CVE-2024-0012, CVE-2024-9474: Zero-Day Vulnerabilities in Palo Alto PAN-OS Exploited In The Wild

Palo Alto Networks confirmed two zero-day vulnerabilities were exploited as part of attacks in the wild against PAN-OS devices, with one being attributed to Operation Lunar Peek.

Background

On November 18, Palo Alto Networks updated its advisory (PAN-SA-2024-0015) for a critical flaw in its PAN-OS software to include a CVE identifier:

In addition to CVE-2024-0012, Palo Alto Networks assigned a second CVE for a privilege escalation vulnerability (CVE-2024-9474).

Analysis

CVE-2024-0012 is an authentication bypass vulnerability in the management web interface of PAN-OS devices. An unauthenticated, remote attacker could exploit this vulnerability to obtain administrator privileges on the vulnerable PAN-OS device, enabling follow-on activity including modifying device configuration, accessing other administrative functions as well as exploiting other vulnerabilities, such as CVE-2024-9474.

CVE-2024-9474 is a privilege escalation vulnerability in the web management interface of PAN-OS devices. An authenticated, remote attacker could exploit this vulnerability to gain root privileges on the firewall.

While not explicitly referenced in its advisory, based on the description, it is believed that CVE-2024-0012 and CVE-2024-9474 may have been used as part of an exploit chain.

Attributed to Operation Lunar Peek

In a threat brief about the vulnerabilities, Palo Alto Networks’ Unit 42 have attributed the exploitation of CVE-2024-0012 to a campaign they call Operation Lunar Peek. As of November 18, no specific details have yet to be shared about Operation Lunar Peek or attribution to a specific threat actor or country of origin.

While Unit 42 did not explicitly connect CVE-2024-9474 to this operation, they reference this flaw as part of follow-on activity and have stated they’ve “observed threat activity that exploits this vulnerability against a limited number of management web interfaces.”

Initial advisory published on November 8

PAN-SA-2024-0015 was first published on November 8, following reports of a zero-day vulnerability affecting the management interfaces of PAN-OS devices. Reports indicate that someone was selling access to a zero-day in PAN-OS. It wasn’t until November 14 that Palo Alto Networks confirmed “threat activity” associated with this zero-day.

Proof of concept

At the time this blog post was published, there was no proof-of-concept (PoC) available for this vulnerability.

Solution

The following table contains a list of affected and fixed versions of PAN-OS:

Equally as important as applying patches, organizations that utilize PAN-OS devices should secure the management web interface to prevent external access, opting instead to limit access to trusted internal IP addresses. For more information, please refer to Palo Alto’s guide, Tips & Tricks: How to Secure the Management Access of Your Palo Alto Networks Device.

Identifying affected systems

A list of Tenable plugins for this vulnerability can be found on the individual CVE pages for CVE-2024-0012 and CVE-2024-9474 as they’re released. These links will display all available plugins for these vulnerabilities, including upcoming plugins in our Plugins Pipeline.

Get more information

• Threat Brief: Operation Lunar Peek, Activity Related to CVE-2024-0012
• PAN-SA-2024-0015: CVE-2024-0012 PAN-OS: Authentication Bypass in the Management Web Interface
• CVE-2024-9474 PAN-OS: Privilege Escalation (PE) Vulnerability in the Web Management Interface

Join Tenable's Security Response Team on the Tenable Community.
Learn more about Tenable One, the Exposure Management Platform for the modern attack surface.