Palo Alto updates advisory about firewall bug after discovering exploitation attempts
Cybersecurity company Palo Alto Networks is warning customers that hackers are attempting to exploit a recently discovered vulnerability affecting a line of its firewall products.
The company initially published an advisory about the issue on November 8 before updating it on Thursday to confirm that it is now being exploited.
The bug, tracked as PAN-SA-2024-0015 and CVE-2024-0012, was upgraded to the highest urgency and given a severity score of 9.3 out of 10. It affects the management interfaces of the company's Next-Generation Firewalls (NGFW) and can allow an attacker to take control of the device. Thousands of installations of the product are potentially affected, researchers say.
“Palo Alto Networks has observed threat activity exploiting an unauthenticated remote command execution vulnerability against a limited number of firewall management interfaces which are exposed to the Internet,” the company said, adding that it was still investigating the activity.
“We strongly recommend customers ensure access to your management interface is configured correctly in accordance with our recommended best practice deployment guidelines,” the advisory said. “In particular, we recommend that you immediately ensure that access to the management interface is possible only from trusted internal IPs and not from the Internet.”
Palo Alto Networks noted that the “vast majority of firewalls already follow” this advice. On Monday, U.K. cybersecurity nonprofit The Shadowserver Foundation said it found about 11,000 IP addresses exposed to the vulnerability — with hundreds located in several U.S. states. By Friday, the total number dipped to about 8,700.
Other internet researchers pegged the number of exposed systems even higher at around 31,000.
Palo Alto Networks said the severity of the issue is significantly decreased if IP access is restricted because any potential attack “would first require privileged access to those IPs.”
The advisory provided detailed information on how customers can identify potentially exposed, internet-facing management interfaces that require remediation.
The company also noted that it can detect public-facing NGFW interfaces “through routine, nonintrusive Internet scanning” that has a “high degree of accuracy.”
“Based on detected IP addresses, Palo Alto Networks is able to attribute an Internet-exposed device back to a given customer by cross-referencing the IP to the serial number with our internal records,” the advisory said.
The company is notifying customers whether some of their devices were discovered, but it warned that the list “may not be complete, so please ensure that you verify that all of your devices are properly configured.”
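The advisory's core mitigation is to make sure the management interface answers only to trusted internal addresses. As an added illustration (not code from Palo Alto Networks or from the advisory), the following Python script audits an exported PAN-OS configuration for that restriction. It assumes the export stores the management interface's "Permitted IP Addresses" list at `deviceconfig/system/permitted-ip` with one `entry` per network; the sample configuration, the address ranges in it and the trusted-network list are constructed for the example and should be replaced with your own.

```python
import ipaddress
import xml.etree.ElementTree as ET

# Constructed sample in the shape of a PAN-OS running-config export. The path
# deviceconfig/system/permitted-ip for the management "Permitted IP Addresses"
# list is an assumption of this example; the addresses are documentation ranges.
SAMPLE_CONFIG = """<config version="10.2.0">
  <devices>
    <entry name="localhost.localdomain">
      <deviceconfig>
        <system>
          <ip-address>203.0.113.10</ip-address>
          <permitted-ip>
            <entry name="10.0.0.0/8"/>
            <entry name="0.0.0.0/0"/>
            <entry name="198.51.100.7/32"/>
          </permitted-ip>
        </system>
      </deviceconfig>
    </entry>
  </devices>
</config>
"""

# Networks the organization treats as "trusted internal" for management access.
# This is a policy choice, not something the firewall knows; adjust to your sites.
TRUSTED_INTERNAL = [
    ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")
]


def permitted_ips(config_xml):
    """Return the management-interface permitted-ip entries found in the export."""
    root = ET.fromstring(config_xml)
    return [e.get("name") for e in root.iterfind(".//deviceconfig/system/permitted-ip/entry")]


def audit_management_access(config_xml, trusted=TRUSTED_INTERNAL):
    """Classify each permitted-ip entry.

    Returns a list of (finding, entry) pairs:
      NO_RESTRICTION  - the list is empty, so any source may reach the interface
      ANY_SOURCE      - a /0 entry, which is equivalent to no restriction
      OUTSIDE_TRUSTED - an entry that is not contained in a trusted internal network
      OK              - an entry fully inside a trusted internal network
    """
    entries = permitted_ips(config_xml)
    if not entries:
        return [("NO_RESTRICTION", "")]
    findings = []
    for name in entries:
        net = ipaddress.ip_network(name, strict=False)
        if net.prefixlen == 0:
            findings.append(("ANY_SOURCE", name))
        elif any(net.subnet_of(t) for t in trusted if t.version == net.version):
            findings.append(("OK", name))
        else:
            findings.append(("OUTSIDE_TRUSTED", name))
    return findings


def needs_remediation(config_xml, trusted=TRUSTED_INTERNAL):
    """True if anything other than trusted internal ranges can reach the interface."""
    return any(f != "OK" for f, _ in audit_management_access(config_xml, trusted))


if __name__ == "__main__":
    for finding, entry in audit_management_access(SAMPLE_CONFIG):
        print(f"{finding:16} {entry}")
    print("remediation needed:", needs_remediation(SAMPLE_CONFIG))
```

The script deliberately does not rely on Python's `is_private` check: that flag treats documentation ranges such as 198.51.100.0/24 and the whole of 0.0.0.0/0 as private, so matching against an explicit list of your own internal networks is the safer test. An empty `permitted-ip` list is reported as a finding rather than as "nothing configured", because on the management interface no restriction means every source is allowed.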
The next steps will include releasing fixes for the bug and more threat prevention information, the advisory said.
“We do not have sufficient information about any indicators of compromise to share at this time. If the management interface was exposed to the Internet, we advise the customer to monitor for suspicious threat activity such as unrecognized configuration changes or users,” the company explained.
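With no indicators of compromise published, the advice is to look for configuration changes or administrator accounts you do not recognize. As an added example (not from Palo Alto Networks or the advisory), the following Python code runs that kind of review over firewall configuration-log records. It uses a simplified, constructed comma-separated layout (time, type, host, cmd, admin, client, result, path) rather than the full PAN-OS export format, so real exports need their columns mapped into that shape first; the sample lines, the known-administrator set, the trusted source network and the `mgt-config users` path prefix are all assumptions of the example.

```python
import csv
import io
import ipaddress
from collections import namedtuple

# Constructed sample configuration-log lines in a simplified layout assumed for
# this example. The path strings imitate PAN-OS configuration paths but are not
# taken from any real device.
SAMPLE_LOG = """\
2024/11/18 09:12:04,CONFIG,10.1.20.5,edit,admin,Web,Succeeded,network interface ethernet1/3
2024/11/18 09:13:40,CONFIG,10.1.20.5,commit,admin,Web,Succeeded,
2024/11/18 23:41:17,CONFIG,198.51.100.23,add,admin,Web,Succeeded,mgt-config users svc_backup
2024/11/18 23:42:02,CONFIG,198.51.100.23,commit,admin,Web,Succeeded,
2024/11/19 00:05:55,CONFIG,198.51.100.23,set,svc_backup,CLI,Succeeded,deviceconfig system permitted-ip 0.0.0.0/0
"""

# Baseline the reviewer supplies: administrators that are expected to exist and
# the networks from which administrative sessions are expected to originate.
KNOWN_ADMINS = {"admin", "netops"}
TRUSTED_SOURCES = [ipaddress.ip_network("10.0.0.0/8")]

Event = namedtuple("Event", "time type host cmd admin client result path")
CHANGE_CMDS = {"add", "set", "edit", "delete"}


def parse_log(text):
    """Parse the simplified CSV layout into Event records, skipping short rows."""
    return [Event(*row[:8]) for row in csv.reader(io.StringIO(text)) if len(row) >= 8]


def flag_events(events, known_admins=KNOWN_ADMINS, trusted=TRUSTED_SOURCES):
    """Return (reason, event) pairs for activity that deserves a closer look.

    UNKNOWN_ADMIN      - the acting administrator is not in the baseline
    UNTRUSTED_SOURCE   - the session came from outside the trusted networks
    NEW_ADMIN_ACCOUNT  - an administrator account was added
    MGMT_ACL_CHANGE    - the management permitted-ip list was changed
    """
    flagged = []
    for ev in events:
        source = ipaddress.ip_address(ev.host)
        if ev.admin not in known_admins:
            flagged.append(("UNKNOWN_ADMIN", ev))
        if not any(source in net for net in trusted):
            flagged.append(("UNTRUSTED_SOURCE", ev))
        if ev.cmd == "add" and ev.path.startswith("mgt-config users"):
            flagged.append(("NEW_ADMIN_ACCOUNT", ev))
        if ev.cmd in CHANGE_CMDS and "permitted-ip" in ev.path:
            flagged.append(("MGMT_ACL_CHANGE", ev))
    return flagged


def reasons(events):
    """Distinct reasons raised over the whole log, sorted for stable reporting."""
    return sorted({reason for reason, _ in flag_events(events)})


if __name__ == "__main__":
    for reason, ev in flag_events(parse_log(SAMPLE_LOG)):
        print(f"{reason:18} {ev.time} {ev.admin}@{ev.host} {ev.cmd} {ev.path}")
```

In the constructed sample the first two lines are routine and raise nothing; the later lines show the pattern the advisory warns about: a new administrator account created from an untrusted address, then that account widening the management access list. Treat a finding as a prompt to confirm the change with the administrator named, not as proof of compromise; both of the baselines are yours to maintain.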
The Cybersecurity and Infrastructure Security Agency published its own warning about the issue on Friday, noting that Palo Alto Networks recently became aware of “claims of an unverified remote code execution vulnerability.” An information-sharing organization for the water and wastewater sector also warned its members about the issue.
Several customers of Palo Alto Networks pointed to a now-deleted dark web post about a zero-day vulnerability being sold that targeted the devices in question.
The updated advisory came in the same week that CISA warned of several other Palo Alto Networks vulnerabilities currently being exploited by hackers.
Jonathan Greig is a Breaking News Reporter at Recorded Future News. Jonathan has worked across the globe as a journalist since 2014. Before moving back to New York City, he worked for news outlets in South Africa, Jordan and Cambodia. He previously covered cybersecurity at ZDNet and TechRepublic.