Note: This Emerging Threat is also published in the new Fortra Security & Trust Center - the new location for all Emerging Threats beginning in January 2025. Refer to Emerging Threats Moving to Fortra.com for more information on following Emerging Threats in their new location.
Fortra is actively researching new vulnerabilities in Palo Alto PAN-OS – CVE-2024-0012 and CVE-2024-9474. When combined, these two vulnerabilities allow for an exploit chain to achieve remote code execution. The first CVE allows an unauthenticated attacker with access to the web management interface to gain administrator privileges on the PAN-OS device, while the second CVE allows administrators to perform actions on the firewall with root privileges.
Palo Alto has released fixed versions of PAN-OS to address these vulnerabilities, and customers should upgrade as soon as possible.
Who is affected?
The following versions of PAN-OS are affected by these vulnerabilities.
- 10.1
- 10.2
- 11.0
- 11.1
- 11.2
What can I do?
Palo Alto has released fixes to address these vulnerabilities. Customers should upgrade to one of the following fixed versions, based on their current version:
- For PAN-OS 10.1, upgrade to 10.1.14-h6 or higher
- For PAN-OS 10.2, upgrade to 10.2.12-h2 or higher
- For PAN-OS 11.0, upgrade to 11.0.6-h1 or higher
- For PAN-OS 11.1, upgrade to 11.1.5-h1 or higher
- For PAN-OS 11.2, upgrade to 11.2.4-h1 or higher
For more information about these vulnerabilities, refer to Palo Alto’s advisories for CVE-2024-0012 and CVE-2024-9474.
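To triage a firewall inventory against the fixed-version list above, the following added example (not Fortra or Palo Alto code) parses PAN-OS version strings and flags builds below the listed threshold for their branch. It assumes versions have the form `X.Y.Z` or `X.Y.Z-hN` and that "or higher" means ordering by maintenance number, then hotfix number, within a branch; the hostnames and sample versions are constructed.

```python
import re

# Fixed versions per branch, taken from the list above.
FIXED = {
    "10.1": "10.1.14-h6",
    "10.2": "10.2.12-h2",
    "11.0": "11.0.6-h1",
    "11.1": "11.1.5-h1",
    "11.2": "11.2.4-h1",
}

_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:-h(\d+))?$")


def parse_version(text):
    """Return (branch, (maintenance, hotfix)) for 'X.Y.Z' or 'X.Y.Z-hN'."""
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised PAN-OS version: {text!r}")
    major, minor, maint, hotfix = m.groups()
    # A release without a hotfix suffix sorts below every hotfix of it.
    return f"{major}.{minor}", (int(maint), int(hotfix or 0))


def assess(version):
    """Classify a version as 'needs-upgrade', 'fixed' or 'branch-not-listed'."""
    branch, build = parse_version(version)
    if branch not in FIXED:
        return "branch-not-listed"
    _, fixed_build = parse_version(FIXED[branch])
    return "fixed" if build >= fixed_build else "needs-upgrade"


def triage(inventory):
    """Map each hostname to (version, status, target fixed version or None)."""
    report = {}
    for host, version in inventory.items():
        status = assess(version)
        target = FIXED[parse_version(version)[0]] if status == "needs-upgrade" else None
        report[host] = (version, status, target)
    return report


if __name__ == "__main__":
    # Constructed sample inventory; hostnames and versions are illustrative.
    sample = {"fw-edge-01": "10.2.12-h1", "fw-edge-02": "10.2.13",
              "fw-dc-01": "11.1.5", "fw-lab-01": "11.2.4-h1", "fw-old-01": "9.1.16"}
    for host, (version, status, target) in sorted(triage(sample).items()):
        print(f"{host:12} {version:12} {status:18} {target or ''}")
```

A `branch-not-listed` result means only that this article gives no threshold for that branch; confirm any build flagged `needs-upgrade` against the vendor advisories before scheduling the upgrade.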
How is Fortra helping me?
Fortra is actively researching this threat to build detection capabilities in addition to those listed below.
Alert Logic Log Management: Alert Logic has deployed and is actively monitoring log telemetry related to known IOCs.
Alert Logic Network IDS: Alert Logic released IDS signatures on November 20, 2024, to aid in detecting exploit attempts.
Alert Logic Vulnerability Scanning: Alert Logic released authenticated scan coverage on November 21, 2024, to identify these vulnerabilities.
Updates
Fortra has kicked off the Emerging Threats process for these vulnerabilities. This article will be updated with new information about these vulnerabilities and related security coverage as it becomes available.
11/20/2024: Alert Logic released IDS signatures and log telemetry to aid in detecting exploit attempts.
11/21/2024: Alert Logic released authenticated scan coverage to identify these vulnerabilities.