Threat Advisory: Palo Alto Critical Security Bulletin - CVE-2024-0012

Introduction

Palo Alto Networks has released a security bulletin covering an actively exploited vulnerability affecting internet-facing firewall web management interfaces.

Summary

Palo Alto Networks has observed threat activity exploiting an unauthenticated remote command execution vulnerability. Currently, Palo Alto believes Prisma Access or Cloud NGFWs are not affected. Update to an unaffected version if possible; otherwise, the recommendation is to secure access to your web management interface in accordance with Palo Alto's best practice deployment guidelines. In particular, Palo Alto recommends that you immediately ensure that access to the management interface is possible only from trusted internal IPs.


Impact

Some of the potential impacts when this vulnerability is successfully exploited include:

  1. Unauthorized Palo Alto firewall remote command execution

Immediate Actions

  1. Check if your device(s) require remediation action:
    1. Log in to https://support.paloaltonetworks.com
    2. Navigate to (Products->Assets->All Assets->Remediation Required)
    3. Devices with internet-facing management interfaces will be tagged with PAN-SA-2024-0015
    4. If devices are tagged, proceed to step 2 and follow guidance to secure access
  2. Secure Management Access to your Palo Alto Device: https://live.paloaltonetworks.com/t5/community-blogs/tips-amp-tricks-how-to-securethe-management-access-of-your-palo/ba-p/464431
  3. Update to one of the following unaffected versions of PAN-OS:

    - 11.2.4-h1

    - 11.1.5-h1

    - 11.0.6-h1

    - 10.2.12-h2

For more in-depth workaround and mitigation guidance, please visit the linked resource bulletin.
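For fleets with more than a handful of firewalls, the version check in step 3 can be scripted. The following is an added example, not Palo Alto or advisory code: it compares each device's PAN-OS version with the unaffected version listed above for the same release train. It assumes that later maintenance releases and hotfixes in a listed train keep the fix, and the hostnames and versions in the sample inventory are constructed.

```python
import re

# Unaffected PAN-OS versions listed in this advisory, keyed by release train.
FIXED = {"11.2": "11.2.4-h1", "11.1": "11.1.5-h1",
         "11.0": "11.0.6-h1", "10.2": "10.2.12-h2"}

_VERSION = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:-h(\d+))?$")


def parse(version):
    """Split 'major.minor.maint[-hN]' into a comparable tuple; no hotfix counts as h0."""
    m = _VERSION.match(version.strip())
    if not m:
        raise ValueError(f"unrecognised PAN-OS version: {version!r}")
    major, minor, maint, hotfix = m.groups()
    return int(major), int(minor), int(maint), int(hotfix or 0)


def triage(version):
    """Return 'unaffected', 'update' or 'check-bulletin' for one device version."""
    try:
        parsed = parse(version)
    except ValueError:
        return "check-bulletin"  # unexpected format: do not guess
    fixed = FIXED.get(f"{parsed[0]}.{parsed[1]}")
    if fixed is None:
        return "check-bulletin"  # release train not listed in this advisory
    # Assumption: anything at or above the listed version in the same train is fixed.
    # Tuples compare numerically, so -h10 correctly sorts above -h2.
    return "unaffected" if parsed >= parse(fixed) else "update"


def triage_inventory(inventory):
    """Map each hostname to its triage result."""
    return {host: triage(version) for host, version in inventory.items()}


# Constructed sample inventory; replace with an export from your asset system.
SAMPLE = {
    "fw-edge-01": "11.2.4",      # same maintenance release, missing the hotfix
    "fw-edge-02": "11.1.5-h1",
    "fw-dc-01": "10.2.12-h1",
    "fw-lab-01": "10.1.14",      # train not listed above
}

if __name__ == "__main__":
    for host, status in triage_inventory(SAMPLE).items():
        print(f"{host:12} {SAMPLE[host]:12} {status}")
```

A result of "unaffected" only covers the software version; whether the management interface is reachable from untrusted networks still has to be checked as in steps 1 and 2.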

Resources

https://security.paloaltonetworks.com/PAN-SA-2024-0015

Immediate attention to this matter is highly recommended.

Contact and Further Support

Please reach out to your CSM if you have immediate questions or concerns.
