Missing Authentication for Critical Function (CWE-306)
An authentication bypass vulnerability exists in Palo Alto Networks PAN-OS software versions 10.2, 11.0, 11.1, and 11.2. This vulnerability allows an unauthenticated attacker with network access to the management web interface to gain PAN-OS administrator privileges. The attacker can then perform administrative actions, tamper with the configuration, or exploit other authenticated privilege escalation vulnerabilities. Cloud NGFW and Prisma Access are not affected by this vulnerability.
The impact of this vulnerability is severe, with a CVSS v4.0 base score of 9.3 (Critical). An attacker exploiting it could:
1. Gain full administrative control over the PAN-OS system.
2. Modify system configuration, potentially compromising network security policies.
3. Perform unauthorized administrative actions.
4. Use this access as a stepping stone to exploit other vulnerabilities, such as the privilege escalation CVE-2024-9474.
5. Disrupt network operations or create backdoors for persistent access.
The attack vector is network-based, requires low complexity, and needs no user interaction, making the vulnerability easy to exploit once the management interface is reachable. It has been reported as actively exploited in the wild.
Multiple proof-of-concept exploits are available on github.com. The vulnerability is actively exploited in the wild and has been added to the CISA Known Exploited Vulnerabilities (KEV) catalog. Its exploitation has been reported by various sources, including infosec.exchange.
Patches are available. Palo Alto Networks has released updates to address this vulnerability for the affected versions: PAN-OS 10.2, PAN-OS 11.0, PAN-OS 11.1, and PAN-OS 11.2. Users should update to the latest patched versions of these software releases as soon as possible.
1. Update PAN-OS to the latest patched version immediately.
2. As the critical mitigation step, restrict access to the management web interface to trusted internal IP addresses only (for example via the management interface's permitted IP address list); the management interface should never be reachable from the internet or any other untrusted network. This significantly reduces, but does not eliminate, the risk of exploitation.
3. Follow Palo Alto Networks' recommended best-practice deployment guidelines for securing management access.
4. Monitor system and management-interface logs for suspicious activity or unauthorized access attempts, including logins or requests from source addresses outside the trusted allowlist.
5. Conduct a thorough audit to confirm that no unauthorized changes have been made to the system configuration, since a successful attacker holds administrator privileges and can alter policy or create backdoors.
6. If immediate patching is not possible, disable external access to the management interface until the update can be applied.
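As an added example (not Palo Alto Networks code and not taken from the advisory), the following Python script implements the allowlist and log-monitoring steps above offline: it parses management-interface access-log lines, flags every request whose source address is outside a trusted admin network, and separately tags hits on the source IP named in the exploitation reporting below (91.208.197[.]167, undefanged in the code). The log line format, the sample lines, the trusted CIDR and the function names are all assumptions constructed for the example; the real PAN-OS log formats differ.

```python
import ipaddress
import re

# Constructed sample log in an ASSUMED simplified access-log format
# ("<timestamp> <src_ip> <method> <path> <status>"); not the real PAN-OS format.
# The "not-an-ip" line is included to show how a malformed source field is handled.
SAMPLE_LOG = """\
2024-11-18T10:01:02Z 10.10.5.21 GET /login 200
2024-11-18T10:01:40Z 91.208.197.167 POST /login 302
2024-11-18T10:02:11Z 203.0.113.45 GET /login 200
2024-11-18T10:02:30Z not-an-ip GET /login 400
2024-11-18T10:03:00Z 10.10.5.22 POST /config 200
"""

# Assumed trusted admin network; in practice this is the same list you would
# put on the management interface's permitted IP address allowlist.
TRUSTED_MGMT_CIDRS = ["10.10.5.0/24"]

# Source IP named in the exploitation reporting (shown defanged on the page).
KNOWN_EXPLOITING_IPS = {"91.208.197.167"}

LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<src>\S+)\s+(?P<method>[A-Z]+)\s+(?P<path>\S+)\s+(?P<status>\d{3})$"
)


def parse_line(line):
    """Parse one access-log line into a dict, or return None if it does not match."""
    m = LINE_RE.match(line.strip())
    return m.groupdict() if m else None


def classify_source(src_ip, trusted_cidrs, ioc_ips):
    """Return 'ioc', 'trusted' or 'untrusted' for a source address string.

    A known-bad address wins over the allowlist. Anything that is not a
    parseable IP is treated as untrusted rather than silently skipped, so a
    malformed field cannot hide a request from the check.
    """
    if src_ip in ioc_ips:
        return "ioc"
    try:
        addr = ipaddress.ip_address(src_ip)
    except ValueError:
        return "untrusted"
    if any(addr in ipaddress.ip_network(cidr) for cidr in trusted_cidrs):
        return "trusted"
    return "untrusted"


def flag_mgmt_access(log_text, trusted_cidrs=TRUSTED_MGMT_CIDRS, ioc_ips=KNOWN_EXPLOITING_IPS):
    """Return every management-interface request that did not come from the trusted allowlist."""
    findings = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue  # unparseable line; a real pipeline would count these too
        verdict = classify_source(rec["src"], trusted_cidrs, ioc_ips)
        if verdict == "trusted":
            continue
        findings.append({
            "ts": rec["ts"],
            "src": rec["src"],
            "method": rec["method"],
            "path": rec["path"],
            "status": rec["status"],
            "reason": verdict,
        })
    return findings


if __name__ == "__main__":
    for f in flag_mgmt_access(SAMPLE_LOG):
        print(f"{f['ts']} {f['src']:>16} {f['method']} {f['path']} {f['status']} -> {f['reason']}")
```

Running it on the constructed sample flags the known-exploiting IP, the unrelated external address and the malformed source field, and passes the two internal requests. The log check is a detective control only; the preventive control is the allowlist on the interface itself, which the same CIDR list feeds.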
CVSS v3.1 vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
CVSS v4.0 vector (base score 9.3): CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:L/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:N/R:U/V:C/RE:H/U:Red
Attacks in the wild have been reported by inthewild.io.
Feedly found the first article mentioning CVE-2024-0012.
Feedly estimated the CVSS score as HIGH
Attacks in the wild have been reported by #threatintel.
CVE-2024-0012 is a critical authentication bypass vulnerability in the management web interface of PAN-OS versions 10.2, 11.0, 11.1, and 11.2, with active exploitation attempts identified from the IP address 91.208.197[.]167. Fixes are available, and Palo Alto Networks recommends that customers update to the latest patches to mitigate this vulnerability; Cloud NGFW and Prisma Access are not affected. For detailed information on affected products and remediation guidance, refer to the Palo Alto Networks Security Advisory.
NVD published the first details for CVE-2024-0012
A CVSS base score of 9.3 has been assigned.
Attacks in the wild have been reported by the CISA Known Exploited Vulnerabilities (KEV) catalog.
This CVE started to trend in security discussions