Attack

Palo Alto reports two actively exploited flaws in PAN-OS

Take action: You know the drill - if you are running Palo Alto firewalls (or any Palo Alto product, really), make double sure that the management interface is reachable only from trusted internal IP addresses and that all internet access to it is blocked. Then start patching. NOW.


Learn More

Two critical vulnerabilities have been discovered in Palo Alto Networks' PAN-OS software, with confirmed active exploitation in the wild. The vulnerabilities are part of a chained attack scenario that could lead to complete system compromise.

Vulnerability details

  • CVE-2024-0012 (CVSS score 9.3), also tracked as PAN-SA-2024-0015 - Authentication bypass; enables unauthenticated attackers to gain administrator privileges.
  • CVE-2024-9474 (CVSS score 6.9) - Privilege escalation; allows an authenticated administrator to perform actions with root privileges.

Affected Products:

  • PAN-OS versions 10.2, 11.0, 11.1, and 11.2 are vulnerable
  • Cloud NGFW and Prisma Access are not affected

The exploitation campaign, dubbed "Operation Lunar Peek," has already been observed in the wild, with attackers executing commands interactively and deploying malware, including webshells, on compromised firewalls. Currently, approximately 8,726 IP addresses remain exposed to these vulnerabilities, down from about 11,000 initially identified instances. Threat actors have been utilizing IP addresses linked to anonymous VPN services, including 91.208.197[.]167 and 136.144.17[.]146, with a specific PHP webshell identified by the SHA256 hash: 3C5F9034C86CB1952AA5BB07B4F77CE7D8BB5CC9FE5C029A32C72ADC7E814668.

Palo Alto Networks has released patches and mitigation strategies to address these vulnerabilities. Organizations are strongly advised to

  • apply available patches immediately,
  • restrict management interface access to trusted internal IP addresses,
  • implement network segmentation,
  • monitor for suspicious activities using provided IOCs.
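As an added example of the last two recommendations (not code from Palo Alto Networks or from the original post), the script below checks a set of management-plane log lines against the two IoC addresses and the webshell SHA-256 quoted above, and separately flags any management-interface access that did not originate from a trusted internal range. The log format, the trusted ranges (10.0.0.0/8 and 192.168.0.0/16) and the sample lines are constructed for the demonstration; the defanged "[.]" in the advisory's addresses is restored and the hash is compared in lowercase hex.

```python
"""Triage helper for the PAN-OS advisory: match log lines against the
published IoCs and flag management access from untrusted sources.
Added example, not Palo Alto Networks code; log format is constructed."""
import hashlib
import ipaddress
import re

# IoCs quoted from the advisory text (defanged "[.]" restored to ".").
IOC_IPS = {"91.208.197.167", "136.144.17.146"}
WEBSHELL_SHA256 = "3c5f9034c86cb1952aa5bb07b4f77ce7d8bb5cc9fe5c029a32c72adc7e814668"

# Assumption: management access is legitimate only from these RFC 1918 ranges.
# Replace with the networks your own change records actually authorise.
TRUSTED_MGMT_NETS = [
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("192.168.0.0/16"),
]

# Constructed log format (not PAN-OS syslog): one key=value record per line.
LOG_RE = re.compile(r"src=(?P<src>\S+)\s+dst=(?P<dst>\S+)\s+svc=(?P<svc>\S+)")

# Constructed sample lines for demonstration only.
SAMPLE_LOG = """\
2024-11-19T10:01:02Z src=10.1.2.3 dst=10.0.0.1 svc=mgmt-https action=allow
2024-11-19T10:05:44Z src=91.208.197.167 dst=203.0.113.5 svc=mgmt-https action=allow
2024-11-19T10:06:10Z src=198.51.100.7 dst=203.0.113.5 svc=mgmt-https action=allow
2024-11-19T10:07:00Z src=192.168.4.9 dst=203.0.113.9 svc=https action=allow
"""


def is_trusted(ip_text: str) -> bool:
    """True if ip_text parses as an address inside a trusted management range."""
    try:
        addr = ipaddress.ip_address(ip_text)
    except ValueError:
        return False  # malformed field: treat as untrusted, never as trusted
    return any(addr in net for net in TRUSTED_MGMT_NETS)


def scan_log_lines(lines):
    """Return (line_no, reason) for each line that deserves an analyst's eyes.

    Two checks: the source is a published IoC address (a hit regardless of
    service), or the service is the management plane and the source is not
    in a trusted range (the exposure the advisory says to eliminate)."""
    findings = []
    for n, line in enumerate(lines, 1):
        m = LOG_RE.search(line)
        if not m:
            continue  # unparsable line; real tooling should count these too
        src, svc = m.group("src"), m.group("svc")
        if src in IOC_IPS:
            findings.append((n, f"source {src} is a published IoC"))
        elif svc.startswith("mgmt") and not is_trusted(src):
            findings.append((n, f"management access from untrusted source {src}"))
    return findings


def is_known_webshell(data: bytes) -> bool:
    """Compare a file's SHA-256 with the published webshell hash."""
    return hashlib.sha256(data).hexdigest() == WEBSHELL_SHA256


if __name__ == "__main__":
    for line_no, reason in scan_log_lines(SAMPLE_LOG.splitlines()):
        print(f"line {line_no}: {reason}")
    print("webshell match:", is_known_webshell(b"<?php echo 'harmless sample'; ?>"))
```

On the constructed sample, line 2 is flagged because its source is a listed IoC, line 3 because a management session came from outside the trusted ranges, and lines 1 and 4 pass (trusted source, and non-management service respectively). The hash check is deliberately a function over bytes so it can be run across any files exported from a firewall's web root without depending on a specific file layout.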

Update - As of 20 November 2024, the Shadowserver Foundation tracks ~2000 compromised instances, mostly in the USA and India.
