PAN-SA-2024-0015 Critical Security Bulletin: Ensure Access to Management Interface is Secured
Description
Palo Alto Networks has observed threat activity exploiting an unauthenticated remote command execution vulnerability against a limited number of firewall management interfaces that are exposed to the Internet. We are actively investigating this activity.
We strongly recommend that customers ensure access to the management interface is configured in accordance with our recommended best-practice deployment guidelines. In particular, ensure immediately that the management interface is reachable only from trusted internal IPs and not from the Internet. The vast majority of firewalls already follow this Palo Alto Networks and industry best practice.
Please follow the link below for additional information on securing the management interface according to best practices:
How to Secure the Management Access of Your Palo Alto Networks Device: https://live.paloaltonetworks.com/t5/community-blogs/tips-amp-tricks-how-to-secure-the-management-access-of-your-palo/ba-p/464431
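The best practice above can be checked offline against an exported PAN-OS configuration. The following script is an added example and not Palo Alto Networks code; it assumes the permitted management sources live at the XPath `devices/entry/deviceconfig/system/permitted-ip/entry` in the exported XML (adjust if your PAN-OS version differs), and it treats "trusted internal IPs" as the RFC 1918 ranges.

```python
"""Audit a PAN-OS configuration export for management-interface exposure."""
import ipaddress
import xml.etree.ElementTree as ET

# Assumed XPath for the permitted management sources (adjust for your version).
PERMITTED_IP_PATH = "./devices/entry/deviceconfig/system/permitted-ip/entry"

# "Trusted internal IPs" is taken here to mean the RFC 1918 ranges.
RFC1918 = [ipaddress.ip_network(n) for n in
           ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed sample config: one trusted entry and one that matches everything.
SAMPLE_CONFIG = """<config>
  <devices>
    <entry name="localhost.localdomain">
      <deviceconfig>
        <system>
          <permitted-ip>
            <entry name="10.20.0.0/24"/>
            <entry name="0.0.0.0/0"/>
          </permitted-ip>
        </system>
      </deviceconfig>
    </entry>
  </devices>
</config>"""


def permitted_sources(config_xml: str) -> list[str]:
    """Return the permitted-ip entries as CIDR strings (empty = no restriction)."""
    root = ET.fromstring(config_xml)
    return [e.get("name") for e in root.findall(PERMITTED_IP_PATH) if e.get("name")]


def audit(config_xml: str) -> list[str]:
    """Flag entries that violate 'trusted internal IPs only'; empty list = clean."""
    findings = []
    entries = permitted_sources(config_xml)
    if not entries:
        # An empty list means logins are accepted from any source address.
        findings.append("no permitted-ip entries: management access is unrestricted")
    for cidr in entries:
        net = ipaddress.ip_network(cidr, strict=False)  # bare IPs become /32
        if net.prefixlen == 0:
            findings.append(f"{cidr}: matches every source address")
        elif net.version != 4 or not any(net.subnet_of(p) for p in RFC1918):
            findings.append(f"{cidr}: outside RFC 1918, verify it is a trusted internal range")
    return findings
```

Run `audit()` over each firewall's exported running config; any finding means the device does not yet match the guidance in this bulletin.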
We currently believe that neither Prisma Access nor Cloud NGFW would be affected.
If access to the management interface is restricted to trusted IPs, the risk of exploitation is greatly reduced, as any potential attack would first require privileged access to those IPs. The CVSS score for this scenario is 7.5 High (CVSS:4.0/AV:N/AC:L/AT:P/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:A/AU:N/R:U/V:C/RE:H/U:Red)
Required Configuration for Exposure
At this time we believe that devices whose management interface access is not secured according to our recommended best-practice deployment guidelines are at increased risk.
Steps to identify your devices:
Step 1. To find your assets that require remediation action, visit the Assets section of the Customer Support Portal at https://support.paloaltonetworks.com (Products → Assets → All Assets → Remediation Required).
Step 2. Devices with an internet-facing management interface discovered in our scans are listed there and tagged with PAN-SA-2024-0015. If no such devices are listed, our scan did not find any devices with an internet-facing management interface for your account.
Severity: CRITICAL
CVSSv4.0 Base Score: 9.3 (CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:L/SI:L/SA:L/E:A/AU:Y/R:U/V:C/RE:M/U:Red)
Exploitation Status
Palo Alto Networks has observed threat activity exploiting an unauthenticated remote command execution vulnerability against a limited number of firewall management interfaces which are exposed to the Internet.
Solution
At this time, securing access to the management interface is the recommended action.
As we investigate the threat activity, we are preparing to release fixes and threat prevention signatures as early as possible.
We will continue to update this advisory as more information is available.
Please subscribe to the RSS feed, https://security.paloaltonetworks.com/rss.xml, or email notices at https://support.paloaltonetworks.com/SupportAccount/Preferences for notifications.
Frequently Asked Questions
Q. Is there active exploitation?
Palo Alto Networks has observed threat activity exploiting an unauthenticated remote command execution vulnerability on a limited number of firewall management interfaces exposed to the Internet.
Q. Are there any indicators of compromise?
We observed threat activity originating from the following IP addresses and destined for a PAN-OS management web interface IP and port accessible on the Internet:
* 136.144.17[.]*
* 173.239.218[.]251
* 216.73.162[.]*
Note: these IP addresses may represent third-party VPNs with legitimate user activity originating from these IPs to other destinations.
We observed a webshell with checksum 3C5F9034C86CB1952AA5BB07B4F77CE7D8BB5CC9FE5C029A32C72ADC7E814668.
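The listed source addresses can be matched against management-interface access logs. The script below is an added example, not Palo Alto Networks code: it refangs the advisory's patterns (a trailing `*` is read as the whole last octet, i.e. a /24) and scans a constructed, generic log layout of `<timestamp> src=<ip> <request>`, which is an assumption to adapt to the log format you actually export. As the note above says, a match is a lead for triage, since these addresses may also carry legitimate VPN traffic.

```python
"""Match management-interface access-log sources against the advisory IoCs."""
import ipaddress
import re

# IoC patterns exactly as published in the advisory (defanged with "[.]").
ADVISORY_IOCS = ["136.144.17[.]*", "173.239.218[.]251", "216.73.162[.]*"]


def refang(pattern: str) -> ipaddress.IPv4Network:
    """Convert a defanged pattern to a network; a trailing '*' covers the last octet."""
    dotted = pattern.replace("[.]", ".")
    if dotted.endswith(".*"):
        return ipaddress.ip_network(dotted[:-1] + "0/24")
    return ipaddress.ip_network(dotted + "/32")


IOC_NETWORKS = [refang(p) for p in ADVISORY_IOCS]

# Assumed generic log layout: "<timestamp> src=<ip> <rest>"; adapt to your export.
LINE_RE = re.compile(r"^(?P<ts>\S+) src=(?P<src>\d{1,3}(?:\.\d{1,3}){3})\b")

# Constructed sample lines: two listed sources, one internal admin,
# one malformed line and one near-miss outside the listed /24.
SAMPLE_LOG = """\
2024-11-08T10:01:12Z src=136.144.17.44 GET /
2024-11-08T10:01:15Z src=10.20.0.7 GET /
2024-11-08T10:02:01Z src=173.239.218.251 POST /
garbage line without a source field
2024-11-08T10:03:40Z src=216.73.161.9 GET /
"""


def matching_sources(log_text: str) -> list[tuple[str, str, str]]:
    """Return (timestamp, source IP, matched IoC pattern) for every hit, in log order."""
    hits = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # no parsable source address on this line
        try:
            src = ipaddress.ip_address(m["src"])
        except ValueError:
            continue  # octet out of range, e.g. 999.1.1.1
        for pattern, net in zip(ADVISORY_IOCS, IOC_NETWORKS):
            if src in net:
                hits.append((m["ts"], m["src"], pattern))
                break
    return hits
```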
Q. Can I use Xpanse and XSIAM to identify PAN-OS management interfaces?
Cortex Xpanse and Cortex XSIAM customers with the ASM module can investigate internet-exposed instances by reviewing alerts generated by the Palo Alto Networks Firewall Admin Login attack surface rule.
Q. If the firewall management interface is deployed per best practices, do I need to take any action?
There is no further action needed at this time.
Q. How did you identify that my device had an internet-facing management interface?
Palo Alto Networks detects public-facing customer NGFW management interfaces through routine, non-intrusive Internet scanning. The results are analyzed using proprietary indicators to determine device attributes (e.g., model) with a high degree of accuracy. Based on the detected IP addresses, Palo Alto Networks attributes an Internet-exposed device to a given customer by cross-referencing the IP with the serial number in our internal records.
Devices discovered this way in the past few days are listed in the Remediation Required list under the Assets section of the Customer Support Portal (Products → Assets → All Assets → Remediation Required). This list may not be complete, so please ensure that you verify that all of your devices are properly configured.