At present, cybersecurity firm Palo Alto Networks warned prospects to limit entry to their next-generation firewalls due to a possible distant code execution vulnerability within the PAN-OS administration interface.
In a safety advisory revealed on Friday, the corporate mentioned it would not but have extra info relating to this alleged safety flaw and added that it has but to detect indicators of energetic exploitation.
“Palo Alto Networks is conscious of a declare of a distant code execution vulnerability by way of the PAN-OS administration interface. Presently, we have no idea the specifics of the claimed vulnerability. We’re actively monitoring for indicators of any exploitation,” it mentioned.
“We strongly suggest prospects to make sure entry to your administration interface is configured appropriately in accordance with our advisable finest follow deployment pointers.
“Cortex Xpanse and Cortex XSIAM prospects with the ASM module can examine web uncovered cases by reviewing alerts generated by the Palo Alto Networks Firewall Admin Login assault floor rule.”
The corporate suggested prospects to dam entry from the Web to their firewalls’ PAN-OS administration interface and solely permit connections from trusted inside IP addresses.
In line with a separate help doc on Palo Alto Networks’ group web site, admins may take a number of of the next measures to cut back the administration interface’s publicity:
- Isolate the administration interface on a devoted administration VLAN.
- Use leap servers to entry the mgt IP. Customers authenticate and connect with the leap server earlier than logging in to the firewall/Panorama.
- Restrict inbound IP addresses to your mgt interface to authorized administration units. It will cut back the assault floor by stopping entry from sudden IP addresses and prevents entry utilizing stolen credentials.
- Solely allow secured communication corresponding to SSH, HTTPS.
- Solely permit PING for testing connectivity to the interface.
Crucial lacking authentication flaw exploited in assaults
On Thursday, CISA additionally warned of ongoing assaults exploiting a important lacking authentication vulnerability in Palo Alto Networks Expedition tracked as CVE-2024-5910. This safety flaw was patched in July and menace actors can remotely exploit it to reset utility admin credentials on Web-exposed Expedition servers.
Whereas CISA did not present extra particulars on these assaults, Horizon3.ai vulnerability researcher Zach Hanley launched a proof-of-concept exploit final month that chains it with a command injection vulnerability (tracked as CVE-2024-9464) to realize “unauthenticated” arbitrary command execution on weak Expedition servers.
CVE-2024-9464 will also be chained with different safety flaws—addressed by Palo Alto Networks in October—to take over admin accounts and hijack PAN-OS firewalls.
The U.S. cybersecurity company additionally added the CVE-2024-5910 vulnerability to its Identified Exploited Vulnerabilities Catalog, ordering federal businesses to safe their programs towards assaults inside three weeks, by November 28.
“These kind of vulnerabilities are frequent assault vectors for malicious cyber actors and pose vital dangers to the federal enterprise,” warned CISA.