How to find Palo Alto Network devices running PAN-OS

|
Updated

Latest Palo Alto Vulnerabilities #

Palo Alto Networks (PAN) has issued a security advisory for a vulnerability that allows an unauthenticated attacker with access to the system's management PAN-OS web interface to gain administrator privileges on the device. There is limited evidence that CVE-2024-0012 is being exploited in the wild. This vulnerability is rated as critical with a 9.3 CVSS score. 

What is the impact? #

An attacker that can access the web administration interface of a device running PAN-OS can gain administrative privileges on the system. This would allow the attacker control over the system, and additionally may allow the attacker paths to further exploits (for example, CVE-2024-9474).

Palo Alto has indicated that there is limited evidence of exploitation of this vulnerability in the wild. Palo Alto's Unit 42 research organization has authored a writeup on the vulnerability that includes some Indicators of Compromise (IoCs).

Note that CISA (the Cybersecurity and Infrastructure Security Agency) has added CVE-2024-0012 and CVE-2024-9474 to their Known Exploited Vulnerabilities catalog.

Are updates or workarounds available? #

Palo Alto has released updates to address this vulnerability, and strongly recommends that users update as quickly as possible. They also recommend that users restrict access to vulnerable systems' web interfaces as quickly as possible, and prior to applying any updates.

How to find PAN-OS systems on your network #

From the Asset Inventory you can use the following query to locate potentially vulnerable systems:

os:"PAN-OS"



CVE-2024-5910, CVE-2024-9463, and CVE-2024-9465 #

Palo Alto Networks (PAN) updated a security advisory advising customers to restrict access to the management interface of Next-Generation Firewalls (NGFW) due to an actively exploited zero-day vulnerability.

CISA announced that CVE-2024-5910, which was patched in July, is actively being exploited and was added to the Known Exploited Vulnerabilities (KEV) Catalog. Although not directly affecting PAN-OS, this vulnerability affects the Expedition migration tool, which could contain API keys, administrator credentials, and/or PAN-OS device configuration information.

Additionally, CISA announced that both CVE-2024-9463 (CVSS 9.9) and CVE-2024-9465 (CVSS 9.3) are actively being exploited and were also added to the Known Exploited Vulnerabilities (KEV) Catalog. Both vulnerabilities also affect the Expedition migration tool.

    What is the impact? #

    Although no specific details of a remote code execution vulnerability were disclosed within the advisory, Palo Alto is actively investigating an active exploitation of a zero-day vulnerability against the management interfaces of NGFWs exposed to the public Internet.

    CVE-2024-5910 allows for a remote attacker to reset application admin credentials on Expedition servers. Additionally, successful exploitation of the other two vulnerabilities above could allow for a remote attacker to execute arbitrary OS commands or reveal the contents of the underlying database.

    Are updates or workarounds available? #

    Within the advisory, Palo Alto recommends restricting access to the management interface. Additionally, they advise following a set of best practices to secure the management interface. 

    Palo Alto Networks released a patch for CVE-2024-5910 in July.

    How to find PAN-OS systems on your network #

    From the Asset Inventory you can use the following query to locate potentially vulnerable systems:

    os:"PAN-OS" type:"Firewall"
    

    How to find Expedition servers on your network #

    From the Service Inventory you can use the following query to locate potentially vulnerable systems:

    html.title:="Expedition Project"
    

    October 10, 2024 vulnerabilities #

    Palo Alto Networks (PAN) released a security advisory with multiple vulnerabilities on PAN-OS firewalls that could lead to admin account takeover.

    • CVE-2024-9463 is rated critical with CVSS score of 9.9, is an OS command injection vulnerability and potentially allows for  and execution of OS commands as root.
    • CVE-2024-9464 is rated critical with CVSS score of 9.3, is an OS command injection vulnerability and potentially allows for the execution of OS commands as root.
    • CVE-2024-9465 is rated critical with CVSS score of 9.2, is a SQL injection vulnerability and potentially allows a remote unauthenticated attacker to read the contents of the Expedition database.
    • CVE-2024-9466 is rated high with CVSS score of 8.2, and potentially allows for an authenticated user to read sensitive information including passwords and API keys.
    • CVE-2024-9467 is rated high with CVSS score of 7.0, is an XSS vulnerability and potentially allows for execution of malicious JavaScript code that could result in session hijacking.

