Palo Alto Networks has issued fixes for two actively exploited vulnerabilities that affect its firewalls and network security appliances. When combined, the flaws allow attackers to execute malicious code with the highest possible privileges on the underlying PAN-OS operating system, taking full control of the devices.
Palo Alto issued an advisory earlier this month warning customers that it was investigating reports of a possible remote code execution (RCE) vulnerability in the PAN-OS web-based management interface and advised them to follow the recommended steps to secure access to that interface.
In its investigation, the company found that the RCE attack was the result of not one, but two vulnerabilities, both of which had already been exploited in limited attacks against devices that have their management interface exposed to the internet.
Authentication bypass and privilege escalation
The first vulnerability (CVE-2024-0012) is rated critical with a score of 9.3 out of 10. By exploiting this issue, attackers can bypass authentication and gain administrative privileges on the management interface, enabling them to perform admin actions and alter configurations.
While that is bad enough, it does not immediately result in a full system compromise unless this functionality can be leveraged to execute malicious code on the underlying operating system.
It turns out that attackers found such a way via a second vulnerability (CVE-2024-9474), which allows anyone with administrative privileges on the web interface to execute code on the Linux-based OS as root, the highest possible privilege.
Both vulnerabilities affect PAN-OS 10.2, PAN-OS 11.0, PAN-OS 11.1, and PAN-OS 11.2, all of which have now received patches.
The flaws were trivial
Researchers from security firm watchTowr reverse-engineered Palo Alto's patches to analyze both vulnerabilities and concluded that the flaws were the result of basic errors in the development process.
To decide whether authentication is required for a user to access a page, the PAN-OS management interface checks whether the request's X-Pan-Authcheck header is set to on or off. The Nginx proxy server that forwards requests to the Apache server hosting the web application automatically sets X-Pan-Authcheck to on based on the route of the request. In some cases X-Pan-Authcheck is set to off because the location, for example the /unauth/ directory, is meant to be accessible without authentication, but almost everything other than /unauth/ should have the header set to on, which should result in the user being redirected to a login page.
However, the watchTowr researchers found that a redirect script called uiEnvSetup.php expects the HTTP_X_PAN_AUTHCHECK value to be set to off, and if that value is supplied in the request, the server simply accepts it. In other words, the backend trusts a header that the client can write, rather than deriving the decision from the route itself.
"We simply... supply the off value to the X-PAN-AUTHCHECK HTTP request header, and the server helpfully turns off authentication?!" the researchers wrote in their report. "At this point, why is anyone surprised?"
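To make the trust failure concrete, here is an added Python model of the proxy/backend split described above. It is not code from PAN-OS or from watchTowr's write-up. It assumes a small request object, a hypothetical admin page at /php/admin.php, and that a client-supplied X-Pan-Authcheck value reaches the backend whenever the proxy does not overwrite it (how the value actually survives the hop in PAN-OS is not detailed on this page). The point it shows generalizes beyond this one header: an authorization decision must be recomputed from something the client cannot influence (here, the route), and a proxy that stamps a header for its backend must overwrite any copy the client sent rather than merely fill it in when absent.

```python
"""Constructed model of the X-Pan-Authcheck trust boundary; not PAN-OS code."""
from dataclasses import dataclass, field

# Routes the article says are meant to be reachable without a login.
UNAUTH_PREFIXES = ("/unauth/",)
# Hypothetical authenticated admin page, used only for the demonstration.
ADMIN_PAGE = "/php/admin.php"


@dataclass
class Request:
    path: str
    headers: dict = field(default_factory=dict)  # header names lower-cased
    authenticated: bool = False                  # True if a valid session is present


def expected_authcheck(path: str) -> str:
    """The route-based rule: only /unauth/ pages may skip authentication."""
    return "off" if path.startswith(UNAUTH_PREFIXES) else "on"


def proxy_forward(req: Request, overwrite_client_header: bool) -> Request:
    """Stand-in for the Nginx hop that stamps X-Pan-Authcheck for Apache.

    overwrite_client_header=False: a value the client sent survives the hop
    (the assumption this model makes about the flaw).
    overwrite_client_header=True: the proxy always writes its own value, so
    nothing the client supplied can reach the backend.
    """
    headers = dict(req.headers)
    if overwrite_client_header or "x-pan-authcheck" not in headers:
        headers["x-pan-authcheck"] = expected_authcheck(req.path)
    return Request(req.path, headers, req.authenticated)


def backend_header_trusting(req: Request) -> str:
    """uiEnvSetup.php-style gate: believes whatever header value arrives."""
    if req.authenticated or req.headers.get("x-pan-authcheck") == "off":
        return "serve"
    return "redirect-to-login"


def backend_route_based(req: Request) -> str:
    """Hardened gate: recomputes the requirement from the path and never uses
    the header for the decision, so the proxy's behaviour no longer matters."""
    if req.authenticated or expected_authcheck(req.path) == "off":
        return "serve"
    return "redirect-to-login"


def handle(req: Request, overwrite_client_header: bool, backend) -> str:
    """One request through the proxy hop and then the chosen backend gate."""
    return backend(proxy_forward(req, overwrite_client_header))


def demo() -> dict:
    """Run the same forged request through each proxy/backend combination."""
    forged = Request(ADMIN_PAGE, {"x-pan-authcheck": "off"})  # constructed attacker request
    return {
        "passthrough proxy + header-trusting backend": handle(forged, False, backend_header_trusting),
        "overwriting proxy + header-trusting backend": handle(forged, True, backend_header_trusting),
        "passthrough proxy + route-based backend": handle(forged, False, backend_route_based),
    }


if __name__ == "__main__":
    for combo, outcome in demo().items():
        print(f"{combo}: {outcome}")
```

Only the first combination serves the admin page to an unauthenticated client. Fixing either layer closes the bypass, but the route-based backend is the one to keep: it stays correct even if a future proxy rule forgets a location.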
The second bug is also trivial: a command injection flaw that allows shell commands to be passed as a username to a function called AuditLog.write(), which then passes the injected command to pexecute(). But the fact that the payload reaches this logging function at all is the result of a different piece of functionality that is itself quite alarming, according to the researchers.
That functionality allows Palo Alto Panorama devices to specify a user and user role that they wish to impersonate, and then obtain a fully authenticated PHP session ID for it without having to provide a password or pass two-factor authentication.
Taken together, because of this software design, the attacker can pass a shell payload as part of the username field used to impersonate a specific user and role; that value is then passed to AuditLog.write() and on to pexecute(), resulting in its execution on the underlying OS.
"It's amazing that these two bugs got into a production appliance, amazingly allowed via the hacked-together mass of shell script invocations that lurk under the hood of a Palo Alto appliance," they wrote in their analysis.
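As an added Python example (not PAN-OS code; the audit tool path /opt/pancfg/audit.sh and its flag names are hypothetical), the following contrasts the AuditLog.write() to pexecute() pattern, in which a username is interpolated into a shell command string, with an argv-based call that never involves a shell. The injected command string is only rendered and tokenised the way a POSIX shell would read it, never executed; the safe path is executed for real, using the Python interpreter as the child process so the block runs anywhere.

```python
"""Constructed example of shell-string command injection and its argv-based fix."""
import re
import shlex
import subprocess
import sys

# Hypothetical audit helper; the page does not show PAN-OS's real command line.
AUDIT_TOOL = "/opt/pancfg/audit.sh"

# Shell operators that turn one command into several when they appear unquoted.
SHELL_OPERATORS = {";", "|", "||", "&", "&&", "(", ")", "<", ">", ">>"}

# Defence in depth: a username is a name, not a shell fragment.
USERNAME_RE = re.compile(r"[A-Za-z0-9._@-]{1,64}")


def render_shell_command_vulnerable(username: str, action: str = "login") -> str:
    """Mirrors the injectable pattern: the username lands in a shell string.
    Rendered only; this example never executes it."""
    return f"{AUDIT_TOOL} --user {username} --action {action}"


def render_shell_command_quoted(username: str, action: str = "login") -> str:
    """Same string-building approach with shlex.quote(), the minimum fix if a
    shell string truly cannot be avoided."""
    return f"{AUDIT_TOOL} --user {shlex.quote(username)} --action {action}"


def shell_view(command: str) -> list:
    """Tokenise as a POSIX shell would, keeping operators such as ; and | as
    their own tokens so that an injected second command becomes visible."""
    lexer = shlex.shlex(command, posix=True, punctuation_chars=True)
    lexer.whitespace_split = True
    return list(lexer)


def is_injectable(command: str) -> bool:
    """True if the shell would see a command separator or redirection."""
    return any(tok in SHELL_OPERATORS for tok in shell_view(command))


def audit_argv(username: str, action: str = "login") -> list:
    """Preferred fix: validate the field, then build an argv list. With no shell
    in the path, metacharacters in the username are just bytes in one argument."""
    if not USERNAME_RE.fullmatch(username):
        raise ValueError("username contains characters outside the allowed set")
    return [AUDIT_TOOL, "--user", username, "--action", action]


def echo_argument_without_shell(value: str) -> str:
    """Prove the argv path: spawn a child with an argument list (shell=False is
    the default) and return exactly what the child received as argv[1]."""
    result = subprocess.run(
        [sys.executable, "-c", "import sys; print(sys.argv[1], end='')", value],
        capture_output=True, text=True, check=True,
    )
    return result.stdout


if __name__ == "__main__":
    payload = "admin; id"  # constructed injection attempt
    print("vulnerable :", shell_view(render_shell_command_vulnerable(payload)))
    print("quoted     :", shell_view(render_shell_command_quoted(payload)))
    print("argv child :", repr(echo_argument_without_shell(payload)))
    try:
        audit_argv(payload)
    except ValueError as exc:
        print("validator  :", exc)
```

The tokenised view of the vulnerable string shows the shell would run id as a separate command; the quoted form keeps the whole payload as one argument, and the argv form never hands anything to a shell at all. The allowlist is a second layer, not a substitute: the structural fix is to stop building shell strings from untrusted fields.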
Mitigation
In addition to updating affected firewalls to the newly released versions, administrators should restrict access to the management interface to trusted internal IP addresses only. The management interface can also be isolated on a dedicated management VLAN, or configured so that it is reachable only through so-called jump servers that require separate authentication first.
Leaving PAN-OS management interfaces exposed to the internet is highly risky, as this is neither the first nor likely the last RCE vulnerability to be found in such devices. Earlier this year, Palo Alto Networks patched a zero-day RCE flaw (CVE-2024-3400) in PAN-OS that was exploited by a nation-state threat actor.
Palo Alto Networks' threat hunting team is tracking the exploitation activity of CVE-2024-0012 and CVE-2024-9474 under the name Operation Lunar Peek and has published indicators of compromise related to it.
"This activity has primarily originated from IP addresses known to proxy/tunnel traffic for anonymous VPN services," the team said. "Observed post-exploitation activity includes interactive command execution and dropping malware, such as webshells, on the firewall."