{ "data_version": "4.0", "data_type": "CVE", "data_format": "MITRE", "CVE_data_meta": { "ID": "CVE-2024-0012", "ASSIGNER": "psirt@paloaltonetworks.com", "STATE": "PUBLIC" }, "description": { "description_data": [ { "lang": "eng", "value": "An authentication bypass in Palo Alto Networks PAN-OS software enables an unauthenticated attacker with network access to the management web interface to gain PAN-OS administrator privileges to perform administrative actions, tamper with the configuration, or exploit other authenticated privilege escalation vulnerabilities like CVE-2024-9474 https://security.paloaltonetworks.com/CVE-2024-9474 .\n\nThe risk of this issue is greatly reduced if you secure access to the management web interface by restricting access to only trusted internal IP addresses according to our recommended\u00a0 best practice deployment guidelines https://live.paloaltonetworks.com/t5/community-blogs/tips-amp-tricks-how-to-secure-the-management-access-of-your-palo/ba-p/464431 .\n\nThis issue is applicable only to PAN-OS 10.2, PAN-OS 11.0, PAN-OS 11.1, and PAN-OS 11.2 software.\n\nCloud NGFW and Prisma Access are not impacted by this vulnerability." } ] }, "problemtype": { "problemtype_data": [ { "description": [ { "lang": "eng", "value": "CWE-306 Missing Authentication for Critical Function", "cweId": "CWE-306" } ] } ] }, "affects": { "vendor": { "vendor_data": [ { "vendor_name": "Palo Alto Networks", "product": { "product_data": [ { "product_name": "Cloud NGFW", "version": { "version_data": [ { "version_value": "not down converted", "x_cve_json_5_version_data": { "versions": [ { "status": "unaffected", "version": "All" } ], "defaultStatus": "unaffected" } } ] } }, { "product_name": "PAN-OS", "version": { "version_data": [ { "version_value": "not down converted", "x_cve_json_5_version_data": { "versions": [ { "changes": [ { "at": "11.2.4-h1", "status": "unaffected" } ], "lessThan": "11.2.4-h1", "status": "affected", "version": "11.2.0", "versionType": "custom" }, { "changes": [ { "at": "11.1.5-h1", "status": "unaffected" } ], "lessThan": "11.1.5-h1", "status": "affected", "version": "11.1.0", "versionType": "custom" }, { "changes": [ { "at": "11.0.6-h1", "status": "unaffected" } ], "lessThan": "11.0.6-h1", "status": "affected", "version": "11.0.0", "versionType": "custom" }, { "changes": [ { "at": "10.2.12-h2", "status": "unaffected" } ], "lessThan": "10.2.12-h2", "status": "affected", "version": "10.2.0", "versionType": "custom" }, { "status": "unaffected", "version": "10.1.0" } ], "defaultStatus": "unaffected" } } ] } }, { "product_name": "Prisma Access", "version": { "version_data": [ { "version_value": "not down converted", "x_cve_json_5_version_data": { "versions": [ { "status": "unaffected", "version": "All" } ], "defaultStatus": "unaffected" } } ] } } ] } } ] } }, "references": { "reference_data": [ { "url": "https://security.paloaltonetworks.com/CVE-2024-0012", "refsource": "MISC", "name": "https://security.paloaltonetworks.com/CVE-2024-0012" } ] }, "source": { "advisory": "PAN-SA-2024-0015", "discovery": "EXTERNAL" }, "configuration": [ { "lang": "en", "supportingMedia": [ { "base64": false, "type": "text/html", "value": "

The risk is greatest if you configure the management interface to enable access from the internet or any untrusted network either:

  1. Directly
    or
  2. Through a dataplane interface that includes a management interface profile.

The risk is greatly reduced if you make sure that only trusted internal IP addresses are allowed to access the management interface.

Use the following steps to identify your recently detected devices in our Internet scans:

  1. To find your known assets that require remediation action, visit the Assets section of Customer Support Portal at\u00a0https://support.paloaltonetworks.com\u00a0(Products \u2192 Assets \u2192 All Assets \u2192 Remediation Required).
  2. The list of your known devices with an internet-facing management interface discovered in our scans are tagged with PAN-SA-2024-0015 with a last seen timestamp in UTC. If no such devices are listed, it indicates our scan did not find any devices with internet-facing management interface for your account in the last three days.
" } ], "value": "The risk is greatest if you configure the management interface to enable access from the internet or any untrusted network either:\n\n * Directly\nor\n * Through a dataplane interface that includes a management interface profile.\nThe risk is greatly reduced if you make sure that only trusted internal IP addresses are allowed to access the management interface.\n\nUse the following steps to identify your recently detected devices in our Internet scans:\n\n * To find your known assets that require remediation action, visit the Assets section of Customer Support Portal at\u00a0 https://support.paloaltonetworks.com https://support.paloaltonetworks.com/ \u00a0(Products \u2192 Assets \u2192 All Assets \u2192 Remediation Required).\n * The list of your known devices with an internet-facing management interface discovered in our scans are tagged with PAN-SA-2024-0015 with a last seen timestamp in UTC. If no such devices are listed, it indicates our scan did not find any devices with internet-facing management interface for your account in the last three days." } ], "work_around": [ { "lang": "en", "supportingMedia": [ { "base64": false, "type": "text/html", "value": "

Recommended mitigation\u2014The vast majority of firewalls already follow Palo Alto Networks and industry best practices. However, if you haven\u2019t already, we strongly recommend that you secure access to your management interface according to our best practice deployment guidelines. Specifically, you should restrict access to the management interface to only trusted internal IP addresses to prevent external access from the internet.

