Just in Time Bulletin: CVE-2024-0012 and CVE-2024-9474 Palo Alto Unauthenticated Remote Command Execution

Dec 10, 2024

What are CVE-2024-0012 and CVE-2024-9474? 

Researchers have identified two vulnerabilities affecting Palo Alto’s SSL VPN which, when chained, can result in remote command execution. An authentication bypass vulnerability, tracked as CVE-2024-0012, stemmed from missing validation of HTTP request headers. Specifically, if the “X-PAN-AUTHCHECK” HTTP request header was included and set to “off”, authentication could be bypassed. Wild. Having found a way to bypass authentication, the research team discovered a PHP script used for event logging that injected an unsanitized username, taken from a server-side session variable, directly into a psexecute() function call. Unsure how to get an attacker-defined value into that session variable, the team continued digging through the PHP scripts and eventually identified one that seemingly allowed any authenticated user to impersonate any other user, real or attacker-defined. More importantly, the script accepted any arbitrary username, which could conveniently contain shell metacharacters, and defined that user’s role as a “superuser”. Normal SSL VPN behavior by all accounts. This resulted in privilege escalation, tracked as CVE-2024-9474. By combining these elements the team found it was possible to bypass authentication, elevate privileges, and execute arbitrary commands. The vulnerabilities were laughably simple to exploit, but the research to get there was quite excellent.

This is a critical vulnerability. Successful exploitation facilitates remote command execution, which can result in malware deployment, host compromise, or lateral movement within a private network.

How bad is this? 

CVE              CVSSv3 Score
CVE-2024-9474    6.9
CVE-2024-0012    9.3

Severity: Critical

  • Credentials are NOT required
  • Thousands of potential targets
  • Low level of complexity
  • Exploit code in public domain

Who is affected by this? 

Product        Affected version
PAN-OS 11.2    < 11.2.4-h1
PAN-OS 11.1    < 11.1.5-h1
PAN-OS 11.0    < 11.0.6-h1
PAN-OS 10.2    < 10.2.12-h2
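A small triage script, added here as an example and not part of the original bulletin, that applies the affected-version table above to a firewall inventory. It assumes PAN-OS version strings follow the "major.minor.patch[-hN]" form shown in the table, that a hotfix suffix sorts after the bare patch release (so 11.2.4-h1 is above 11.2.4), and that branches not listed in the table cannot be judged from this bulletin alone; the inventory values are constructed sample data.

```python
import re
from typing import Optional, Tuple

# Fixed releases per PAN-OS branch, taken from the bulletin's affected-version table.
FIXED_VERSIONS = {
    (11, 2): "11.2.4-h1",
    (11, 1): "11.1.5-h1",
    (11, 0): "11.0.6-h1",
    (10, 2): "10.2.12-h2",
}

# Assumed version format: major.minor.patch with an optional -hN hotfix suffix.
_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:-h(\d+))?$")


def parse_panos_version(version: str) -> Tuple[int, int, int, int]:
    """Turn e.g. '10.2.12-h2' into (10, 2, 12, 2); a missing -hN hotfix counts as 0."""
    m = _VERSION_RE.match(version.strip())
    if not m:
        raise ValueError(f"unrecognised PAN-OS version string: {version!r}")
    major, minor, patch, hotfix = m.groups()
    return int(major), int(minor), int(patch), int(hotfix or 0)


def is_vulnerable(version: str) -> Optional[bool]:
    """True if below the fixed release for its branch, False if at or above it,
    None if the branch is not covered by the bulletin's table."""
    parsed = parse_panos_version(version)
    fixed = FIXED_VERSIONS.get(parsed[:2])
    if fixed is None:
        return None
    return parsed < parse_panos_version(fixed)


def triage(inventory: dict) -> dict:
    """Split a {hostname: version} inventory into vulnerable / fixed / unknown buckets."""
    result = {"vulnerable": [], "fixed": [], "unknown": []}
    for host, version in sorted(inventory.items()):
        state = is_vulnerable(version)
        bucket = "unknown" if state is None else ("vulnerable" if state else "fixed")
        result[bucket].append(host)
    return result


if __name__ == "__main__":
    # Constructed sample inventory; hostnames and versions are not real.
    sample = {"fw-edge-01": "11.2.3", "fw-edge-02": "11.2.4-h1",
              "fw-dc-01": "10.2.12", "fw-dc-02": "10.2.12-h2", "fw-lab-01": "10.1.14"}
    for bucket, hosts in triage(sample).items():
        print(f"{bucket}: {', '.join(hosts) or '-'}")
```

Hosts in the "unknown" bucket should be checked against the vendor advisory rather than assumed safe.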

How is it exploited? 

This vulnerability is exploitable remotely by an unauthenticated attacker, the most abundant class of attacker.

How do I protect myself? 

Palo Alto Networks recommends that customers update to receive the latest patches that fix CVE-2024-0012 and CVE-2024-9474. Please refer to the Palo Alto Networks Security Advisories (CVE-2024-0012, CVE-2024-9474) for up-to-date information about affected products and versions.

Mitigating factors? 

If updating is not possible, it is recommended that firewall rules be implemented to restrict access to the Palo Alto management interface to trusted internal IP addresses only. This will greatly decrease the possibility of external compromise. 

Additional Resources: