The Shadowserver Foundation on Nov. 20 reported that more than 2,000 Palo Alto Networks PAN-OS firewalls have been attacked since two security flaws – one of them critical – were reported on and patched earlier this month.
The first, CVE-2024-0012, is a critical (CVSS 9.3) authentication bypass in the PAN-OS management web interface that an unauthenticated remote attacker with network access to that interface can exploit to gain administrative privileges. The second, CVE-2024-9474, is a medium-severity (CVSS 6.9) privilege escalation in PAN-OS that lets an attacker with administrator access to the management interface run commands on the firewall as root.
Because the two bugs can be chained for remote code execution as root, the Cybersecurity and Infrastructure Security Agency (CISA) on Monday added both vulnerabilities to its Known Exploited Vulnerabilities Catalog. CISA is now requiring federal agencies to patch their firewalls by December 9, a move that CISA also encourages private sector organizations to follow.
As of 1:45 p.m. ET, an attempt to reach Palo Alto Networks for comment on the latest news involving the PAN-OS bugs had been unsuccessful.
However, as SC Media reported Monday, Palo Alto Networks has advised security teams to restrict access to the management interface to trusted internal IP addresses only, preventing access from the Internet, adding that "the vast majority of firewalls already follow Palo Alto Networks and industry best practices."
The immediate danger with these bugs is that attackers exploiting these vulnerabilities can gain full control over affected firewalls, compromising the very systems designed to protect sensitive networks, explained Patrick Tiquet, vice president, security and architecture at Keeper Security.
“This opens the door for malware deployment, data theft, lateral movement within the network and even complete network shutdowns,” said Tiquet. “For organizations relying on these firewalls, this could mean business disruption, loss of sensitive data and exposure to regulatory and financial consequences.”
Tiquet added that beyond patching immediately, security teams must prioritize assessing the potential damage from compromised firewalls. This includes checking for unauthorized access, scanning for malware and reviewing configurations to ensure no additional vulnerabilities were introduced during the attack.
While patching all vulnerable PAN-OS devices is the first step, security teams also need to secure access to the management interface by restricting access only to trusted IP addresses, reducing the attack surface, said Mayuresh Dani, manager, security research at the Qualys Threat Research Unit.
“Sift through their installations and make sure none of the IOCs exist on their system,” said Dani. “If any of these exist, they should follow their organizational IR steps to remediate these devices."
Dani said teams should go through their installations, verify that they have not been altered in any way, and undo any changes they find. If this cannot be done, teams should restore the last "known good" configuration and verify that it is working properly. Dani added that any virtual PAN-OS instances should be strictly checked for "jump-to-host" exploit conditions and upgraded or decommissioned regardless.
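The two checks recommended above (is the management interface actually restricted to trusted IPs, and has the configuration been altered, for example by an administrator account added through the authentication bypass) can be run offline against a configuration export rather than by clicking through the GUI. The script below is an added example written for this article, not Palo Alto Networks' own tooling or anything published by the researchers quoted. It assumes the XML layout of a PAN-OS running-config export (`deviceconfig/system/permitted-ip`, `network/profiles/interface-management-profile`, `mgt-config/users`); the sample config, the device name and the `KNOWN_GOOD_ADMINS` baseline are constructed for the demonstration and should be replaced with your own export and your last trusted backup.

```python
"""Audit a PAN-OS configuration export for management-interface exposure and
for administrator accounts that are not in a known-good baseline.

Added example, not Palo Alto Networks' tooling. The XPath layout used here is
an assumption about the running-config export format; adjust to your export.
"""
import ipaddress
import xml.etree.ElementTree as ET

# Constructed sample export: the management interface permits 0.0.0.0/0, an
# interface management profile exposes HTTPS/SSH with no permitted-ip list,
# and a second administrator account has appeared.
SAMPLE_CONFIG = """<config>
  <devices><entry name="localhost.localdomain">
    <deviceconfig><system>
      <ip-address>192.0.2.10</ip-address>
      <permitted-ip>
        <entry name="0.0.0.0/0"/>
      </permitted-ip>
    </system></deviceconfig>
    <network><profiles><interface-management-profile>
      <entry name="allow-mgmt">
        <https>yes</https><ssh>yes</ssh>
      </entry>
      <entry name="ping-only">
        <ping>yes</ping>
      </entry>
    </interface-management-profile></profiles></network>
  </entry></devices>
  <mgt-config><users>
    <entry name="admin"/>
    <entry name="support-tmp"/>
  </users></mgt-config>
</config>
"""

# Administrator names taken from the last trusted configuration backup
# (constructed baseline for this example).
KNOWN_GOOD_ADMINS = {"admin"}


def is_broad(cidr: str) -> bool:
    """True when a permitted-ip entry effectively allows any source:
    a /0 network, or a value that is not a parseable network at all."""
    try:
        return ipaddress.ip_network(cidr, strict=False).prefixlen == 0
    except ValueError:
        return True


def audit_mgmt_access(config_xml: str) -> list[str]:
    """Return human-readable findings about management-plane exposure."""
    root = ET.fromstring(config_xml)
    findings = []
    for dev in root.findall("./devices/entry"):
        name = dev.get("name")
        allowed = [e.get("name") for e in
                   dev.findall("./deviceconfig/system/permitted-ip/entry")]
        if not allowed:
            findings.append(f"{name}: management interface has no permitted-ip "
                            f"list (reachable from any source)")
        for cidr in allowed:
            if is_broad(cidr):
                findings.append(f"{name}: permitted-ip {cidr} allows management "
                                f"access from anywhere")
        # Data-plane interfaces expose management services via profiles.
        for prof in dev.findall("./network/profiles/interface-management-profile/entry"):
            exposed = [svc for svc in ("https", "ssh") if prof.findtext(svc) == "yes"]
            restricted = prof.findall("./permitted-ip/entry")
            if exposed and not restricted:
                findings.append(f"{name}: profile {prof.get('name')} exposes "
                                f"{','.join(exposed)} without a permitted-ip list")
    return findings


def unexpected_admins(config_xml: str, baseline: set[str]) -> set[str]:
    """Administrator accounts present in the export but not in the baseline."""
    root = ET.fromstring(config_xml)
    current = {e.get("name") for e in root.findall("./mgt-config/users/entry")}
    return current - baseline


if __name__ == "__main__":
    for finding in audit_mgmt_access(SAMPLE_CONFIG):
        print("FINDING:", finding)
    for user in sorted(unexpected_admins(SAMPLE_CONFIG, KNOWN_GOOD_ADMINS)):
        print("UNEXPECTED ADMIN:", user)
```

On the sample this reports the 0.0.0.0/0 entry, the `allow-mgmt` profile, and the `support-tmp` account. Any unexpected administrator is a trigger for the organizational incident-response steps Dani describes, not just a cleanup item, since it indicates the management plane was already reached. The exposure findings are fixed on the device itself with the configuration CLI, for example `set deviceconfig system permitted-ip 10.0.0.0/24` followed by `commit`, substituting your own trusted management network.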