    If chained together through an exploit, a firewall running the vulnerable software could be completely taken over by an unauthenticated remote attacker. For more information, the team that disclosed the vulnerabilities to Palo Alto Networks, published a detailed analysis. According to the vendor, there was no known malicious exploitation of vulnerable systems at the time.

    According to Palo Alto Networks, "The fixes for all listed issues are available in Expedition 1.2.96, and all later Expedition versions." They also recommended rotating all passwords and API keys after applying the latest patch to prevent future unauthorized access. Refer to the Workarounds and Mitigations section of the security advisory for information about potential workarounds and additional advice.


    CVE-2024-3400 #

    Palo Alto Networks (PAN) disclosed that certain versions of their PAN-OS software had a vulnerability that allowed for remote command injection.

    CVE-2024-3400 was rated critical with CVSS score of 9.8 and indicated an unauthenticated attacker could execute arbitrary code with root privileges on the firewall. The vendor indicated that there was evidence of limited exploitation in the wild.

    watchTowr posted a detailed analysis including the details needed for exploitation. This analysis covered two separate vulnerabilities; an arbitrary file creation vulnerability in the session handler, and a shell metacharacter injection issue that lead to remote execution through the telemetry script. PAN updated their guidance to state that "Disabling device telemetry is no longer an effective mitigation".

    The following PAN-OS versions were affected by this vulnerability.

    Version

    Affected

    Unaffected

    PAN-OS 11.1

    < 11.1.2-h3

    >= 11.1.2-h3 (hotfix ETA: By 4/14)

    PAN-OS 11.0

    < 11.0.4-h1

    >= 11.0.4-h1 (hotfix ETA: By 4/14)

    PAN-OS 10.2

    < 10.2.9-h1

    >= 10.2.9-h1 (hotfix ETA: By 4/14)

    Palo Alto Networks indicated that PAN-OS 11.1, 11.0, and 10.2 versions with the configurations for both GlobalProtect gateway and device telemetry enabled.

    Customers could verify this by checking for entries in the firewall web interface (Network > GlobalProtect > Gateways) and verify whether device telemetry was enabled by checking the firewall web interface (Device > Setup > Telemetry).

    Palo Alto Networks recommended that customers with a Threat Prevention subscription block attacks for this vulnerability by enabling Threat ID 95187 (introduced in Applications and Threats content version 8833-8682) and applying vulnerability protection to GlobalProtect interfaces.

    It was also recommended that telemetry be disabled until devices could be upgraded to an unaffected version of PAN-OS.

    Written by Blain Smith

    Blain Smith is a Security Research Engineer at runZero. He spent most of his career in cloud and distributed systems for AAA gaming, entertainment, and networking working on some of the most popular games and systems millions of people play and watch daily. He has given numerous talks at conferences such as TEDx, GopherCon, and P99CONF. His shift into infosec has afforded him the ability to apply his distributed systems and networking knowledge to other industries such as IoT and OT.

    More about Blain Smith

    Written by runZero Team

    Due to the nature of their research and out of respect for their privacy, runZero team members prefer to remain anonymous. Their work is published under the runZero name.

    More about runZero Team
    Subscribe Now

    Get the latest news and expert insights delivered in your inbox.

    Welcome to the club! Your subscription to our newsletter is successful.


    Related Articles

    Rapid Response
    How to find Go SSH servers on your network
    How to discover Go SSH instances on your network that may be vulnerable to CVE-2024-45337
    Rapid Response
    How to find Cleo Harmony, LexiCom, and VLTransfer installations on your network
    Cleo Software has disclosed CVE-2024-50623 affecting installations of Cleo Harmony, VLTransfer, and LexiCom on your network. Here's how to find...
    Rapid Response
    How to find Cisco NX-OS assets on your network
    Cisco has released an advisory for a vulnerability found within their NX-OS software. Here's how to find affected assets.
    Rapid Response
    How to find Citrix Virtual Apps and Desktops software on your network
    Citrix has released an advisory for two vulnerabilities affecting Citrix Virtual Apps and Desktops software.

    See Results in Minutes

    Get complete visibility into IT, OT, & IoT — without agents, credentials, or hardware.

    © Copyright 2024 runZero, Inc. All Rights Reserved