Palo Alto Networks has issued fixes for 2 actively exploited vulnerabilities that affect its firewalls and digital security home equipment. When mixed, the issues enable attackers to execute malicious code with the very best potential privileges on the underlying PAN-OS working system, taking full management of the units.
Palo Alto issued an advisory earlier this month warning clients it was investigating experiences of a possible distant code execution (RCE) vulnerability within the PAN-OS web-based administration interface and suggested them to comply with the really helpful steps to safe entry to that interface.
In its investigation, the corporate discovered that the RCE assault was the results of not one, however two vulnerabilities, each of which have been exploited in restricted assaults already towards units which have their administration interface uncovered to the web.
Authentication bypass and privilege escalation
The primary vulnerability (CVE-2024-0012) is rated vital with a rating of 9.3 out of 10. By exploiting this challenge, attackers can bypass authentication and acquire administrative privileges on the administration interface, enabling them to execute admin actions and alter configurations.
Whereas that is dangerous sufficient, it doesn’t straight result in a full system compromise until this performance could be leveraged to execute malicious code on the underlying working system.
It seems that attackers discovered such a manner through a second vulnerability (CVE-2024-9474), which allows anybody with administrative privileges on the internet interface to execute code on the Linux-based OS as root — the very best potential privilege.
Each vulnerabilities have an effect on PAN-OS 10.2, PAN-OS 11.0, PAN-OS 11.1, and PAN-OS 11.2, all of which have now obtained patches.
The issues have been trivial
Researchers from security agency watchTowr reverse-engineered Palo Alto’s patches to research each vulnerabilities and concluded that the issues have been the results of primary errors within the growth course of.
To confirm whether or not authentication is required for a person to entry a web page, the PAN OS administration interface checks whether or not the request’s X-Pan-Authcheck header is about to on or off. The Nginx proxy server that forwards requests to the Apache server that hosts the online utility routinely units X-Pan-Authcheck to on primarily based on the route of the request. In some situations, X-Pan-Authcheck is about to off as a result of the placement — for instance, the /unauth/ listing — is meant to be accessible with out authentication, however nearly the whole lot apart from /unauth/ ought to have the header set to on, which ought to consequence within the person being redirected to a login web page.
Nonetheless, watchTowr researchers discovered {that a} redirect script known as uiEnvSetup.php expects the HTTP_X_PAN_AUTHCHECK worth to be set to off, and if that is offered within the request, the server will simply settle for it.
“We merely… provide the off worth to the X-PAN-AUTHCHECK HTTP request header, and the server helpfully turns off authentication?!,” the researchers wrote of their report. “At this level, why is anybody stunned?”
The second bug can be trivial, being a command injection flaw that permits shell instructions to be handed as a username to a perform known as AuditLog.write(), which then passes the injected command to pexecute(). However the passing of the payload to this logging perform is definitely the results of a distinct performance that’s itself fairly scary, in accordance with the researchers.
The performance permits Palo Alto Panorama units to specify a person and person function that they want to impersonate, after which get hold of a completely authenticated PHP session ID for it with out having to produce a password or move two-factor authentication.
All collectively then, resulting from this software program design, the attacker can move a shell payload as a part of the username discipline to impersonate a selected person and function, which can then be handed to AuditLog.write() after which to pexecute(), leading to its execution on the underlying OS.
“It’s superb that these two bugs received right into a manufacturing equipment, amazingly allowed through the hacked-together mass of shell script invocations that lurk beneath the hood of a Palo Alto equipment,” they wrote of their evaluation.
Mitigation
Along with updating impacted firewalls to the newly launched variations, directors ought to prohibit entry to the administration interface to solely trusted inner IP addresses. The administration interface may also be remoted on a devoted administration VLAN or could be configured to be accessed by means of so-called soar servers that require separate authentication first.
Leaving PAN-OS administration interfaces uncovered to the web is very dangerous as this isn’t the primary, nor seemingly the final, RCE vulnerability to be present in such units. Earlier this 12 months, Palo Alto Networks patched a zero-day RCE flaw (CVE-2024-3400) in PAN-OS that was exploited by a nation-state risk actor.
Palo Alto Networks’ risk looking group is monitoring the exploitation exercise of CVE-2024-0012 and CVE-2024-9474 beneath the identify Operation Lunar Peak and has revealed indicators of compromise associated to it.
“This exercise has primarily originated from IP addresses identified to proxy/tunnel visitors for nameless VPN companies,” the group stated. “Noticed post-exploitation exercise contains interactive command execution and dropping malware, comparable to webshells, on the firewall.”
