What are CVE-2024-0012 and CVE-2024-9474?
Researchers have identified two vulnerabilities in the PAN-OS management web interface of Palo Alto Networks firewalls that, when chained, result in remote command execution. An authentication bypass, tracked as CVE-2024-0012, existed because the backend trusted an HTTP request header without checking who set it. Specifically, if a request carried the header "X-PAN-AUTHCHECK" with the value "off", authentication was skipped. Wild. Having found a way past authentication, the research team discovered a PHP script used for event logging that injected an unsanitized username, taken from a server-side session variable, directly into a psexecute() function call. Unsure at first how to get an attacker-defined value into that session variable, the team kept digging through the PHP scripts and found one that let any authenticated user create a session as any other user, real or attacker-defined. More importantly, the script accepted an arbitrary username, which could conveniently contain shell metacharacters, and let the caller set that user's role to "superuser". Hardly what one expects from a management plane. This privilege escalation is tracked as CVE-2024-9474. By combining these elements the team was able to bypass authentication, elevate privileges, and execute arbitrary commands. The vulnerabilities were laughably simple to exploit, but the research needed to get there was excellent.
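The three weaknesses described above (a proxy-set header the client can also set, a session whose identity and role come from the request, and a session value interpolated into a shell command) are easier to see side by side with their hardened forms. The following Python module is an added, constructed illustration written for this page; it is not PAN-OS code and does not reproduce the real scripts or routes. The header name is the one from the write-up; the `/opt/app/bin/eventlog` binary, the `ROLE_STORE` table, the parameter names and the attacker input are all assumptions.

```python
"""Constructed illustration of the CVE-2024-0012 / CVE-2024-9474 bug classes.
NOT PAN-OS code: routes, the eventlog binary, the role store and the
parameter names are assumptions chosen to make the pattern concrete."""
import re

AUTHCHECK_HEADER = "X-PAN-AUTHCHECK"


# --- 1. Trusting a proxy-set header that the client can also set -----------

def proxy_forward_vulnerable(client_headers: dict, unauth_route: bool) -> dict:
    """Proxy sets the header only on routes it knows are unauthenticated and
    otherwise forwards whatever the client sent (assumed proxy behaviour)."""
    forwarded = dict(client_headers)
    if unauth_route:
        forwarded[AUTHCHECK_HEADER] = "off"
    return forwarded


def proxy_forward_hardened(client_headers: dict, unauth_route: bool) -> dict:
    """Proxy drops any client-supplied copy and always sets its own value."""
    forwarded = {k: v for k, v in client_headers.items()
                 if k.lower() != AUTHCHECK_HEADER.lower()}
    forwarded[AUTHCHECK_HEADER] = "off" if unauth_route else "on"
    return forwarded


def backend_enforces_login(forwarded_headers: dict) -> bool:
    """Backend gate shared by both proxies: login is skipped when the header
    (matched case-insensitively, as HTTP headers are) says 'off'."""
    value = next((v for k, v in forwarded_headers.items()
                  if k.lower() == AUTHCHECK_HEADER.lower()), "on")
    return value.lower() != "off"


# --- 2. Session identity and role taken from the request -------------------

ROLE_STORE = {"alice": "readonly", "bob": "superuser"}  # hypothetical server-side store


def create_session_vulnerable(params: dict, authenticated_user=None) -> dict:
    """Caller chooses both the identity and the role; nothing is checked."""
    return {"user": params["user"], "role": params.get("role", "")}


def create_session_hardened(params: dict, authenticated_user=None) -> dict:
    """Identity comes from a completed login, role from the server-side store;
    the request parameters are ignored for both."""
    if authenticated_user is None or authenticated_user not in ROLE_STORE:
        raise PermissionError("session creation requires a completed login")
    return {"user": authenticated_user, "role": ROLE_STORE[authenticated_user]}


# --- 3. Session value interpolated into a shell command --------------------

USERNAME_RE = re.compile(r"[A-Za-z0-9._@-]{1,64}")
EVENTLOG_BIN = "/opt/app/bin/eventlog"   # hypothetical logging helper
SHELL_META = set("`$;|&<>()\n'\"\\")


def log_command_vulnerable(session: dict) -> str:
    """A string handed to a shell: metacharacters in 'user' become commands."""
    return f"{EVENTLOG_BIN} -u {session['user']} -r {session['role']}"


def log_command_hardened(session: dict) -> list:
    """Validate against an allow-list, then build an argv list so that no
    shell ever parses the username."""
    if not USERNAME_RE.fullmatch(session["user"]):
        raise ValueError("username contains characters outside the allowed set")
    return [EVENTLOG_BIN, "-u", session["user"], "-r", session["role"]]


def has_shell_metacharacters(s: str) -> bool:
    """Crude injection check used by the demo below."""
    return any(ch in SHELL_META for ch in s)


# --- Driving the chain with attacker-controlled input ----------------------

ATTACKER_PARAMS = {"user": "x`id`", "role": "superuser"}  # constructed input


def attack_chain(proxy, make_session, make_log_cmd):
    """Send the bypass header to an authenticated route, then try to create a
    session and trigger the logging command. Returns the command that would
    run, or a 'stopped:' message naming the control that blocked the chain."""
    headers = proxy({AUTHCHECK_HEADER: "off"}, unauth_route=False)
    if backend_enforces_login(headers):
        return "stopped: login required"
    try:
        session = make_session(ATTACKER_PARAMS, authenticated_user=None)
        return make_log_cmd(session)
    except (PermissionError, ValueError) as exc:
        return f"stopped: {exc}"


if __name__ == "__main__":
    print("vulnerable:", attack_chain(proxy_forward_vulnerable,
                                      create_session_vulnerable,
                                      log_command_vulnerable))
    print("hardened:  ", attack_chain(proxy_forward_hardened,
                                      create_session_hardened,
                                      log_command_hardened))
```

Note that each hardened stage stops the chain on its own: stripping the client header at the proxy blocks the bypass, deriving identity and role server-side blocks the impersonation, and the allow-list plus argv list blocks the injection even if an attacker-chosen username somehow reaches the logging step. Defence in depth matters here because the original chain only worked once all three controls were missing.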
This is a critical vulnerability chain. Successful exploitation gives an attacker command execution on the firewall itself, which can lead to malware deployment, full device compromise, or lateral movement into the private network the firewall protects.
How bad is this?
CVE | CVSS v4.0 Score (per Palo Alto Networks advisory) |
CVE-2024-0012 | 9.3 |
CVE-2024-9474 | 6.9 |
Severity: Critical
- Credentials are NOT required
- Thousands of potential targets (management interfaces reachable from the Internet)
- Low attack complexity
- Public exploit code is available
Who is affected by this?
Product | Affected version |
PAN-OS 11.2 | < 11.2.4-h1 |
PAN-OS 11.1 | < 11.1.5-h1 |
PAN-OS 11.0 | < 11.0.6-h1 |
PAN-OS 10.2 | < 10.2.12-h2 |
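Comparing PAN-OS version strings by eye is error-prone because hotfix suffixes sort after the base release (10.2.12 is vulnerable, 10.2.12-h2 is not, and 10.2.9-h14 is still below 10.2.12-h2). The following Python snippet is an added example, not a vendor tool; it encodes the table above and triages an inventory against it. The inventory is a constructed sample, and any release train not in the table (for example 10.1, which this page does not cover) is reported as unknown rather than guessed at.

```python
"""Triage PAN-OS versions against the fixed releases listed on this page.
Added example; the thresholds are the page's table, the inventory is made up."""
import re
from typing import Dict, Optional, Tuple

# First fixed release per train, from the affected-version table above.
FIXED_VERSIONS = {
    (11, 2): "11.2.4-h1",
    (11, 1): "11.1.5-h1",
    (11, 0): "11.0.6-h1",
    (10, 2): "10.2.12-h2",
}

# major.minor.maintenance with an optional -h<N> hotfix suffix.
_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:-h(\d+))?$")


def parse_panos_version(s: str) -> Tuple[int, int, int, int]:
    """Turn '10.2.12-h2' into (10, 2, 12, 2); a missing hotfix counts as 0,
    so the base release sorts below every hotfix of the same maintenance release."""
    m = _VERSION_RE.match(s.strip())
    if not m:
        raise ValueError(f"unrecognised PAN-OS version string: {s!r}")
    major, minor, maint, hotfix = m.groups()
    return (int(major), int(minor), int(maint), int(hotfix or 0))


def is_vulnerable(version: str) -> Optional[bool]:
    """True if below the fixed release for its train, False if at or above it,
    None if the train is not in the table (consult the vendor advisory)."""
    v = parse_panos_version(version)
    fixed = FIXED_VERSIONS.get(v[:2])
    if fixed is None:
        return None
    return v < parse_panos_version(fixed)


def triage(inventory: Dict[str, str]) -> Dict[str, str]:
    """Map hostname -> 'VULNERABLE' / 'fixed' / 'unknown train' / 'unparseable'."""
    result = {}
    for host, version in inventory.items():
        try:
            state = is_vulnerable(version)
        except ValueError:
            result[host] = "unparseable"
            continue
        result[host] = {True: "VULNERABLE", False: "fixed", None: "unknown train"}[state]
    return result


if __name__ == "__main__":
    # Constructed sample inventory (hostnames and versions are made up).
    sample = {
        "fw-dc1": "10.2.12-h1",
        "fw-dc2": "10.2.12-h2",
        "fw-branch": "11.1.4-h12",
        "fw-lab": "11.2.5",
        "fw-legacy": "10.1.14-h6",
        "fw-typo": "11.1",
    }
    for host, state in triage(sample).items():
        print(f"{host:10s} {sample[host]:12s} {state}")
```

Run it against an export of your device inventory; anything reported as VULNERABLE or unknown needs follow-up, and unparseable entries usually mean the export contains something other than a plain release string.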
How is it exploited?
The chain is exploitable remotely by an unauthenticated attacker who can reach the management web interface over the network, which for an Internet-exposed management interface means anyone at all.
How do I protect myself?
Palo Alto Networks recommends that customers upgrade to a fixed PAN-OS release that addresses CVE-2024-0012 and CVE-2024-9474. Please refer to the Palo Alto Networks Security Advisories (CVE-2024-0012, CVE-2024-9474) for up-to-date information about affected products and versions.
Mitigating factors?
If updating is not possible, restrict access to the Palo Alto Networks management interface to trusted internal IP addresses only, using firewall rules in front of the device and the device's own management access controls. This greatly reduces the chance of external compromise, since the attacker must first reach the management interface. It is a stop-gap, not a fix: anyone who can reach the interface from a permitted address can still exploit the chain, so patching remains required.