Palo Alto Networks has identified a critical authentication bypass vulnerability (CVE-2024-0012) affecting its PAN-OS software. This flaw allows unauthenticated attackers with network access to the management web interface to gain administrator privileges. With that access, attackers can perform administrative actions and manipulate configurations.
This vulnerability specifically affects PAN-OS versions before 10.2, 11.0, 11.1, and 11.2. However, services like Cloud NGFW and Prisma Access are not impacted.
Administrators can check for affected devices by visiting the Assets section of the Palo Alto Networks Customer Support Portal. Devices with an exposed management interface will be tagged with PAN-SA-2024-0015.
Affected Versions & Mitigations
PAN-OS 11.2 versions < 11.2.4-h1 -> upgrade to >= 11.2.4-h1
PAN-OS 11.1 versions < 11.1.5-h1 -> upgrade to >= 11.1.5-h1
PAN-OS 11.0 versions < 11.0.6-h1 -> upgrade to >= 11.0.6-h1
PAN-OS 10.2 versions < 10.2.12-h2 -> upgrade to >= 10.2.12-h2
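To triage a firewall inventory against the table above, the following Python is an added example (not code from Palo Alto Networks or from the original article). It assumes version strings of the form X.Y.Z or X.Y.Z-hN, uses only the thresholds listed above, and the hostnames and versions in the inventory are constructed sample values.

```python
import re

# Minimum fixed release per PAN-OS train, taken from the table above.
FIXED = {
    (11, 2): "11.2.4-h1",
    (11, 1): "11.1.5-h1",
    (11, 0): "11.0.6-h1",
    (10, 2): "10.2.12-h2",
}

VERSION_RE = re.compile(r"(\d+)\.(\d+)\.(\d+)(?:-h(\d+))?")


def parse_version(text):
    """Parse 'X.Y.Z' or 'X.Y.Z-hN' into a tuple that compares numerically."""
    match = VERSION_RE.fullmatch(text.strip())
    if match is None:
        raise ValueError(f"unrecognised PAN-OS version: {text!r}")
    major, minor, patch, hotfix = match.groups()
    # A release without a hotfix suffix sorts before any -hN of the same patch,
    # and -h10 sorts after -h2 (a plain string comparison gets this wrong).
    return (int(major), int(minor), int(patch), int(hotfix or 0))


def triage(version):
    """Return (status, minimum_fixed_version) for one reported version."""
    parsed = parse_version(version)
    fixed = FIXED.get(parsed[:2])
    if fixed is None:
        return ("not-listed", None)  # train does not appear in the table above
    if parsed < parse_version(fixed):
        return ("upgrade", fixed)
    return ("fixed", fixed)


# Constructed inventory: hostnames and versions are sample values.
INVENTORY = {
    "fw-edge-01": "10.2.12-h1",
    "fw-edge-02": "10.2.12-h10",
    "fw-dc-01": "11.1.5",
    "fw-dc-02": "11.2.4-h1",
    "fw-lab-01": "10.1.14",
}

if __name__ == "__main__":
    for host, version in sorted(INVENTORY.items()):
        status, fixed = triage(version)
        print(f"{host:12} {version:12} {status:10} {fixed or '-'}")
```

A "not-listed" result means only that the release train is absent from the table above, so those devices need to be checked against the vendor advisory directly.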
For organizations unable to immediately update, the following measures are recommended:
- Ensure the management interface is restricted to trusted internal IP addresses.
- Utilize Threat Prevention subscriptions to block attacks associated with this vulnerability.
- Route management traffic through data plane interfaces for enhanced security.
- Implement monitoring to detect any suspicious activity or configuration changes.
Palo Alto recently published a list of IOCs that are being used in Threat Hunts for our customers. For further reference, Palo Alto’s advisory can be found here