BIGFISH TECHNOLOGY LIMITED
19 November 2024

Palo Alto Networks fixes two firewall zero-day vulnerabilities used in attacks.

Palo Alto Networks has finally published security updates to address two actively exploited zero-day vulnerabilities in its Next-Generation Firewalls.

The first flaw, tracked as CVE-2024-0012, is an authentication bypass in the PAN-OS management web interface that remote attackers can exploit to gain administrator privileges without authentication or user interaction.

The second vulnerability (CVE-2024-9474) is a PAN-OS privilege escalation bug that allows malicious PAN-OS administrators to perform actions on the firewall with root privileges.

While CVE-2024-9474 was disclosed today, the company first advised customers on November 8 to restrict access to their next-generation firewalls because of a suspected RCE flaw, which was assigned CVE-2024-0012 last Friday.

"Palo Alto Networks observed threat activity that exploits this vulnerability against a limited number of management web interfaces that are exposed to internet traffic coming from outside the network," the company stated today on the two zero-days.

"Palo Alto Networks has actively monitored and worked with customers to identify and further minimize the very small number of PAN-OS devices with management web interfaces exposed to the Internet or other untrusted networks," it stated in a separate report that included indicators of compromise for ongoing attacks targeting the flaws.
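The recurring defensive point in this story is that a management web interface must not be reachable from the Internet or other untrusted networks. The following is an added example, not code from the article or from Palo Alto Networks: it audits a constructed inventory of firewalls, each with the source ranges permitted to reach its management interface, and flags any range that extends beyond private address space. The inventory format is hypothetical (it is not PAN-OS's own configuration format), the trusted ranges are assumed to be RFC 1918 and IPv6 ULA, an empty permitted list is assumed to mean unrestricted access, and an unparsable entry is flagged rather than ignored so the check fails closed.

```python
import ipaddress

# Assumed set of "trusted" source ranges for management access:
# RFC 1918 private IPv4 space plus IPv6 unique local addresses.
TRUSTED_RANGES = [
    ipaddress.ip_network(n)
    for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "fc00::/7")
]

# Constructed sample inventory (hypothetical format): host -> permitted source ranges.
SAMPLE_ACLS = {
    "fw-branch-01": ["10.0.0.0/8", "192.168.50.0/24"],  # internal only
    "fw-dmz-02": ["0.0.0.0/0"],                          # any source: exposed
    "fw-hq-03": ["203.0.113.0/24"],                      # public range (TEST-NET-3)
    "fw-lab-04": ["fd00::/8", "10.20.0.0/16"],           # ULA + internal: fine
    "fw-old-05": [],                                     # no restriction configured
}

UNRESTRICTED_MARKER = "<unrestricted>"


def is_trusted(net):
    """True if `net` lies entirely inside one of the assumed trusted ranges.

    subnet_of() is used instead of is_private because is_private has treated
    0.0.0.0/0 inconsistently across Python versions; a containment check is
    unambiguous. Version mismatch (v4 vs v6) is simply a non-match.
    """
    return any(net.version == t.version and net.subnet_of(t) for t in TRUSTED_RANGES)


def untrusted_sources(permitted):
    """Return the entries in `permitted` that allow access from outside trusted space."""
    if not permitted:
        # Assumption: an empty list means the interface accepts any source.
        return [UNRESTRICTED_MARKER]
    flagged = []
    for entry in permitted:
        try:
            net = ipaddress.ip_network(entry, strict=False)  # single IPs become /32 or /128
        except ValueError:
            flagged.append(entry)  # fail closed: an entry we cannot parse is reported
            continue
        if not is_trusted(net):
            flagged.append(entry)
    return flagged


def exposed_interfaces(acls):
    """Map each firewall with an over-permissive management ACL to its offending entries."""
    report = {}
    for host, permitted in acls.items():
        bad = untrusted_sources(permitted)
        if bad:
            report[host] = bad
    return report


if __name__ == "__main__":
    for host, bad in exposed_interfaces(SAMPLE_ACLS).items():
        print(f"{host}: management interface reachable from {', '.join(bad)}")
```

Run against the sample, the check reports fw-dmz-02, fw-hq-03 and fw-old-05 and stays silent on the two firewalls whose permitted sources are entirely internal. Feeding it an export of your real permitted-IP lists gives a quick first pass at the "very small number" of exposed interfaces the vendor refers to, before any external view such as Shodan or Shadowserver confirms it.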

While the company says that these zero-days affect only a "very small number" of firewalls, threat monitoring platform Shadowserver stated on Friday that it has identified over 8,700 vulnerable PAN-OS administrative interfaces.

Yutaka Sejiyama, a Macnica threat researcher, also told BleepingComputer that he found over 11,000 IP addresses running Palo Alto PAN-OS management interfaces exposed online using Shodan. According to Shodan, the United States has the most vulnerable devices, followed by India, Mexico, Thailand, and Indonesia.

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) added CVE-2024-0012 and CVE-2024-9474 to its Known Exploited Vulnerabilities Catalog and directed federal agencies to patch their systems within three weeks, by December 9.

CISA also warned in early November of ongoing attacks exploiting a critical missing-authentication vulnerability (CVE-2024-5910) in the Palo Alto Networks Expedition firewall configuration migration tool. The flaw was patched in July and can be remotely exploited by threat actors to reset application admin credentials on Internet-connected Expedition servers.

"These types of vulnerabilities are frequent attack vectors for malicious cyber actors and pose significant risks to the federal enterprise," CISA cautions.

Source: Bleeping Computer