WARNING: AUTHENTICATION BYPASS VULNERABILITY IN PAN-OS SOFTWARE, PATCH IMMEDIATELY!

Published: 14/02/2025

Reference:
Advisory #2025-36

Version:
3.0

Affected software:
Palo Alto Networks PAN-OS software:
PAN-OS 10.1: 10.1.14-h9
PAN-OS 10.2: 10.2.13-h3
PAN-OS 11.1: 11.1.6-h1
PAN-OS 11.2: 11.2.4-h4

Type:
Missing Authentication for Critical Function (CWE-306), authentication bypass, file read, and privilege escalation

CVE/CVSS:
CVE-2025-0108: CVSS-B: 8.8 (CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:L/VA:N/SC:N/SI:N/SA:N/AU:N/R:U/V:C/RE:M/U:Amber)

Update 2025-02-20:
CVE-2025-0111: CVSS-B: 7.1 (CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/AU:N/R:U/V:C/RE:M/U:Red)
CVE-2024-9474: CVSS-B: 6.9 (CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N/AU:N/R:U/V:C/RE:H/U:Red), previously reported in advisory #2024-269

Update 2025-02-21:
CVE-2025-0110: CVSS-B: 8.6 (CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/AU:N/R:U/V:C/RE:M/U:Amber)

Sources

Official Vendor: https://security.paloaltonetworks.com/CVE-2025-0108

Update 2025-02-20

Risks

Palo Alto Networks released a patch for an authentication bypass vulnerability in the management web interface of their PAN-OS software, which powers their next-generation firewalls. An unauthenticated attacker with network access to the management web interface can bypass authentication and invoke specific PHP scripts.

Update 2025-02-20

Initially it was thought that invoking these PHP scripts does not enable an attacker to perform remote code execution. However, recent updates to the vendor advisory explain that the vulnerability is being chained with CVE-2024-9474 and CVE-2025-0111 to execute administrator actions on the firewall. Furthermore, proofs of concept have been published for CVE-2024-9474, making the vulnerability easier to exploit.

Update 2025-02-21

A proof of concept was published for the exploitation of CVE-2025-0110. This CVE is a vulnerability in the OpenConfig plugin. Exploitation requires device administrator access; however, that access can be obtained by chaining with the other vulnerabilities described in this advisory.

Patching the vulnerabilities is highly recommended given the active exploitation and the severe impact those vulnerabilities can have on an organisation’s network. Note that the risk is higher if your management interface is exposed on the internet.

Description

CVE-2025-0108 Authentication Bypass CVSS-B 8.8

Due to a missing authentication for a critical function in the PAN-OS software, CWE-306, an unauthenticated attacker with access to the management web interface can bypass the required authentication. Palo Alto did not release technical details about this vulnerability.

Update 2025-02-20

CVE-2025-0111, CVSS-B 7.1

An authenticated attacker with access to the management web interface can read files on the PAN-OS filesystem that are readable by the “nobody” user.

CVE-2024-9474, CVSS-B 6.9

This previously reported vulnerability (see Advisory #2024-269) allows privilege escalation in the PAN-OS management interface, enabling an attacker to execute actions on the firewall with root privileges.

To exploit these vulnerabilities, an attacker needs access to the PAN-OS device's management interface. That interface should never be internet-facing, which reduces the attack surface considerably.

Update 2025-02-21

CVE-2025-0110 CVSS-B 8.6

A vulnerability in PAN-OS OpenConfig allows an authenticated user to run arbitrary bash commands on the underlying OS via gnmi.Subscribe. The commands are run as device administrator.

Recommended Actions

Patch

The Centre for Cybersecurity Belgium strongly recommends installing updates for vulnerable devices with the highest priority after thorough testing.

  • PAN-OS 10.1: Upgrade to 10.1.14-h9 or later
  • PAN-OS 10.2: Upgrade to 10.2.13-h3 or later
  • PAN-OS 11.0 (End-of-Life): Upgrade to a supported fixed version
  • PAN-OS 11.1: Upgrade to 11.1.6-h1 or later
  • PAN-OS 11.2: Upgrade to 11.2.4-h4 or later
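As an added illustration (not code from the CCB or Palo Alto Networks), the following script shows how to triage a firewall inventory against the fixed versions listed above. It assumes PAN-OS version strings of the form major.minor.maintenance with an optional -hN hotfix suffix, and a constructed inventory of hostnames mapped to versions; any train not listed in the advisory is flagged for manual review rather than treated as safe.

```python
import re
from typing import Dict, Tuple

# Minimum fixed releases per PAN-OS train, as listed in the advisory above.
FIXED_VERSIONS = {
    "10.1": "10.1.14-h9",
    "10.2": "10.2.13-h3",
    "11.1": "11.1.6-h1",
    "11.2": "11.2.4-h4",
}
# Train named End-of-Life in the advisory: no fix is expected, so it must be migrated.
END_OF_LIFE_TRAINS = {"11.0"}

# Assumed version format: major.minor.maintenance[-hN]
_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:-h(\d+))?$")


def parse_panos_version(version: str) -> Tuple[int, int, int, int]:
    """Parse 'major.minor.maint[-hN]' into a comparable tuple; hotfix defaults to 0."""
    m = _VERSION_RE.match(version.strip())
    if not m:
        raise ValueError(f"unrecognised PAN-OS version string: {version!r}")
    major, minor, maint, hotfix = m.groups()
    return int(major), int(minor), int(maint), int(hotfix or 0)


def assess_panos_version(version: str) -> str:
    """Classify a device version as patched, vulnerable, end-of-life or unknown-train."""
    parsed = parse_panos_version(version)
    train = f"{parsed[0]}.{parsed[1]}"
    if train in END_OF_LIFE_TRAINS:
        return "end-of-life"
    fixed = FIXED_VERSIONS.get(train)
    if fixed is None:
        # Not covered by this advisory: do not assume safe, review manually.
        return "unknown-train"
    # Tuple comparison implements "fixed version or later" (hotfix-aware).
    return "patched" if parsed >= parse_panos_version(fixed) else "vulnerable"


def triage_inventory(inventory: Dict[str, str]) -> Dict[str, str]:
    """Map each hostname to its assessment so vulnerable devices can be prioritised."""
    return {host: assess_panos_version(ver) for host, ver in inventory.items()}


# Constructed sample inventory (hypothetical hostnames and versions, not real devices).
SAMPLE_INVENTORY = {
    "fw-edge-01": "10.2.13-h2",   # one hotfix short of the fix
    "fw-edge-02": "10.2.13-h3",   # exactly the fixed release
    "fw-dc-01": "11.0.4-h2",      # End-of-Life train
    "fw-lab-01": "11.1.7",        # later maintenance release than the fix
}

if __name__ == "__main__":
    for host, status in triage_inventory(SAMPLE_INVENTORY).items():
        print(f"{host}: {status}")
```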

Limit Exposure

The CCB recommends removing access from the internet to the PAN-OS management interface to significantly reduce the chances of exploitation for the mentioned vulnerabilities and any future ones.

Monitor/Detect

The CCB recommends that organisations scale up their monitoring and detection capabilities to identify any related suspicious activity, ensuring a swift response in case of an intrusion.

In case of an intrusion, you can report an incident via https://ccb.belgium.be/cert/report-incident.

While patching appliances or software to the newest version may provide safety from future exploitation, it does not remediate historic compromise.

References

Greynoise - https://www.greynoise.io/blog/greynoise-observes-active-exploitation-of-pan-os-authentication-bypass-vulnerability-cve-2025-0108

NIST NVD:

Cybersecuritynews - https://cybersecuritynews.com/google-released-poc-exploit-for-palo-alto-firewall/