Alert essentials:

A vulnerability in Palo Alto Networks next-generation firewalls is being exploited to give attackers system administrator privileges.

Deploy upgraded software or mitigations to vulnerable devices immediately.

Detailed threat description:

Palo Alto Networks has disclosed that a flaw in certain of its firewalls has been exploited in the wild. The flaw allows attackers to bypass authentication on the firewall and gain unauthorized access to sensitive systems.

The exploitation targets Next-Generation Firewall management interfaces. A weakness in PAN-OS 10 and 11 software gives an unauthenticated attacker administrator privileges on the management web interface. Once this level of access is achieved, the attacker may exfiltrate sensitive data and disrupt critical system functionality.

Observed post-exploitation activity includes interactive command execution and dropping malware, such as webshells, on the firewall.
This authentication bypass primarily originated from IP addresses known to proxy/tunnel traffic for anonymous VPN services.

Palo Alto Networks observed threat activity exploiting a limited number of management web interfaces exposed to internet traffic. Details on the attack vector indicate that the flaw affects SSL VPN and GlobalProtect portal configurations, making remote access services a potential target.


Impacts on healthcare organizations:

Healthcare organizations that rely on Palo Alto firewalls for perimeter security are at significant risk of attack.

The exploit allows unauthenticated attackers to access firewall configurations remotely, escalate privileges, and execute arbitrary code. This can result in unauthorized access to sensitive hospital networks, data exfiltration, and the disruption of critical medical systems.


Affected Products / Versions:

  • PAN-OS 10.2 software
  • PAN-OS 11.0 software
  • PAN-OS 11.1 software
  • PAN-OS 11.2 software

  • Risk is most significant if the management interface is configured to allow access from the internet or any untrusted network
  • Risk is significantly reduced if only trusted internal IP addresses are allowed to access the management interface
  • Cloud NGFW and Prisma Access are not impacted

Workarounds and mitigations

  • Secure access to management interfaces according to Palo Alto’s Best Practice deployment guidelines
  • Restrict access to the management interface to only trusted internal IP addresses to prevent external access from the internet
  • Ensure that all the listed Threat IDs are set to block mode
  • Route incoming traffic for the MGT port through a DP port, e.g., by enabling a management profile on a DP interface for management access
  • Replace the Certificate for Inbound Traffic Management
  • Decrypt inbound traffic to the management interface so the firewall can inspect it
  • Enable threat prevention on the inbound traffic to management services

Indicators of Compromise (IoCs)


Post-Exploitation Payloads

SHA256
3C5F9034C86CB1952AA5BB07B4F77CE7D8BB5CC9FE5C029A32C72ADC7E814668

Context

  • PHP webshell payload dropped on a compromised firewall

CVE

  • CVE-2024-0012
  • Palo Alto Networks tracks this internally as PAN-SA-2024-0015
  • Palo Alto Threat IDs available in Applications and Threats content version 8915-9075 and later: 95746, 95747, 95752, 95753, 95759, and 95763

Recommendations

Engineering recommendations:

  • Monitor for unauthorized access attempts: unusual login activity, especially on SSL VPN or GlobalProtect portals
  • IT teams are encouraged to review their firewall logs thoroughly, especially for activity between November 10–18, 2024, when the exploit was seen in active use
  • Restrict administrative access to firewalls to VPN-only access
  • Use multi-factor authentication (MFA) for all administrative accounts
  • Disable unused interfaces exposed to the internet
  • Implement SSL decryption to inspect inbound traffic to the GlobalProtect portal or gateway
  • Use Geo-IP blocking for non-essential countries where external users should not access the firewall
  • Monitor firewall traffic logs for anomalies (e.g., unusual requests to /global-protect/login.esp)
  • Keep all firewall and network appliances updated with the latest security patches
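The log review the recommendations above call for can be scripted. The following is an added example, not Palo Alto Networks code, and it runs over constructed sample lines rather than real PAN-OS log output; the trusted network range and the log field layout are assumptions, while the two watch-listed addresses are taken from this advisory's IoC list.

```python
import ipaddress
from dataclasses import dataclass

# Constructed sample log lines (NOT real PAN-OS output): timestamp, source IP,
# event, detail. Lines 2 and 4 model what the advisory tells defenders to look
# for: a management web interface login from an untrusted address and a
# request to /global-protect/login.esp from an address on the IoC list.
SAMPLE_LOGS = """\
2024-11-12T08:01:10Z,10.20.5.14,admin-login,user=netops result=success
2024-11-12T08:03:42Z,203.0.113.77,admin-login,user=admin result=success
2024-11-12T08:04:00Z,10.20.5.14,web-request,path=/php/login.php
2024-11-12T08:05:19Z,136.144.17.146,web-request,path=/global-protect/login.esp
2024-11-12T08:06:02Z,10.20.7.9,web-request,path=/global-protect/login.esp
"""

# Internal range from which management access is expected (assumed for the example).
TRUSTED_NETS = [ipaddress.ip_network("10.20.0.0/16")]
# Two addresses from the advisory's IoC list, with the defanging brackets removed.
IOC_IPS = {"136.144.17.146", "91.208.197.167"}
WATCH_PATH = "/global-protect/login.esp"

@dataclass
class Finding:
    timestamp: str
    src: str
    reason: str

def is_trusted(ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in TRUSTED_NETS)

def triage(log_text: str) -> list[Finding]:
    """Return one Finding per log line that matches a watch condition."""
    findings = []
    for line in log_text.splitlines():
        ts, src, event, detail = line.split(",", 3)
        if src in IOC_IPS:
            findings.append(Finding(ts, src, "source IP is in advisory IoC list"))
        elif event == "admin-login" and not is_trusted(src):
            findings.append(Finding(ts, src, "management login from untrusted address"))
        elif event == "web-request" and WATCH_PATH in detail and not is_trusted(src):
            findings.append(Finding(ts, src, f"request to {WATCH_PATH} from untrusted address"))
    return findings

if __name__ == "__main__":
    for f in triage(SAMPLE_LOGS):
        print(f"{f.timestamp} {f.src}: {f.reason}")
```

Point the script at exported system and traffic logs for the November 10–18, 2024 window and treat every finding as a lead for manual review, not as confirmed compromise.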


Leadership/Program recommendations:

Reports indicate that critical infrastructure, including medical facilities, is a primary target due to their high data value and low downtime tolerance.

Fortified recommends applying patches and updates where possible and only after adequate testing in a development environment to ensure stability and compliance with organizational change management policies.


References: