Hackers have already compromised thousands of Palo Alto Networks firewalls in attacks exploiting two recently patched zero-day vulnerabilities.
The two security flaws are an authentication bypass (CVE-2024-0012) in the PAN-OS management web interface that remote attackers can exploit to gain administrator privileges, and a PAN-OS privilege escalation (CVE-2024-9474) that lets them run commands on the firewall with root privileges.
While CVE-2024-9474 was disclosed this Monday, the company first warned customers on November 8 to restrict access to their next-generation firewalls because of a potential RCE flaw (which was assigned CVE-2024-0012 last Friday).
Palo Alto Networks is still investigating ongoing attacks chaining the two flaws to target “a limited number of device management web interfaces” and has already observed threat actors dropping malware and executing commands on compromised firewalls, warning that an exploit chain is likely already available.
“This original activity reported on Nov. 18, 2024 primarily originated from IP addresses known to proxy/tunnel traffic for anonymous VPN services,” the company said on Wednesday.
“At this time, Unit 42 assesses with moderate to high confidence that a functional exploit chaining CVE-2024-0012 and CVE-2024-9474 is publicly available, which will enable broader threat activity.”
Although the company says the attacks affect only a “very small number of PAN-OS” firewalls, threat monitoring platform Shadowserver reported on Wednesday that it is tracking over 2,700 vulnerable PAN-OS devices.
Shadowserver is also tracking the number of compromised Palo Alto Networks firewalls, and it said that roughly 2,000 have been hacked since the start of this ongoing campaign.
CISA has added both vulnerabilities to its Known Exploited Vulnerabilities Catalog and now requires federal agencies to patch their firewalls within three weeks, by December 9.
In early November, it also warned of attackers exploiting another critical missing-authentication flaw (CVE-2024-5910) in the Palo Alto Networks Expedition firewall configuration migration tool, patched in July, which can be exploited to reset application admin credentials on Internet-exposed Expedition servers.
Earlier this year, the company’s customers also had to patch another maximum-severity, actively exploited PAN-OS firewall vulnerability (CVE-2024-3400) that impacted over 82,000 devices. CISA also added CVE-2024-3400 to its KEV catalog, asking federal agencies to secure their devices within seven days.
Palo Alto Networks “strongly” advised its customers on Wednesday to secure their firewalls’ management interfaces by restricting access to the internal network.
“Risk of these issues are greatly reduced if you secure access to the management web interface by restricting access to only trusted internal IP addresses according to our recommended best practice deployment guidelines,” the company said.
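As an added illustration of that guidance (not part of the original article and not a Palo Alto Networks document), the PAN-OS CLI configuration below limits management access to a single internal admin subnet, both on the dedicated management port (permitted-ip) and on any dataplane interface that carries an interface management profile. The subnet 10.10.50.0/24, the profile name mgmt-restricted and the interface ethernet1/1 are placeholders; check the command syntax against the CLI reference for your PAN-OS version before committing.

```text
# Added example: restrict PAN-OS management access to a trusted internal subnet.
# 10.10.50.0/24, mgmt-restricted and ethernet1/1 are assumed placeholder values.
configure

# Management (MGT) port: only the admin subnet may reach the web UI / SSH.
set deviceconfig system permitted-ip 10.10.50.0/24

# Dataplane interfaces: an interface management profile with the same allow-list.
# Leaving permitted-ip empty on a profile that enables https/ssh exposes the
# management services to every source that can route to that interface.
set network profiles interface-management-profile mgmt-restricted https yes
set network profiles interface-management-profile mgmt-restricted ssh yes
set network profiles interface-management-profile mgmt-restricted permitted-ip 10.10.50.0/24
set network interface ethernet ethernet1/1 layer3 interface-management-profile mgmt-restricted

commit
```

The point of the two allow-lists is that the web interface targeted by CVE-2024-0012 and CVE-2024-9474 is reachable wherever HTTPS management is enabled, not only on the MGT port; an internet-facing dataplane interface with an unrestricted management profile is exposed even when the MGT port is locked down.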