Palo Alto Networks LIVEcommunity article: https://docs.paloaltonetworks.com/best-practices/10-1/administrative-access-best-practices/administrative-access-best-practices/deploy-administrative-access-best-practices", }, ], }, }, cveMetadata: { assignerOrgId: "d6c1279f-00f6-4ef7-9217-f89ffe703ec0", assignerShortName: "palo_alto", cveId: "CVE-2024-9474", datePublished: "2024-11-18T15:48:23.405Z", dateReserved: "2024-10-03T11:35:20.568Z", dateUpdated: "2024-11-29T16:10:39.124Z", state: "PUBLISHED", }, dataType: "CVE_RECORD", dataVersion: "5.1", }
Log in or create an account to share your comment.
Security Advisory comment format.
This schema specifies the format of a comment related to a security advisory.
UUIDv4 of the comment
UUIDv4 of the Vulnerability-Lookup instance
When the comment was created originally
When the comment was last updated
Title of the comment
Description of the comment
The identifier of the vulnerability (CVE ID, GHSA-ID, PYSEC ID, etc.).
Loading…
Loading…
Loading…
Sightings
| Author | Source | Type | Date |
|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
- Confirmed: The vulnerability is confirmed from an analyst perspective.
- Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
- Patched: This vulnerability was successfully patched by the user reporting the sighting.
- Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
- Not confirmed: The user expresses doubt about the veracity of the vulnerability.
- Not patched: This vulnerability was not successfully patched by the user reporting the sighting.