Palo Alto Networks fixes zero-day firewall vulnerabilities

The patches come days after Palo Alto Networks first learned of active exploitation in the wild.

Palo Alto Networks has fixed two zero-day vulnerabilities in its PAN-OS management web interface used in its next-generation firewalls.

The patches were released this week, after Palo Alto Networks first disclosed on November 8 that it was aware of a claim of a remote code execution vulnerability affecting the management interface of its firewalls.

Then, on November 14, Palo Alto Networks updated its advisory to add that it had “observed threat activity exploiting an unauthenticated remote command execution vulnerability against a limited number of firewall management interfaces exposed to the Internet.”

The vulnerabilities became official on November 18, when two CVEs were assigned: CVE-2024-0012 and CVE-2024-9474.

CVE-2024-0012 is an authentication bypass in the PAN-OS management web interface that allows an unauthenticated attacker with network access to that interface to gain administrator privileges.

CVE-2024-9474 is a privilege escalation vulnerability that lets a PAN-OS administrator with access to the management web interface perform actions on the firewall with root privileges. Taken together, the two bugs are far more dangerous than either one alone.

“Both vulnerabilities can be chained together by adversaries to bypass authentication on exposed management interfaces and escalate privileges,” Rapid7 researchers said in a blog post last updated on November 18.

“While neither advisory explicitly states that the impact of chaining the two vulnerabilities is fully unauthenticated remote code execution as root, it seems likely, based on the issue description and the inclusion of a webshell (payload) in the IOCs, that adversaries may be able to achieve [remote code execution].”

According to Palo Alto Networks, the zero-days were exploited against only a “very small number” of its firewalls, and exploitation was only possible against management web interfaces that had been left unrestricted, that is, reachable from the Internet rather than limited to trusted internal IP addresses.

“Palo Alto Networks has identified threat activity targeting a limited number of device management web interfaces. This activity primarily comes from IP addresses known for proxy/tunnel traffic for anonymous VPN services,” Palo Alto Networks said in a November 18 blog post published by its Unit 42 research team.

“Palo Alto Networks is still actively investigating and remediating this activity. Observed post-exploitation activity includes executing interactive commands and dropping malware, such as webshells, on the firewall.”
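Since both the vendor and Rapid7 tie the attacks to management web interfaces that were reachable without an IP restriction, the first thing a firewall owner should check is whether any of their own management access is unrestricted. The script below is an added example (not code from Palo Alto Networks, Unit 42 or the article) that audits a PAN-OS configuration exported in CLI `set` format. It assumes the dedicated management port's allowlist appears as `set deviceconfig system permitted-ip <cidr>` and that in-band management is expressed through `interface-management-profile` entries bound to data-plane interfaces; the config text itself is constructed for the example, so adapt the patterns to your own export before relying on the result.

```python
"""Flag PAN-OS management web interface exposure in a 'set'-format config export.

Added example, not vendor code. The key names and layout below are assumed
from the PAN-OS CLI 'set' syntax; check them against a real export.
"""
import ipaddress
import re

# Constructed sample export (not from a real device). ethernet1/1 exposes HTTPS
# management to the whole Internet, ethernet1/2 is limited to an internal range,
# ethernet1/3 only answers ping, and the dedicated MGT port has no allowlist.
SAMPLE_CONFIG = """
set deviceconfig system ip-address 203.0.113.10
set deviceconfig system netmask 255.255.255.0
set network profiles interface-management-profile allow-mgmt https yes
set network profiles interface-management-profile allow-mgmt ssh yes
set network profiles interface-management-profile allow-mgmt permitted-ip 0.0.0.0/0
set network profiles interface-management-profile ops-only https yes
set network profiles interface-management-profile ops-only permitted-ip 10.20.0.0/16
set network profiles interface-management-profile ping-only ping yes
set network interface ethernet ethernet1/1 layer3 interface-management-profile allow-mgmt
set network interface ethernet ethernet1/2 layer3 interface-management-profile ops-only
set network interface ethernet ethernet1/3 layer3 interface-management-profile ping-only
"""

# Assumed 'set' line shapes (hypothetical patterns; verify against your export).
MGMT_PERMIT_RE = re.compile(r"^set deviceconfig system permitted-ip (\S+)")
PROFILE_RE = re.compile(r"^set network profiles interface-management-profile (\S+) (\S+) (\S+)")
BIND_RE = re.compile(r"^set network interface \S+ (\S+) layer3 interface-management-profile (\S+)")
WEB_SERVICES = {"http", "https"}


def unrestricted(cidrs):
    """True if no permitted-ip is configured at all, or if any entry is a catch-all (/0)."""
    if not cidrs:
        return True
    return any(ipaddress.ip_network(c, strict=False).prefixlen == 0 for c in cidrs)


def audit(config_text):
    """Return a list of findings describing management web access with no IP restriction."""
    mgmt_permitted = []   # permitted-ip entries for the dedicated MGT port
    profiles = {}         # profile name -> {"services": set, "permitted": list}
    bindings = []         # (interface, profile name)

    for raw in config_text.splitlines():
        line = raw.strip()
        if m := MGMT_PERMIT_RE.match(line):
            mgmt_permitted.append(m.group(1))
        elif m := PROFILE_RE.match(line):
            name, key, value = m.groups()
            prof = profiles.setdefault(name, {"services": set(), "permitted": []})
            if key == "permitted-ip":
                prof["permitted"].append(value)
            elif value == "yes":
                prof["services"].add(key)
        elif m := BIND_RE.match(line):
            bindings.append(m.groups())

    findings = []
    if unrestricted(mgmt_permitted):
        findings.append("MGT: dedicated management port has no permitted-ip restriction")
    for iface, name in bindings:
        prof = profiles.get(name)
        if prof is None:
            continue
        web = sorted(prof["services"] & WEB_SERVICES)
        if web and unrestricted(prof["permitted"]):
            findings.append(f"{iface}: profile {name} exposes {'/'.join(web)} with no IP restriction")
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_CONFIG):
        print(finding)
```

A finding here means the device itself imposes no source restriction; whether that interface is actually reachable from the Internet still depends on upstream routing, NAT and any perimeter filtering, so treat the output as a list of places to verify from an external vantage point, not as proof of exposure. Conversely, an SSH-only profile is deliberately not flagged, because the two CVEs concern the web interface.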
