FortiNDRCloud
rradparvar
Staff
Article Id 365737

Description

Palo Alto Networks PAN-OS software is an OS that runs on Palo Alto Networks firewalls.

The management interface for PAN-OS is vulnerable to the following CVEs:

CVE-2024-0012 is an authentication bypass vulnerability in PAN-OS that allows unauthenticated attackers to gain administrator privileges.

CVE-2024-9474 is a privilege escalation vulnerability in PAN-OS that allows a PAN-OS administrator to perform actions on the firewall with root privileges.

The following versions of PAN-OS are vulnerable to CVE-2024-0012 and CVE-2024-9474:

PAN-OS 11.2: < 11.2.4-h1
PAN-OS 11.1: < 11.1.5-h1
PAN-OS 11.0: < 11.0.6-h1
PAN-OS 10.2: < 10.2.12-h2
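To turn the affected-version table above into a repeatable inventory check, here is an added example (not Fortinet or Palo Alto Networks code) that parses PAN-OS version strings, including the "-hN" hotfix suffix, and reports whether each firewall is below the first fixed release of its train. The fixed versions are taken from the table above; the inventory data is constructed for illustration, and any train not in the table is reported as "not in advisory table" rather than guessed at.

```python
"""Check PAN-OS version strings against the affected-version table for
CVE-2024-0012 / CVE-2024-9474.  Added example; not vendor code."""
import re
from typing import Optional, Tuple

# First fixed release per affected major.minor train, as listed in the article.
# Trains absent from this table (for example 10.1) are not assessed here.
FIXED_VERSIONS = {
    (11, 2): "11.2.4-h1",
    (11, 1): "11.1.5-h1",
    (11, 0): "11.0.6-h1",
    (10, 2): "10.2.12-h2",
}

# major.minor.maint with an optional hotfix suffix such as -h1
_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:-h(\d+))?$")


def parse_version(version: str) -> Tuple[int, int, int, int]:
    """Parse 'major.minor.maint[-hN]' into a comparable tuple.

    A release with no hotfix suffix gets hotfix 0, so 11.2.4 sorts below
    11.2.4-h1 and is correctly treated as still vulnerable."""
    m = _VERSION_RE.match(version.strip())
    if not m:
        raise ValueError(f"unrecognised PAN-OS version: {version!r}")
    major, minor, maint, hotfix = m.groups()
    return (int(major), int(minor), int(maint), int(hotfix or 0))


def is_vulnerable(version: str) -> Optional[bool]:
    """True if below the first fixed release of its train, False if at or
    above it, None if the train is not covered by the article's table."""
    parsed = parse_version(version)
    fixed = FIXED_VERSIONS.get(parsed[:2])
    if fixed is None:
        return None
    return parsed < parse_version(fixed)


if __name__ == "__main__":
    # Constructed sample inventory: hostname -> reported PAN-OS version.
    inventory = {
        "fw-edge-01": "11.2.3",
        "fw-edge-02": "11.2.4-h1",
        "fw-dc-01": "10.2.12-h1",
        "fw-dc-02": "10.2.12-h2",
        "fw-lab-01": "10.1.14",
    }
    labels = {True: "VULNERABLE", False: "fixed", None: "not in advisory table"}
    for host, ver in inventory.items():
        print(f"{host:12} {ver:12} {labels[is_vulnerable(ver)]}")
```

Because the article expresses the fix as "< 11.2.4-h1", a bare 11.2.4 (no hotfix) is still reported as vulnerable; that is the edge case the hotfix-to-zero parsing exists to handle.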

CVE ID

CVE-2024-0012 (https://nvd.nist.gov/vuln/detail/CVE-2024-0012)
CVE-2024-9474 (https://nvd.nist.gov/vuln/detail/CVE-2024-9474)

NDR Cloud Detection Rule

FortiNDR Cloud v2024.10+

Detection Rule Name | Category | Primary MITRE ID
FortiGuard Outbreak Alert: Palo Alto Networks PAN-OS Authentication Bypass - CVE-2024-0012 | Attack:Exploitation | T1190 - Exploit Public-Facing Application
FortiGuard Outbreak Alert: Palo Alto Networks PAN-OS Privilege Escalation - CVE-2024-9474 | Attack:Exploitation | T1190 - Exploit Public-Facing Application

Playbook

N/A

Threat Hunting

FortiNDR Cloud users can use the IOCs published by Fortinet for the "Palo Alto Networks Management Interface Attack" outbreak to hunt for related activity.
IOC source: https://www.fortiguard.com/outbreak-alert/pan-os-management-interface-attack
All IOCs listed at that source have been added to Threat Intelligence.

Suricata Coverage

Customers can create custom investigations and detections using the Suricata signatures below:
2057705 -> ET WEB_SPECIFIC_APPS Palo Alto PAN-OS Authentication Bypass (CVE-2024-0012)
2057706 -> ET WEB_SPECIFIC_APPS Palo Alto PAN-OS Command Injection in User Parameter
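As an added example of building an investigation on the two signatures above (this is not Fortinet code and not part of the article), the script below reads Suricata EVE JSON alert records, keeps only alerts for SIDs 2057705 and 2057706, tags each hit with its CVE and the MITRE technique from the detection-rule table, and then lists sources that triggered more than one of the signatures so they can be triaged first. The EVE lines are constructed sample data; the SID 2057705 to CVE-2024-0012 mapping comes from the rule name on the page, while the SID 2057706 to CVE-2024-9474 mapping is an assumption based on the rule's description and the article's pairing of the two CVEs.

```python
"""Triage Suricata EVE JSON alerts for the two ET signatures listed in the
article.  Added example; not Fortinet code."""
import json
from typing import Dict, Iterable, List

# SID -> (CVE, MITRE technique).  2057705 -> CVE-2024-0012 is stated in the
# rule name; 2057706 -> CVE-2024-9474 is an ASSUMPTION for this example.
SID_CONTEXT = {
    2057705: ("CVE-2024-0012", "T1190"),
    2057706: ("CVE-2024-9474", "T1190"),
}

# Constructed sample EVE records: two hits from one source, one unrelated
# alert, one non-alert flow event, and one malformed line.
SAMPLE_EVE = [
    '{"timestamp":"2024-11-19T10:01:02.000000+0000","event_type":"alert",'
    '"src_ip":"198.51.100.23","dest_ip":"192.0.2.10","dest_port":443,'
    '"alert":{"signature_id":2057705,"rev":1,"signature":"ET WEB_SPECIFIC_APPS '
    'Palo Alto PAN-OS Authentication Bypass (CVE-2024-0012)","severity":1}}',
    '{"timestamp":"2024-11-19T10:01:03.000000+0000","event_type":"flow",'
    '"src_ip":"198.51.100.23","dest_ip":"192.0.2.10","dest_port":443}',
    '{"timestamp":"2024-11-19T10:01:05.000000+0000","event_type":"alert",'
    '"src_ip":"198.51.100.23","dest_ip":"192.0.2.10","dest_port":443,'
    '"alert":{"signature_id":2057706,"rev":1,"signature":"ET WEB_SPECIFIC_APPS '
    'Palo Alto PAN-OS Command Injection in User Parameter","severity":1}}',
    '{"timestamp":"2024-11-19T10:02:00.000000+0000","event_type":"alert",'
    '"src_ip":"203.0.113.7","dest_ip":"192.0.2.10","dest_port":443,'
    '"alert":{"signature_id":9000001,"rev":1,"signature":"CONSTRUCTED unrelated '
    'test alert","severity":3}}',
    "this line is not JSON",
]


def triage_alerts(eve_lines: Iterable[str]) -> List[Dict[str, object]]:
    """Return one record per alert whose signature_id is in SID_CONTEXT.
    Non-alert events, unrelated SIDs and malformed lines are skipped."""
    hits: List[Dict[str, object]] = []
    for line in eve_lines:
        try:
            ev = json.loads(line)
        except json.JSONDecodeError:
            continue
        if ev.get("event_type") != "alert":
            continue
        alert = ev.get("alert", {})
        sid = alert.get("signature_id")
        if sid not in SID_CONTEXT:
            continue
        cve, technique = SID_CONTEXT[sid]
        hits.append({
            "timestamp": ev.get("timestamp", ""),
            "src_ip": ev.get("src_ip", ""),
            "dest_ip": ev.get("dest_ip", ""),
            "dest_port": ev.get("dest_port"),
            "sid": sid,
            "signature": alert.get("signature", ""),
            "cve": cve,
            "mitre": technique,
        })
    return hits


def sources_with_multiple_hits(hits: List[Dict[str, object]]) -> Dict[str, List[str]]:
    """Map each source IP that triggered more than one listed CVE signature
    to the sorted list of CVEs seen; these are the first hosts to review."""
    seen: Dict[str, set] = {}
    for h in hits:
        seen.setdefault(str(h["src_ip"]), set()).add(str(h["cve"]))
    return {ip: sorted(cves) for ip, cves in seen.items() if len(cves) > 1}


if __name__ == "__main__":
    found = triage_alerts(SAMPLE_EVE)
    for h in found:
        print(f'{h["timestamp"]} {h["src_ip"]} -> {h["dest_ip"]}:{h["dest_port"]} '
              f'sid={h["sid"]} {h["cve"]} {h["mitre"]}')
    print("priority sources:", sources_with_multiple_hits(found))
```

On a live sensor the same functions can be fed from the EVE file line by line; the triage keys on signature_id rather than the signature text so that rule revisions that reword the message do not break the match.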

Other Fortinet Products

For more details on mitigating these vulnerabilities with Fortinet products, refer to
https://www.fortiguard.com/outbreak-alert/pan-os-management-interface-attack