Additionally, if you have a Threat Prevention subscription, you can block these attacks using Threat IDs 95746, 95747, 95752, 95753, 95759, and 95763 (available in Applications and Threats content version 8915-9075 and later). For these Threat IDs to protect against attacks for this vulnerability,

Review information about how to secure management access to your Palo Alto Networks firewalls:
" } ], "value": "Recommended mitigation\u2014The vast majority of firewalls already follow Palo Alto Networks and industry best practices. However, if you haven\u2019t already, we strongly recommend that you secure access to your management interface according to our best practice deployment guidelines. Specifically, you should restrict access to the management interface to only trusted internal IP addresses to prevent external access from the internet.\n\nAdditionally, if you have a Threat Prevention subscription, you can block these attacks using Threat IDs 95746, 95747, 95752, 95753, 95759, and 95763 (available in Applications and Threats content version 8915-9075 and later). For these Threat IDs to protect against attacks for this vulnerability,\n\n * Ensure that all the listed Threat IDs are set to block mode,\n * Route incoming traffic for the MGT port through a DP port https://docs.paloaltonetworks.com/best-practices/10-1/administrative-access-best-practices/administrative-access-best-practices/deploy-administrative-access-best-practices#id59206398-3dab-4b2f-9b4b-7ea500d036ba , e.g., enabling management profile on a DP interface for management access,\n * Replace the Certificate for Inbound Traffic Management https://docs.paloaltonetworks.com/best-practices/10-1/administrative-access-best-practices/administrative-access-best-practices/deploy-administrative-access-best-practices#id112f7714-8995-4496-bbf9-781e63dec71c ,\n * Decrypt inbound traffic to the management interface so the firewall can inspect it https://docs.paloaltonetworks.com/best-practices/10-1/administrative-access-best-practices/administrative-access-best-practices/deploy-administrative-access-best-practices#idbbd82587-17a2-42b4-9245-d3714e1e13a2 , and\n * Enable threat prevention on the inbound traffic to management services.\n\n\nReview information about how to secure management access to your Palo Alto Networks firewalls:\n * Palo Alto Networks LIVEcommunity article:\u00a0 https://live.paloaltonetworks.com/t5/community-blogs/tips-amp-tricks-how-to-secure-the-management-access-of-your-palo/ba-p/464431 https://live.paloaltonetworks.com/t5/community-blogs/tips-amp-tricks-how-to-secure-the-management-access-of-your-palo/ba-p/464431 \n * Palo Alto Networks official and more detailed technical documentation:\u00a0 https://docs.paloaltonetworks.com/best-practices/10-1/administrative-access-best-practices/administrative-access-best-practices/deploy-administrative-access-best-practices https://docs.paloaltonetworks.com/best-practices/10-1/administrative-access-best-practices/administrative-access-best-practices/deploy-administrative-access-best-practices" } ], "exploit": [ { "lang": "en", "supportingMedia": [ { "base64": false, "type": "text/html", "value": "Palo Alto Networks observed threat activity that exploits this vulnerability against a limited number of management web interfaces that are exposed to internet traffic coming from outside the network.
" } ], "value": "Palo Alto Networks observed threat activity that exploits this vulnerability against a limited number of management web interfaces that are exposed to internet traffic coming from outside the network." } ], "solution": [ { "lang": "eng", "supportingMedia": [ { "base64": false, "type": "text/html", "value": "

We strongly recommend that you secure access to your management interface following the instructions in the workarounds section below.

This issue is fixed in PAN-OS 10.2.12-h2, PAN-OS 11.0.6-h1, PAN-OS 11.1.5-h1, PAN-OS 11.2.4-h1, and all later PAN-OS versions.

In addition, in an attempt to provide the most seamless upgrade path for our customers, we are making fixes available for other TAC-preferred and commonly deployed maintenance releases.

" } ], "value": "We strongly recommend that you secure access to your management interface following the instructions in the workarounds section below.\n\nThis issue is fixed in PAN-OS 10.2.12-h2, PAN-OS 11.0.6-h1, PAN-OS 11.1.5-h1, PAN-OS 11.2.4-h1, and all later PAN-OS versions.\n\nIn addition, in an attempt to provide the most seamless upgrade path for our customers, we are making fixes available for other TAC-preferred and commonly deployed maintenance releases.\n\n * Additional PAN-OS 11.2 fixes: * \u200b\u200b11.2.0-h1\n * 11.2.1-h1\n * 11.2.2-h2\n * 11.2.3-h3\n * 11.2.4-h1\n\n\n\n * Additional PAN-OS 11.1 fixes: * 11.1.0-h4\n * 11.1.1-h2\n * 11.1.2-h15\n * 11.1.3-h11\n * 11.1.4-h7\n * 11.1.5-h1\n\n\n\n * Additional PAN-OS 11.0 fixes: * 11.0.0-h4\n * 11.0.1-h5\n * 11.0.2-h5\n * 11.0.3-h13\n * 11.0.4-h6\n * 11.0.5-h2\n * 11.0.6-h1\n\n\n\n * Additional PAN-OS 10.2 fixes: * 10.2.0-h4\n * 10.2.1-h3\n * 10.2.2-h6\n * 10.2.3-h14\n * 10.2.4-h32\n * 10.2.5-h9\n * 10.2.6-h6\n * 10.2.7-h18\n * 10.2.8-h15\n * 10.2.9-h16\n * 10.2.10-h9\n * 10.2.11-h6\n * 10.2.12-h2" } ], "credits": [ { "lang": "en", "value": "Palo Alto Networks thanks our Deep Product Security Research Team for discovering this issue internally from threat activity." } ] }