Right this moment, cybersecurity firm Palo Alto Networks warned prospects to limit entry to their next-generation firewalls due to a possible distant code execution vulnerability within the PAN-OS administration interface.
In a security advisory revealed on Friday, the corporate stated it would not but have extra data relating to this alleged security flaw and added that it has but to detect indicators of lively exploitation.
“Palo Alto Networks is conscious of a declare of a distant code execution vulnerability by way of the PAN-OS administration interface. Right now, we have no idea the specifics of the claimed vulnerability. We’re actively monitoring for indicators of any exploitation,” it stated.
“We strongly suggest prospects to make sure entry to your administration interface is configured appropriately in accordance with our really useful finest apply deployment pointers.
“Cortex Xpanse and Cortex XSIAM prospects with the ASM module can examine web uncovered situations by reviewing alerts generated by the Palo Alto Networks Firewall Admin Login assault floor rule.”
The corporate suggested prospects to dam entry from the Web to their firewalls’ PAN-OS administration interface and solely enable connections from trusted inside IP addresses.
In accordance with a separate assist doc on Palo Alto Networks’ group web site, admins may take a number of of the next measures to scale back the administration interface’s publicity:
- Isolate the administration interface on a devoted administration VLAN.
- Use leap servers to entry the mgt IP. Customers authenticate and connect with the leap server earlier than logging in to the firewall/Panorama.
- Restrict inbound IP addresses to your mgt interface to accepted administration gadgets. This may scale back the assault floor by stopping entry from surprising IP addresses and prevents entry utilizing stolen credentials.
- Solely allow secured communication similar to SSH, HTTPS.
- Solely enable PING for testing connectivity to the interface.
Essential lacking authentication flaw exploited in assaults
On Thursday, CISA additionally warned of ongoing assaults exploiting a vital lacking authentication vulnerability in Palo Alto Networks Expedition tracked as CVE-2024-5910. This security flaw was patched in July and risk actors can remotely exploit it to reset software admin credentials on Web-exposed Expedition servers.
Whereas CISA did not present extra particulars on these assaults, Horizon3.ai vulnerability researcher Zach Hanley launched a proof-of-concept exploit final month that chains it with a command injection vulnerability (tracked as CVE-2024-9464) to realize “unauthenticated” arbitrary command execution on weak Expedition servers.
CVE-2024-9464 can be chained with different security flaws—addressed by Palo Alto Networks in October—to take over admin accounts and hijack PAN-OS firewalls.
The U.S. cybersecurity company additionally added the CVE-2024-5910 vulnerability to its Identified Exploited Vulnerabilities Catalog, ordering federal companies to safe their techniques in opposition to assaults inside three weeks, by November 28.
“Some of these vulnerabilities are frequent assault vectors for malicious cyber actors and pose vital dangers to the federal enterprise,” warned CISA.
