mary
Staff
Article Id 359955
Description

Two critical vulnerabilities, CVE-2024-0012 and CVE-2024-9474, have been disclosed in Palo Alto Networks’ PAN-OS software. Together they let attackers bypass authentication, escalate privileges, and achieve remote code execution on affected devices. Active exploitation in the wild underscores the urgency for organizations to address this threat and secure their cloud and hybrid environments.

CVE-2024-0012: Authentication Bypass

  • Severity: Critical
  • Impact: Allows unauthenticated attackers to access the PAN-OS management interface, bypassing authentication entirely.
  • Exploitation: An attacker gains entry without credentials, exposing administrative functions.

CVE-2024-9474: Privilege Escalation

  • Severity: Critical
  • Impact: Elevates attacker privileges to administrator, enabling arbitrary actions such as modifying configurations or executing commands.

These vulnerabilities can be chained together, resulting in full administrative control of affected devices.

Scope

Both issues affect physical and virtual PAN-OS deployments; organizations with internet-facing PAN-OS management interfaces are at the highest risk. To date, Lacework has not observed successful exploitation of these vulnerabilities in the cloud environments we monitor.

Observed Timeline: exploitation began on November 17, 2024, escalating after a proof-of-concept exploit was publicly released on November 19.
Attackers have used these vulnerabilities to:

  • Deploy web shells on compromised devices
  • Perform interactive command execution and deploy malicious payloads
  • Exploit misconfigured systems, resulting in data breaches and lateral movement within networks

Solution

1. Patch Immediately

  • Update to the latest PAN-OS version released in November 2024 to address CVE-2024-0012 and CVE-2024-9474.

2. Restrict Access to Management Interfaces

  • Limit access to the PAN-OS management interface to trusted IP ranges.
  • Disable internet-facing interfaces wherever possible.

3. Enable Multi-Factor Authentication (MFA)

  • Enforce MFA for all administrative accounts to strengthen authentication mechanisms.

4. Monitor Continuously

  • Use Lacework’s anomaly detection capabilities to identify unauthorized activities, IoCs, and suspicious network traffic.

Indicators of Compromise (IoCs)

Unusual administrative actions, such as privilege escalations or configuration changes.

Outbound connections from PAN-OS devices to suspicious IP addresses.

Presence of unauthorized scripts, including web shells, on affected systems.
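The access-restriction and monitoring steps above, together with the IoCs just listed, reduce to a rule a detection engineer can check mechanically: every administrative login and privileged action should originate from a trusted management range, a privileged action shortly after a login from an untrusted address is the footprint a chained authentication-bypass and privilege-escalation attack would leave, and the firewall's own outbound connections should go only to known destinations. The script below is an added example, not Lacework's or Palo Alto Networks' code. It runs over a constructed CSV log in a format invented here (real PAN-OS logs are formatted differently); the trusted networks, expected egress destinations, event names and sample addresses are all assumptions, drawn from the RFC 5737 documentation ranges.

```python
"""Allowlist triage of management-plane and egress events for a PAN-OS style device.

Added example, not Lacework or Palo Alto Networks code. The log format below is
constructed for this example and is NOT real PAN-OS log output; the trusted
networks, expected egress destinations and event names are assumptions.
"""
import csv
import io
import ipaddress
from datetime import datetime, timedelta

# Assumption: the only networks from which administrators should reach the
# management interface (Solution step 2: trusted IP ranges).
TRUSTED_MGMT_NETS = [ipaddress.ip_network(n) for n in ("10.20.0.0/24", "192.168.100.0/24")]

# Assumption: destinations the device itself is expected to contact (update
# servers, syslog collector). Anything else is the "unexpected outbound" IoC.
EXPECTED_EGRESS = [ipaddress.ip_network(n) for n in ("10.20.0.0/24", "198.51.100.10/32")]

# Event names are this example's own vocabulary for the IoCs named in the
# article: privilege escalation, configuration change, unauthorized scripts.
SENSITIVE_EVENTS = {"admin-create", "privilege-change", "config-commit", "file-upload"}

# Constructed sample log, one CSV record per line:
# timestamp,kind,event,actor,src_ip,dst_ip,detail
SAMPLE_LOG = """\
2024-11-18T02:13:05Z,admin,auth-success,admin,10.20.0.15,,web ui login
2024-11-18T02:14:40Z,admin,config-commit,admin,10.20.0.15,,scheduled rule update
2024-11-19T11:02:11Z,admin,auth-success,admin,203.0.113.45,,web ui login
2024-11-19T11:02:30Z,admin,admin-create,admin,203.0.113.45,,new superuser account created
2024-11-19T11:03:02Z,admin,file-upload,admin,203.0.113.45,,php file written under web root
2024-11-19T11:04:15Z,outbound,connection,,10.20.0.1,203.0.113.99,tcp/443 from management plane
2024-11-19T11:05:00Z,outbound,connection,,10.20.0.1,198.51.100.10,tcp/514 syslog
"""

FIELDS = ["ts", "kind", "event", "actor", "src_ip", "dst_ip", "detail"]


def in_any(ip, nets):
    """True if `ip` falls inside one of `nets`; an empty or malformed address is never trusted."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False
    return any(addr in net for net in nets)


def parse_log(text):
    """Parse the constructed CSV format into dicts with a datetime timestamp."""
    rows = []
    for rec in csv.DictReader(io.StringIO(text), fieldnames=FIELDS):
        rec["ts"] = datetime.strptime(rec["ts"], "%Y-%m-%dT%H:%M:%SZ")
        rows.append(rec)
    return rows


def triage(rows, trusted=TRUSTED_MGMT_NETS, egress=EXPECTED_EGRESS, window=timedelta(minutes=10)):
    """Return (finding, ip, timestamp) tuples for the article's IoCs.

    * admin activity from outside the trusted ranges (the management interface
      is reachable from a network it should not be);
    * a sensitive action within `window` of such a login, the login-then-
      escalation sequence a chained CVE-2024-0012 / CVE-2024-9474 attack would
      leave in the logs (reported once per source address);
    * device egress to destinations not on the expected list.
    """
    findings = []
    first_login = {}   # untrusted src_ip -> time of its first successful login
    chained = set()    # src_ips already reported for the login->escalation sequence
    for r in rows:
        if r["kind"] == "admin":
            if in_any(r["src_ip"], trusted):
                continue  # expected administrator behaviour, nothing to report
            if r["event"] == "auth-success":
                findings.append(("untrusted-admin-login", r["src_ip"], r["ts"]))
                first_login.setdefault(r["src_ip"], r["ts"])
            elif r["event"] in SENSITIVE_EVENTS:
                findings.append(("untrusted-" + r["event"], r["src_ip"], r["ts"]))
                t0 = first_login.get(r["src_ip"])
                if t0 is not None and r["ts"] - t0 <= window and r["src_ip"] not in chained:
                    chained.add(r["src_ip"])
                    findings.append(("login-then-privileged-action", r["src_ip"], r["ts"]))
        elif r["kind"] == "outbound" and not in_any(r["dst_ip"], egress):
            findings.append(("unexpected-egress", r["dst_ip"], r["ts"]))
    return findings


if __name__ == "__main__":
    for kind, ip, ts in triage(parse_log(SAMPLE_LOG)):
        print(f"{ts:%Y-%m-%d %H:%M:%S}  {kind:<30} {ip}")
```

On the constructed sample the two trusted-range records produce nothing, while the untrusted login, the account creation and file write that follow it within seconds, and the management-plane connection to an unlisted destination each surface as a finding. The same allowlist logic applies to whatever log source actually carries your device's admin and traffic events; the point of the trusted-range and expected-egress lists is that, once step 2 of the Solution is in place, any hit is worth an analyst's attention.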

Additional Resources

Palo Alto Networks Security Advisories

Lacework FortiCNAPP Overview

Lacework FortiCNAPP Anomaly Detection Documentation


How Lacework FortiCNAPP can help

Enhanced Detection Capabilities

  • Cloud Environment Monitoring: Lacework FortiCNAPP offers agentless scanning to identify vulnerabilities and misconfigurations across cloud workloads and containers, providing a comprehensive view of your cloud environment's security posture.
  • Lateral Movement Detection: Lacework FortiCNAPP identifies unusual network activity or access patterns that may indicate an attacker attempting to move laterally within your cloud environment.

Visualize and Prioritize Risks

  • Exposure Polygraph: map potential attack paths to highlight high-risk, publicly exposed assets.
  • Runtime Context Analysis: correlate vulnerability data with real-time activity for better prioritization.

Respond Quickly

  • Anomaly Detection: Receive alerts for privilege escalations, unexpected administrative actions, and network anomalies.

FAQs

Q: How does Lacework help detect active exploitation of these vulnerabilities?

Lacework’s anomaly detection identifies unusual behaviors and IoCs associated with exploitation, such as unauthorized administrative actions and suspicious outbound traffic.

Q: Are virtualized PAN-OS instances vulnerable?

Yes, both physical and virtual instances are affected. Ensure patches are applied across all deployments.

Q: Can Lacework assist in post-exploitation analysis?

Yes, Lacework’s runtime monitoring and Exposure Polygraph help analyze compromised systems and understand the attack paths used by adversaries.

Act Now

Address these vulnerabilities immediately by patching affected PAN-OS systems and leveraging Lacework FortiCNAPP to proactively monitor and secure your environment. #FortiCNAPP
