Number: AL24-011 Update 1
Updated: November 19, 2024
Date: November 15, 2024
Audience
This Alert is intended for IT professionals and managers.
Purpose
An Alert is used to raise awareness of a recently identified cyber threat that may impact cyber information assets, and to provide additional detection and mitigation advice to recipients. The Canadian Centre for Cyber Security ("Cyber Centre") is also available to provide additional assistance regarding the content of this Alert to recipients as requested.
Update 1
On November 18, 2024, Palo Alto Networks (PAN) updated advisory PAN-SA-2024-0015 to include more details about the affected products. PAN has also published CVE-2024-0012 PAN-OS to identify an authentication bypass in the Web Management InterfaceFootnote 1. In addition, the company published CVE-2024-9474 PAN-OS related to a privilege escalation (PE) vulnerability in the Web Management InterfaceFootnote 2.
The Cyber Centre has included the details of the affected products under Suggested Actions below.
CISA added CVE-2024-0012 and CVE-2024-9474 to their Known Exploited Vulnerabilities (KEV) Catalog on the same dateFootnote 4.
Details
On November 8, 2024, Palo Alto Networks (PAN) published an advisory (PAN-SA-2024-0015) regarding a claim of exploitation that the vendor was investigating. On November 14, 2024, PAN updated the advisory to confirm that malicious activity has been observed targeting a limited number of PAN firewall management interfaces that are exposed to the InternetFootnote 5.
The vendor confirms in the updated advisory that malicious actors have been observed exploiting an as-yet undisclosed unauthenticated remote command execution (RCE) vulnerability. It bears repeating that this is active exploitation by malicious actors.
The Cyber Centre notes that the vendor has also updated advisory PAN-SA-2024-0010 ("Multiple Vulnerabilities in Expedition Lead to Exposure of Firewall Credentials")Footnote 6Footnote 7. The PAN advisory explicitly states that multiple vulnerabilities in Palo Alto Networks Expedition led to exposure of firewall credentials.
Suggested actions
Update 1 November 19, 2024
The Cyber Centre strongly recommends that organizations patch affected devices to remediate these vulnerabilities. Consult the PAN “best practices” deployment guide to ensure secure configuration for PAN devices.Footnote 3
- Version: Cloud NGFW
- Affected: none
- Unaffected: all
- Version: PAN-OS 11.2
- Affected: < 11.2.4-h1
- Unaffected: >= 11.2.4-h1
- Version: PAN-OS 11.1
- Affected: < 11.1.5-h1
- Unaffected: >= 11.1.5-h1
- Version: PAN-OS 11.0
- Affected: < 11.0.6-h1
- Unaffected: >= 11.0.6-h1
- Version: PAN-OS 10.2
- Affected: < 10.2.12-h1
- Unaffected: >= 10.2.12-h1
- Version: PAN-OS 10.1
- Affected: none
- Unaffected: all
- Version: Cloud Prisma Access
- Affected: none
- Unaffected: all
End of update 1
It is imperative that organizations review the inventory of PAN devices and applications in their networks and verify whether these products require patching and/or further recommended mitigations.
Organizations can verify whether they have any firewall management interfaces exposed to the Internet by consulting the Palo Alto Customer Support Portal (Products > Assets > All Assets > Remediation Required)Footnote 8.
Devices and applications should then be configured according to the vendor's recommended best practicesFootnote 9.
Organizations should also review and implement the Cyber Centre's Top 10 IT Security ActionsFootnote 10 with an emphasis on the following topics:
- consolidating, monitoring, and defending Internet gateways
- patching operating systems and applications
- isolating Web-facing applications
If activity matching the content of this alert is discovered, recipients are encouraged to report via the My Cyber Portal, or email contact@cyber.gc.ca.