Palo Alto Networks has released fixes for two exploits affecting its firewalls and virtual security devices. Taken together, the flaws allow attackers to execute malicious code with very high permissions on the PAN-OS operating system, taking full control of the devices.
Palo Alto issued an advisory earlier this month warning customers that it was investigating reports of a remote code execution (RCE) vulnerability in the PAN-OS web-based management interface and advised them to follow recommended steps to secure access to that interface.
In its investigation, the company discovered that the RCE attack was the result of not one, but two vulnerabilities, which were exploited in an already limited attack against devices with their management interface exposed to the Internet.
To ensure the passage and escalation of rights
The first vulnerability (CVE-2024-0012) is rated critical with a score of 9.3 out of 10. By exploiting this issue, attackers can bypass authentication and gain administrative privileges on the administrative interface, enabling them to perform administrative actions and change settings.
While this is bad enough, it does not directly lead to full system corruption unless this functionality can be used to execute malicious code on the underlying operating system.
It turns out that the attackers found such a way through the second vulnerability (CVE-2024-9474), which allows anyone with administrative privileges on the web interface to execute code on a Linux-based OS as root – the highest possible privilege.
Both vulnerabilities affect PAN-OS 10.2, PAN-OS 11.0, PAN-OS 11.1, and PAN-OS 11.2, all of which have received patches.
The mistakes were small
Researchers at security firm watchTowr traced back Palo Alto’s patches to analyze both vulnerabilities and concluded that the flaws were the result of fundamental flaws in the development process.
To ensure that authentication is required for the user to access the page, the PAN OS management interface checks whether the X-Pan-Authcheck request header is set to on or off. The Nginx proxy server that forwards requests to the Apache server hosting the web application automatically sets X-Pan-Authcheck on based on the request route. In some cases, X-Pan-Authcheck is enabled because a location – for example, the /unauth/ directory – must be accessible without authentication, but almost everything except /unauth/ must have a header set, which should result in the user being redirected to the login page.
However, watchTowr researchers discovered that a redirect script called uiEnvSetup.php expects the value of HTTP_X_PAN_AUTHCHECK to be disabled, and if this is provided in the request, the server will automatically accept it.
“We simply… provide the closed value in the X-PAN-AUTHCHECK HTTP request header, and the server disables authentication?!,” the researchers wrote in their report. “For now, why is anyone surprised?”
The second bug, and it’s worth mentioning, is a command injection bug that allows shell commands to be passed as a username to a function called AuditLog.write(), which then passes the injected command to pexecute(). But the overburdening of the logging industry is actually the result of a different industry that is itself more alarming, according to the researchers.
The function allows Palo Alto Panorama devices to specify a user’s role and the user they wish to assume, and then obtain a fully authenticated PHP session ID without having to provide a password or pass two-factor authentication.
Overall, because of this software structure, the attacker can pass the shell payload as part of the username field to impersonate a specific user and role, which will be passed to AuditLog.write() and then pexecute(), resulting in its execution on the underlying OS.
“It’s surprising that these two bugs made their way into a production machine, which surprisingly allowed for a bunch of shell script applications lurking on the Palo Alto hardware,” they wrote in their analysis.
Reduction
In addition to updating affected shortcuts to newly released versions, administrators should restrict access to the management interface to only trusted IP addresses. The management interface can also be isolated to a dedicated management VLAN or it can be configured to be accessed by so-called jump servers that require separate authentication first.
Leaving PAN-OS management interfaces exposed to the Internet is very dangerous as this is not the first, and certainly not the last, RCE vulnerability found in such devices. Earlier this year, Palo Alto Networks published a zero-day RCE flaw (CVE-2024-3400) in PAN-OS that was exploited by a national threat actor.
The Palo Alto Networks threat hunting team is tracking the CVE-2024-0012 and CVE-2024-9474 exploits under the name Operation Lunar Peak and has published related compromise indicators.
“This activity primarily originates from IP addresses known to proxy/tunnel traffic for anonymous VPN services,” the team said. “Identified post-exploit activity includes executing command prompts and dropping malware, such as webshells, on the firewall.”
Source link