Palo Alto Networks warns of potential PAN-OS RCE vulnerability

Today, cybersecurity company Palo Alto Networks warned customers to restrict access to their next-generation firewalls because of a potential remote code execution vulnerability in the PAN-OS management interface.

In a security advisory published on Friday, the company said it doesn't yet have additional information regarding this alleged security flaw and added that it has yet to detect signs of active exploitation.

"Palo Alto Networks is aware of a claim of a remote code execution vulnerability via the PAN-OS management interface. At this time, we do not know the specifics of the claimed vulnerability. We are actively monitoring for signs of any exploitation," it said.

"We strongly recommend customers to ensure access to your management interface is configured correctly in accordance with our recommended best practice deployment guidelines.

"Cortex Xpanse and Cortex XSIAM customers with the ASM module can investigate internet exposed instances by reviewing alerts generated by the Palo Alto Networks Firewall Admin Login attack surface rule."

The company advised customers to block access from the Internet to their firewalls' PAN-OS management interface and only allow connections from trusted internal IP addresses.

According to a separate support document on Palo Alto Networks' community website, admins can also take one or more of the following measures to reduce the management interface's exposure:

Isolate the management interface on a dedicated management VLAN. Use jump servers to access the mgt IP. Users authenticate and connect to the jump server before logging in to the firewall/Panorama. Limit inbound IP addresses to your mgt interface to approved management devices. This will reduce the attack surface by preventing access from unexpected IP addresses and prevents access using stolen credentials. Only permit secured communication such as SSH, HTTPS. Only allow PING for testing connectivity to the interface.

Critical missing authentication flaw exploited in attacks

On Thursday, CISA also warned of ongoing attacks exploiting a critical missing authentication vulnerability in Palo Alto Networks Expedition tracked as CVE-2024-5910. This security flaw was patched in July and threat actors can remotely exploit it to reset application admin credentials on Internet-exposed Expedition servers.

While CISA didn't provide more details on these attacks, Horizon3.ai vulnerability researcher Zach Hanley released a proof-of-concept exploit last month that chains it with a command injection vulnerability (tracked as CVE-2024-9464) to gain "unauthenticated" arbitrary command execution on vulnerable Expedition servers.

CVE-2024-9464 can also be chained with other security flaws—addressed by Palo Alto Networks in October—to take over admin accounts and hijack PAN-OS firewalls.

The U.S. cybersecurity agency also added the CVE-2024-5910 vulnerability to its Known Exploited Vulnerabilities Catalog, ordering federal agencies to secure their systems against attacks within three weeks, by November 28.

"These types of vulnerabilities are frequent attack vectors for malicious cyber actors and pose significant risks to the federal enterprise," warned CISA.