Description
A critical privilege escalation vulnerability has been identified in the web management interface of Palo Alto Networks PAN-OS software. This vulnerability allows a PAN-OS administrator with access to the management web interface to perform actions on the firewall with root privileges. Notably, the Cloud NGFW and Prisma Access products are not impacted by this vulnerability.
Affected Product(s)
- Palo Alto Networks PAN-OS 10.1.0 to 10.1.14, PAN-OS 10.2.0 to 10.2.12, PAN-OS 11.0.0 to 11.0.6, PAN-OS 11.1.0 to 11.1.5, PAN-OS 11.2.0 to 11.2.4
Technical Details
In Palo Alto Networks PAN-OS, a significant vulnerability (CVE-2024-9474) has been identified. This privilege escalation vulnerability exists in the management web interface and allows administrators to execute actions on the firewall with root privileges.
This issue has been classified under the CWE-78 “Improper Neutralization of Special Elements used in an OS Command (‘OS Command Injection’)” category, indicating that attackers could manipulate OS commands through the vulnerable web interface. PAN-OS software runs on Palo Alto Networks firewalls, which are critical for enterprise security infrastructure.
Multiple versions are affected: within each release train, every version before the fixed release (PAN-OS 10.1.14-h6, 10.2.12-h2, 11.0.6-h1, 11.1.5-h1, and 11.2.4-h1) is vulnerable. The vulnerable versions include PAN-OS 10.1, 10.2, 11.0, 11.1, and 11.2 on PA-Series, VM-Series, and CN-Series firewalls, and on Panorama (virtual and M-Series) and WildFire appliances.
This vulnerability is not present in Cloud NGFW and Prisma Access. The exploitation scenario leverages the vulnerability in the web management interface, enabling administrators to escalate their privileges to root. This can result in severe consequences, including unauthorized access and control over the firewalls. Moreover, threat actors may exploit this vulnerability in combination with other flaws, such as CVE-2024-0012, which enables authentication bypass.
Chained together, the two flaws lead to remote code execution (RCE): the authentication bypass supplies the administrator access that this issue then turns into arbitrary command execution as root. The underlying cause is improper input validation and sanitization in the PAN-OS administrative interface: specially crafted input reaches an OS command, and the injected commands run with root privileges.
Historically, Palo Alto Networks vulnerabilities have attracted significant interest from threat actors due to the critical nature of the firewalls they secure. Adversary groups have previously targeted similar vulnerabilities to gain unauthorized access and control over enterprise networks.
Fixes for this vulnerability have been released; they update the management interface code to improve input validation and command sanitization, so that inputs are properly neutralized and unauthorized command execution is blocked. To mitigate this issue, update to a fixed PAN-OS version.
System administrators should apply the available patches immediately to protect their systems from potential exploitation. In summary, the CVE-2024-9474 vulnerability in Palo Alto Networks PAN-OS is critical and can lead to severe security breaches if exploited. The availability of patches and mitigations highlights the importance of timely updates to safeguard against this threat.
Weakness
The weakness associated with this vulnerability is Improper Neutralization of Special Elements used in an OS Command (‘OS Command Injection’). This weakness occurs when the software does not correctly sanitize input, allowing an attacker to inject and execute arbitrary commands with elevated privileges.
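As an added illustration of this weakness class (not PAN-OS code; the affected code path is not shown on this page), the following Python contrast shows the CWE-78 pattern next to the remediation the fix description implies: allowlist validation of the input and passing it as a single argv element so no shell ever parses it. The "ping" action, the hostname pattern and the request values are all constructed for the example; the vulnerable string is only tokenised, never executed.

```python
import re
import shlex

# Constructed example (not PAN-OS code): a management-interface action that
# takes a hostname from the request and runs a system utility with it.
# Hypothetical allowlist pattern for a DNS hostname string.
HOSTNAME_RE = re.compile(r"^[A-Za-z0-9][A-Za-z0-9.-]{0,252}$")


def build_command_vulnerable(hostname: str) -> str:
    """CWE-78 pattern: request input is concatenated into a shell command line.

    Any shell separator inside `hostname` changes how many commands the shell
    would run. Shown for contrast only; this string is never executed here.
    """
    return "ping -c 1 " + hostname


def shell_command_count(command_line: str) -> int:
    """Count how many commands a POSIX shell would see in `command_line`.

    shlex with punctuation_chars=True returns the operators ; | & ( ) < > as
    separate tokens (runs such as && or || become one token), so the number of
    separator tokens plus one approximates the number of commands the shell
    would execute.
    """
    tokens = list(shlex.shlex(command_line, punctuation_chars=True))
    separators = sum(1 for t in tokens if t in (";", "|", "||", "&", "&&"))
    return separators + 1


def build_command_hardened(hostname: str) -> list[str]:
    """Remediated pattern: validate against an allowlist, then pass the value
    as one argv element so no shell interprets it.

    Returns the argv list that would be handed to subprocess.run(argv) with
    shell=False (the default). Independently of input handling, the helper
    should run as an unprivileged service account rather than root.
    """
    if not HOSTNAME_RE.fullmatch(hostname):
        raise ValueError(f"rejected hostname: {hostname!r}")
    return ["ping", "-c", "1", hostname]


def handle_request(hostname: str) -> dict:
    """Simulated handler: report what each pattern would do with the input."""
    result = {"input": hostname}
    result["vulnerable_command_count"] = shell_command_count(
        build_command_vulnerable(hostname)
    )
    try:
        result["hardened_argv"] = build_command_hardened(hostname)
    except ValueError as exc:
        result["hardened_argv"] = None
        result["rejected"] = str(exc)
    return result


if __name__ == "__main__":
    # Constructed inputs: a benign hostname and one carrying a shell separator.
    for value in ("example.com", "example.com; id"):
        print(handle_request(value))
```

The point of the contrast is that the hardened path never needs to know which characters are dangerous for a particular shell: it rejects anything outside the expected shape and hands the remaining value to the operating system as data, not as part of a command line.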
Impact Assessment
If exploited, this vulnerability could allow an attacker to gain unauthorized access to sensitive data or execute arbitrary code on the affected system. An attacker could execute commands with root privileges, compromising the integrity and security of the network infrastructure.
Active Exploitation
We have observed activity from adversary groups exploiting this vulnerability. Specifically, the adversary group LITTLELAMB.WOOLTEA has been seen deploying backdoor scripts on compromised Palo Alto Networks devices by exploiting CVE-2024-9474.
Ransomware Association
The vulnerability has been linked to ransomware attacks, specifically where adversaries use this privilege escalation flaw to gain initial access to systems and deploy ransomware payloads, leading to significant damage and ransom demands.
Mitigation and Resolution
We have released a patch that addresses this vulnerability. Please update to the following versions immediately:
- PAN-OS 10.1.14-h6
- PAN-OS 10.2.12-h2
- PAN-OS 11.0.6-h1
- PAN-OS 11.1.5-h1
- PAN-OS 11.2.4-h1
Additionally, ensure that management interfaces are not exposed to untrusted networks, including the internet.
Recommendations
- We strongly recommend that all customers apply the latest patch as soon as possible.
- Restrict access to the management web interface to trusted internal IP addresses only.
- Disable unnecessary services and ports to minimize the attack surface.
- Regularly review firewall logs and alerts for any suspicious activity.
- Implement strong, unique passwords for administrator accounts and enforce multi-factor authentication where possible.
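To make the access-restriction and log-review recommendations concrete, here is an added Python example (not a Palo Alto Networks tool) that checks management-interface activity against an allowlist of trusted management networks. The two trusted networks are assumptions, and the log records are constructed in a generic key=value form rather than the PAN-OS system-log format; swap in a parser for your own export format.

```python
import ipaddress
import re

# Hypothetical trusted management networks (assumption for this example).
TRUSTED_MGMT_NETWORKS = [
    ipaddress.ip_network("10.10.0.0/24"),
    ipaddress.ip_network("192.168.50.0/24"),
]

# Constructed sample records in a generic key=value form, NOT the PAN-OS
# system-log format. Documentation ranges (203.0.113.0/24, 198.51.100.0/24)
# stand in for untrusted sources.
SAMPLE_LOG = """\
2024-11-18T10:01:02Z src=10.10.0.15 user=admin action=login result=success
2024-11-18T10:03:44Z src=203.0.113.77 user=admin action=login result=success
2024-11-18T10:05:10Z src=192.168.50.9 user=ops action=login result=failure
2024-11-18T10:07:31Z src=198.51.100.23 user=admin action=login result=failure
2024-11-18T10:09:00Z src=203.0.113.77 user=admin action=config-commit result=success
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) src=(?P<src>\S+) user=(?P<user>\S+) "
    r"action=(?P<action>\S+) result=(?P<result>\S+)$"
)


def is_trusted_source(ip_text: str) -> bool:
    """True only if the source parses as an IP inside a trusted network."""
    try:
        ip = ipaddress.ip_address(ip_text)
    except ValueError:
        return False  # unparseable source field: treat as untrusted
    return any(ip in net for net in TRUSTED_MGMT_NETWORKS)


def parse_log(text: str):
    """Yield one dict per record; lines that do not match the format are skipped."""
    for line in text.splitlines():
        match = LINE_RE.match(line)
        if match:
            yield match.groupdict()


def untrusted_mgmt_activity(text: str) -> list[dict]:
    """Records whose source address lies outside the trusted management networks."""
    return [rec for rec in parse_log(text) if not is_trusted_source(rec["src"])]


def summarize(text: str) -> dict:
    """Counts and sources for untrusted management activity, for review or alerting."""
    findings = untrusted_mgmt_activity(text)
    successful = [f for f in findings if f["result"] == "success"]
    return {
        "untrusted_events": len(findings),
        "untrusted_successful": len(successful),
        "untrusted_sources": sorted({f["src"] for f in findings}),
    }


if __name__ == "__main__":
    for rec in untrusted_mgmt_activity(SAMPLE_LOG):
        print("untrusted management activity:", rec)
    print(summarize(SAMPLE_LOG))
```

A successful login or configuration change from outside the trusted networks is the case worth alerting on: with the management interface restricted as recommended, such a record should not exist at all, so its presence points either at a gap in the restriction or at activity to investigate.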