Threat update
Palo Alto Networks has issued a threat advisory notifying customers of a vulnerability in the PAN-OS management interface that can lead to remote code execution (RCE).
Technical Detail and Additional Info
What is the threat?
The vulnerability, tracked by Palo Alto Networks as PAN-SA-2024-0015 (no CVE number has been announced), affects the PAN-OS management interface. Successful exploitation gives the threat actor remote code execution on the firewall. RCE on a perimeter device is a ready-made foothold: the firewall sits on every network boundary it enforces, so an attacker who controls it can bypass the very network protection controls the device provides and reach segments that would otherwise be unreachable. There is no known exploitation in the wild at the time of writing. However, as no patch is available, it is important to apply the best practices recommended below to protect your network infrastructure.
Why is it noteworthy?
This threat is particularly significant because of what exploitation yields. The affected devices are usually deployed at the network edge, and if the management interface is reachable from the internet, an attacker can establish a presence on the firewall itself and from there move laterally into the internal network.
What is the exposure or risk?
Because the vulnerability is in the PAN-OS management interface, a firewall whose management interface is reachable from the internet is far more exposed than one whose management interface is reachable only from an internal network. Restricting the management interface to a dedicated management VLAN or to a hardened jump box reduces the exposure further: the attacker must first compromise a host that is permitted to reach the interface.
What are the recommendations?
LBT Technology Group recommends that organizations take the following steps to reduce the risk of exploitation and protect critical infrastructure from this and similar threats.
- Limit access to the management interface: permit connections only from a dedicated management VLAN, from an explicit list of approved management hosts, or from a hardened jump box. Do not expose the management interface to the internet.
- Limit access to secure protocols only: permit HTTPS and SSH for administration and Ping only for reachability testing; disable Telnet and HTTP, both of which carry credentials in cleartext.
- Audit access: regularly review which administrator accounts and which source addresses are permitted to reach the management interface, and remove any that are no longer needed.
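As an added worked example (not part of this advisory and not Palo Alto Networks' own tooling), the following Python script checks an exported PAN-OS configuration offline for the three recommendations above: a permitted-IP list that is missing or allows any source, HTTP or Telnet left enabled on the management service, and a management address outside RFC 1918 space. The XML paths it reads (`devices/entry/deviceconfig/system`, `permitted-ip/entry`, `service/disable-http`, `service/disable-telnet`) follow the PAN-OS configuration schema; the two embedded configurations are constructed samples, and the function name `audit_management_config` is this example's own.

```python
"""Offline audit of an exported PAN-OS configuration for management-interface
exposure. Added example for this advisory; not Palo Alto Networks code."""
import ipaddress
import xml.etree.ElementTree as ET

# Constructed sample: a firewall whose management interface is wide open.
WEAK_CONFIG = """<config version="10.2.0">
  <devices>
    <entry name="localhost.localdomain">
      <deviceconfig>
        <system>
          <ip-address>203.0.113.10</ip-address>
          <netmask>255.255.255.0</netmask>
          <permitted-ip>
            <entry name="0.0.0.0/0"/>
          </permitted-ip>
          <service>
            <disable-http>no</disable-http>
            <disable-telnet>no</disable-telnet>
            <disable-https>no</disable-https>
            <disable-ssh>no</disable-ssh>
            <disable-icmp>no</disable-icmp>
          </service>
        </system>
      </deviceconfig>
    </entry>
  </devices>
</config>"""

# Constructed sample: the same firewall after applying the recommendations.
HARDENED_CONFIG = """<config version="10.2.0">
  <devices>
    <entry name="localhost.localdomain">
      <deviceconfig>
        <system>
          <ip-address>10.10.1.5</ip-address>
          <netmask>255.255.255.0</netmask>
          <permitted-ip>
            <entry name="10.10.10.0/24"/>
            <entry name="10.10.10.50"/>
          </permitted-ip>
          <service>
            <disable-http>yes</disable-http>
            <disable-telnet>yes</disable-telnet>
            <disable-https>no</disable-https>
            <disable-ssh>no</disable-ssh>
            <disable-icmp>no</disable-icmp>
          </service>
        </system>
      </deviceconfig>
    </entry>
  </devices>
</config>"""

SYSTEM_PATH = "./devices/entry/deviceconfig/system"
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
# Cleartext protocols that must be explicitly disabled on the management service.
CLEARTEXT_SERVICES = (("disable-http", "HTTP"), ("disable-telnet", "Telnet"))


def audit_management_config(xml_text):
    """Return a list of findings; an empty list means no issue was detected."""
    system = ET.fromstring(xml_text).find(SYSTEM_PATH)
    if system is None:
        return ["no deviceconfig/system subtree found; is this a PAN-OS export?"]
    findings = []

    # 1. Management address: anything outside RFC 1918 space deserves a look,
    #    since a public address is the usual precondition for internet exposure.
    addr = system.findtext("ip-address")
    if addr and not any(ipaddress.ip_address(addr) in net for net in RFC1918):
        findings.append(f"management IP {addr} is outside RFC 1918 space; confirm it is not internet-reachable")

    # 2. Permitted IP list: absent means "accept from anywhere"; a /0 entry is the same thing spelled out.
    entries = [e.get("name") for e in system.findall("permitted-ip/entry")]
    if not entries:
        findings.append("no permitted-ip list: management interface accepts connections from any source")
    for name in entries:
        if ipaddress.ip_network(name, strict=False).prefixlen == 0:
            findings.append(f"permitted-ip entry {name} allows any source")

    # 3. Cleartext services: "yes" on the disable-* element is the safe value.
    for element, label in CLEARTEXT_SERVICES:
        value = system.findtext(f"service/{element}")
        if value is None:
            findings.append(f"{label}: {element} not present in export; verify it is disabled")
        elif value.strip().lower() != "yes":
            findings.append(f"{label} management access is enabled (cleartext credentials); set {element} to yes")
    return findings


if __name__ == "__main__":
    for label, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(f"[{label}]")
        for finding in audit_management_config(cfg) or ["no findings"]:
            print("  -", finding)
```

Point the script at an export taken from Device > Setup > Operations > Export named configuration snapshot. The settings it inspects correspond to the PAN-OS CLI commands `set deviceconfig system permitted-ip <address/prefix>` and `set deviceconfig system service disable-http yes` / `disable-telnet yes` (followed by `commit`), which are the remediation for the first two findings; the management address check is a prompt to verify reachability, since a non-RFC 1918 address is not by itself proof of internet exposure.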
References
For more in-depth information about the recommendations, please visit the following links:
- https://thehackernews.com/2024/11/palo-alto-advises-securing-pan-os.html
- https://security.paloaltonetworks.com/PAN-SA-2024-0015
- https://live.paloaltonetworks.com/t5/community-blogs/tips-amp-tricks-how-to-secure-the-management-access-of-your-palo/ba-p/464431
If you have any questions, please contact LBT's Sales Engineer.