At the moment, cybersecurity firm Palo Alto Networks warned clients to limit entry to their next-generation firewalls due to a possible distant code execution vulnerability within the PAN-OS administration interface.
In a safety advisory printed on Friday, the corporate stated it would not but have further data relating to this alleged safety flaw and added that it has but to detect indicators of energetic exploitation.
“Palo Alto Networks is aware of a claim of a remote code execution vulnerability via the PAN-OS management interface. At this time, we do not know the specifics of the claimed vulnerability. We are actively monitoring for signs of any exploitation,” it stated.
“We strongly suggest clients to make sure entry to your administration interface is configured appropriately in accordance with our really useful finest observe deployment tips.
“Cortex Xpanse and Cortex XSIAM customers with the ASM module can investigate internet exposed instances by reviewing alerts generated by the Palo Alto Networks Firewall Admin Login attack surface rule.”
The corporate suggested clients to dam entry from the Web to their firewalls’ PAN-OS administration interface and solely enable connections from trusted inner IP addresses.
In line with a separate assist doc on Palo Alto Networks’ group web site, admins can even take a number of of the next measures to scale back the administration interface’s publicity:
- Isolate the administration interface on a devoted administration VLAN.
- Use leap servers to entry the mgt IP. Customers authenticate and hook up with the leap server earlier than logging in to the firewall/Panorama.
- Restrict inbound IP addresses to your mgt interface to authorised administration units. It will cut back the assault floor by stopping entry from surprising IP addresses and prevents entry utilizing stolen credentials.
- Solely allow secured communication resembling SSH, HTTPS.
- Solely enable PING for testing connectivity to the interface.
Important lacking authentication flaw exploited in assaults
On Thursday, CISA additionally warned of ongoing assaults exploiting a vital lacking authentication vulnerability in Palo Alto Networks Expedition tracked as CVE-2024-5910. This safety flaw was patched in July and menace actors can remotely exploit it to reset utility admin credentials on Web-exposed Expedition servers.
Whereas CISA did not present extra particulars on these assaults, Horizon3.ai vulnerability researcher Zach Hanley launched a proof-of-concept exploit final month that chains it with a command injection vulnerability (tracked as CVE-2024-9464) to achieve “unauthenticated” arbitrary command execution on susceptible Expedition servers.
CVE-2024-9464 may also be chained with different safety flaws—addressed by Palo Alto Networks in October—to take over admin accounts and hijack PAN-OS firewalls.
The U.S. cybersecurity company additionally added the CVE-2024-5910 vulnerability to its Identified Exploited Vulnerabilities Catalog, ordering federal businesses to safe their programs in opposition to assaults inside three weeks, by November 28.
“These types of vulnerabilities are frequent attack vectors for malicious cyber actors and pose significant risks to the federal enterprise,” warned CISA.
