Hackers have already compromised hundreds of Palo Alto Networks firewalls in assaults exploiting two just lately patched zero-day vulnerabilities.
The 2 safety flaws are an authentication bypass (CVE-2024-0012) within the PAN-OS administration net interface that distant attackers can exploit to achieve administrator privileges and a PAN-OS privilege escalation (CVE-2024-9474) that helps them run instructions on the firewall with root privileges.
Whereas CVE-2024-9474 was disclosed this Monday, the corporate first warned clients on November 8 to limit entry to their next-generation firewalls due to a possible RCE flaw (which was tagged final Friday as CVE-2024-0012).
Palo Alto Networks continues to be investigating ongoing assaults chaining the 2 flaws to focus on “a restricted variety of system administration net interfaces” and has already noticed menace actors dropping malware and executing instructions on compromised firewalls, warning {that a} chain exploit is probably going already out there.
“This authentic exercise reported on Nov. 18, 2024 primarily originated from IP addresses identified to proxy/tunnel visitors for nameless VPN companies,” the corporate mentioned on Wednesday.
“Right now, Unit 42 assesses with reasonable to excessive confidence {that a} practical exploit chaining CVE-2024-0012 and CVE-2024-9474 is publicly out there, which is able to allow broader menace exercise.”
Though the corporate says the assaults affect solely a “very small variety of PAN-OS” firewalls, menace monitoring platform Shadowserver reported on Wednesday that it is monitoring over 2,700 weak PAN-OS gadgets.
Shadowserver can be monitoring the variety of compromised Palo Alto Networks firewalls, and it mentioned that roughly 2,000 have been hacked for the reason that begin of this ongoing marketing campaign.
CISA has added each vulnerabilities to its Recognized Exploited Vulnerabilities Catalog and now requires federal companies to patch their firewalls inside three weeks by December 9.
In early November, it additionally warned of attackers exploiting one other vital lacking authentication flaw (CVE-2024-5910) within the Palo Alto Networks Expedition firewall configuration migration software, a flaw patched in July that may be exploited to reset utility admin credentials on Web-exposed Expedition servers.
Earlier this yr, the corporate’s clients additionally needed to patch one other most severity and actively exploited PAN-OS firewall vulnerability (CVE-2024-3400) that impacted over 82,000 gadgets. CISA additionally added CVE-2024-3400 to its KEV catalog, asking federal companies to safe their gadgets inside seven days.
Palo Alto Networks “strongly’ suggested its clients on Wednesday to safe their firewalls’ administration interfaces by proscribing entry to the inner community.
“Threat of those points are tremendously lowered for those who safe entry to the administration net interface by proscribing entry to solely trusted inner IP addresses in line with our advisable greatest follow deployment pointers,” the corporate mentioned.