Palo Alto Networks has issued fixes for two actively exploited vulnerabilities that impact its firewalls and virtual security appliances. When combined, the flaws allow attackers to execute malicious code with the highest possible privileges on the underlying PAN-OS operating system, taking full control of the devices.
Palo Alto issued an advisory earlier this month warning customers it was investigating reports of a potential remote code execution (RCE) vulnerability in the PAN-OS web-based management interface and advised them to follow the recommended steps to secure access to that interface.
In its investigation, the company found that the RCE attack was the result of not one, but two vulnerabilities, both of which have been exploited in limited attacks already against devices that have their management interface exposed to the internet.
Authentication bypass and privilege escalation
The first vulnerability (CVE-2024-0012) is rated critical with a score of 9.3 out of 10. By exploiting this issue, attackers can bypass authentication and gain administrative privileges on the management interface, enabling them to execute admin actions and change configurations.
While this is bad enough, it does not directly lead to a full system compromise unless this functionality can be leveraged to execute malicious code on the underlying operating system.
It turns out that attackers found such a way via a second vulnerability (CVE-2024-9474), which enables anyone with administrative privileges on the web interface to execute code on the Linux-based OS as root — the highest possible privilege.
Both vulnerabilities affect PAN-OS 10.2, PAN-OS 11.0, PAN-OS 11.1, and PAN-OS 11.2, all of which have now received patches.
The flaws were trivial
Researchers from security firm watchTowr reverse-engineered Palo Alto’s patches to analyze both vulnerabilities and concluded that the flaws were the result of basic mistakes in the development process.
To verify whether authentication is required for a user to access a page, the PAN-OS management interface checks whether the request’s X-Pan-Authcheck header is set to on or off. The Nginx proxy server that forwards requests to the Apache server hosting the web application sets X-Pan-Authcheck automatically based on the route of the request. For some locations, such as the /unauth/ directory, the header is set to off because they are meant to be reachable without authentication, but for almost everything outside /unauth/ it should be set to on, which should result in the user being redirected to a login page.
However, watchTowr researchers found that a redirect script called uiEnvSetup.php simply checks whether HTTP_X_PAN_AUTHCHECK is set to off, and if a client supplies that value in its own request, the server accepts it as-is.
“We simply… supply the off value to the X-PAN-AUTHCHECK HTTP request header, and the server helpfully turns off authentication?!,” the researchers wrote in their report. “At this point, why is anyone surprised?”
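The design mistake described above, modelled as an added example (not Palo Alto's code): a front proxy that leaves a client-supplied copy of an internal auth-check header in place, beside a hardened proxy that strips it and sets it from the route alone. The function names, the /index.php path and the header-parsing logic are assumptions.

```python
# Hypothetical model of the header trust boundary behind CVE-2024-0012.
# Only the front proxy is supposed to set X-Pan-Authcheck; the backend
# trusts whatever value it receives.

PUBLIC_PREFIXES = ("/unauth/",)  # routes that legitimately need no login


def proxy_forward_vulnerable(path: str, client_headers: dict) -> dict:
    """Weak front-end: sets the header for public routes, but for everything
    else only fills it in when the client did not already send one, so a
    client-supplied 'off' survives into the backend."""
    headers = dict(client_headers)
    if path.startswith(PUBLIC_PREFIXES):
        headers["X-Pan-Authcheck"] = "off"
    else:
        headers.setdefault("X-Pan-Authcheck", "on")  # client value wins
    return headers


def proxy_forward_hardened(path: str, client_headers: dict) -> dict:
    """Strip every inbound copy of the internal header (any letter case),
    then set it from the route, so the client cannot influence it."""
    headers = {k: v for k, v in client_headers.items()
               if k.lower() != "x-pan-authcheck"}
    headers["X-Pan-Authcheck"] = "off" if path.startswith(PUBLIC_PREFIXES) else "on"
    return headers


def backend_requires_login(forwarded_headers: dict) -> bool:
    """Backend rule as the article describes it: an exact 'off' disables
    the check. Defence in depth: a missing or odd value requires login."""
    return forwarded_headers.get("X-Pan-Authcheck", "on").strip().lower() != "off"


def request_requires_login(path: str, client_headers: dict, proxy) -> bool:
    """End-to-end decision for one request through the chosen proxy model."""
    return backend_requires_login(proxy(path, client_headers))
```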
The second bug is also trivial: a command injection flaw in which shell commands passed as a username reach a function called AuditLog.write(), which hands the injected command to pexecute(). The way the payload reaches this logging function, however, is the result of a separate piece of functionality that the researchers consider alarming in its own right.
The functionality allows Palo Alto Panorama devices to specify a user and user role that they wish to impersonate, and then obtain a fully authenticated PHP session ID for it without having to supply a password or pass two-factor authentication.
Taken together, this design lets an attacker place a shell payload in the username field of a request to impersonate a specific user and role; the value is then passed to AuditLog.write() and on to pexecute(), resulting in its execution on the underlying OS.
“It’s amazing that these two bugs got into a production appliance, amazingly allowed via the hacked-together mass of shell script invocations that lurk under the hood of a Palo Alto appliance,” they wrote in their analysis.
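The audit-log path described above, as an added example (not Palo Alto's code): the string-built command that a shell later parses, beside a hardened write that allowlists the field and executes with an argv list and no shell. The helper names, the allowlist policy and the constructed "admin;id" sample value are assumptions; the Python one-liner stands in for the real logging helper.

```python
import re
import subprocess
import sys

# Allowlist for audit/session fields; the exact policy is an assumption.
USERNAME_RE = re.compile(r"^[A-Za-z0-9._@-]{1,64}$")
# Characters a shell treats specially; a legitimate username needs none of them.
SHELL_META = set(";|&`$(){}<>\n'\"\\")


def validate_field(value: str) -> bool:
    """Allowlist check applied before a field reaches any command."""
    return USERNAME_RE.fullmatch(value) is not None


def is_suspicious_field(value: str) -> bool:
    """Detection helper: flag session/audit fields carrying shell metacharacters."""
    return any(ch in SHELL_META for ch in value)


def build_audit_command_unsafe(user: str, role: str) -> str:
    """The flawed pattern: the untrusted field is spliced into a command
    string that a shell will later parse, so ';' and friends change what
    gets executed. Returned as a string only; it is never run here."""
    return f"logger -t audit 'impersonate user={user} role={role}'"


def run_audit_argv(user: str, role: str) -> str:
    """Hardened execution: argv list and no shell, so metacharacters are
    inert data. The Python one-liner stands in for the real log helper."""
    argv = [sys.executable, "-c",
            "import sys; print('impersonate user=%s role=%s' % tuple(sys.argv[1:]))",
            user, role]
    return subprocess.run(argv, capture_output=True, text=True, check=True).stdout


def audit_write_safe(user: str, role: str) -> str:
    """Validation first, then argv-only execution: defence in depth."""
    if not (validate_field(user) and validate_field(role)):
        raise ValueError("audit field contains disallowed characters")
    return run_audit_argv(user, role)
```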
Mitigation
In addition to updating impacted firewalls to the newly released versions, administrators should restrict access to the management interface to only trusted internal IP addresses. The management interface can also be isolated on a dedicated management VLAN or can be configured to be accessed through so-called jump servers that require separate authentication first.
Leaving PAN-OS management interfaces exposed to the internet is highly risky as this is not the first, nor likely the last, RCE vulnerability to be found in such devices. Earlier this year, Palo Alto Networks patched a zero-day RCE flaw (CVE-2024-3400) in PAN-OS that was exploited by a nation-state threat actor.
Palo Alto Networks’ threat hunting team is tracking the exploitation activity of CVE-2024-0012 and CVE-2024-9474 under the name Operation Lunar Peak and has published indicators of compromise related to it.
“This activity has primarily originated from IP addresses known to proxy/tunnel traffic for anonymous VPN services,” the team said. “Observed post-exploitation activity includes interactive command execution and dropping malware, such as webshells, on the firewall.”