WARNING: CRITICAL AUTHENTICATION BYPASS VULNERABILITY PATCHED BY PALO ALTO, PATCH IMMEDIATELY!

Published : 19/11/2024

Reference:
Advisory #2024-269

Version:
1.1

Affected software:
Palo Alto PAN-OS

Type:
Authentication Bypass vulnerability

CVE/CVSS:
CVE-2024-0012: CVSS 9.8 (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
CVE-2024-9474: CVSS 7.2 (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H)

Risks

A critical authentication bypass vulnerability has been identified in Palo Alto Networks PAN-OS software, allowing an unauthenticated attacker with network access to the management web interface to gain administrator privileges. These privileges could enable the attacker to perform administrative actions, alter configurations, or exploit other privilege escalation vulnerabilities such as CVE-2024-9474.

This vulnerability has been assigned a CVSSv3 score of 9.8. The vulnerability can be chained with other recently published vulnerabilities to increase its impact.

Palo Alto Networks has observed threat actors exploiting this vulnerability in a number of cases where the management web interface is exposed to external internet traffic. Furthermore, CISA has added this vulnerability to its Known Exploited Vulnerabilities (KEV) list, emphasizing the importance of immediate remediation.

Update 2024-12-30:

Northwave published a report about a Chinese state-sponsored nexus that has been observed exploiting CVE-2024-9474 to deploy LITTLELAMB.WOOLTEA, a backdoor used to maintain access to enterprise networks in cyber-espionage campaigns. See the original report from Northwave Cyber Security, linked in the references below.


Description

CVE-2024-0012 is applicable to PAN-OS 10.2, PAN-OS 11.0, PAN-OS 11.1, and PAN-OS 11.2 software.

The risk of this issue is greatly reduced if access to the management web interface is restricted to trusted internal IP addresses only.

CVE-2024-9474 is a privilege escalation vulnerability in the PAN-OS Web Management Interface. It enables a PAN-OS administrator with access to the management web interface to execute actions on the firewall with root privileges. While this vulnerability requires administrator access, such access can potentially be gained by exploiting CVE-2024-0012.

Palo Alto also recently fixed other vulnerabilities. Noteworthy firewall Denial of Service (DoS) vulnerabilities include:

  • CVE-2024-2550
  • CVE-2024-2551
  • CVE-2024-9472

Vendor advisory: https://unit42.paloaltonetworks.com/cve-2024-0012-cve-2024-9474/

Recommended Actions

Patch

The Centre for Cybersecurity Belgium strongly recommends installing updates for vulnerable devices with the highest priority, after thorough testing.
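The two mitigations above, patching affected release families and restricting the management web interface to trusted internal addresses, can be combined into a simple patch-priority triage over a device inventory. The script below is an added example, not CCB or Palo Alto tooling; it assumes an inventory of dicts (hostname, PAN-OS version string, management allow-list in CIDR form), and its fixed-version thresholds are placeholders to be filled in from the vendor advisory.

```python
"""Triage a PAN-OS inventory for CVE-2024-0012 / CVE-2024-9474 patch priority.

Constructed example. Inventory format and FIXED_VERSIONS are assumptions;
take the actual first-fixed releases from the vendor advisory.
"""
import ipaddress
import re

# Release families the advisory lists as affected by CVE-2024-0012.
AFFECTED_FAMILIES = {"10.2", "11.0", "11.1", "11.2"}
# PLACEHOLDER: first fixed release per family from the vendor advisory.
# None means "no threshold known", so every device in the family is flagged.
FIXED_VERSIONS = {fam: None for fam in AFFECTED_FAMILIES}
# "Trusted internal" is taken here to mean RFC 1918 space (an assumption).
TRUSTED_INTERNAL = [ipaddress.ip_network(n) for n in
                    ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:-h(\d+))?$")

def parse_version(text):
    """'11.1.4-h7' -> (11, 1, 4, 7); a base release gets hotfix 0."""
    m = VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised PAN-OS version: {text!r}")
    major, minor, maint, hotfix = m.groups()
    return (int(major), int(minor), int(maint), int(hotfix or 0))

def is_vulnerable_version(text):
    """Affected family and (if a threshold is known) older than the fix."""
    v = parse_version(text)
    family = f"{v[0]}.{v[1]}"
    if family not in AFFECTED_FAMILIES:
        return False
    fixed = FIXED_VERSIONS.get(family)
    return fixed is None or v < parse_version(fixed)

def permitted_ips_are_internal(permitted):
    """True only if the allow-list is non-empty and every entry sits inside
    a trusted internal range. An empty allow-list means reachable from anywhere."""
    nets = [ipaddress.ip_network(p, strict=False) for p in permitted]
    return bool(nets) and all(
        any(n.version == t.version and n.subnet_of(t) for t in TRUSTED_INTERNAL)
        for n in nets)

def triage(inventory):
    """Return (host, priority) pairs, most urgent first."""
    order = {"P1-patch-now": 0, "P2-patch-soon": 1, "P3-verify": 2}
    out = []
    for dev in inventory:
        vuln = is_vulnerable_version(dev["version"])
        shielded = permitted_ips_are_internal(dev["permitted_ip"])
        prio = "P1-patch-now" if vuln and not shielded else \
               "P2-patch-soon" if vuln else "P3-verify"
        out.append((dev["host"], prio))
    return sorted(out, key=lambda t: order[t[1]])

INVENTORY = [  # constructed sample data
    {"host": "fw-edge-01", "version": "11.1.4-h7", "permitted_ip": []},
    {"host": "fw-dc-02", "version": "10.2.10", "permitted_ip": ["10.20.0.0/16"]},
    {"host": "fw-lab-03", "version": "11.2.4", "permitted_ip": ["203.0.113.0/24"]},
    {"host": "fw-old-04", "version": "10.1.9", "permitted_ip": []},
]
```

Devices that are both in an affected family and reachable from outside internal ranges land in P1; devices not in an affected family are still listed for verification against the vendor advisory.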

Monitor/Detect

The CCB recommends organizations upscale monitoring and detection capabilities to identify any related suspicious activity, ensuring a swift response in case of an intrusion.

In case of an intrusion, you can report an incident via: https://ccb.belgium.be/cert/report-incident.

While patching appliances or software to the newest version protects against future exploitation, it does not remediate a compromise that may already have occurred before the patch was applied.

References

Palo Alto: https://unit42.paloaltonetworks.com/cve-2024-0012-cve-2024-9474

Tenable: https://www.tenable.com/cve/CVE-2024-0012

Northwave Cyber Security: https://northwave-cybersecurity.com/hubfs/LITTLELAMB WOOLTEA technical writeup Schrijver and Oudenaarden.pdf