CISA warns about attacks on 0 day vulnerability in Palo Alto Networks firewalls

[German]An unpatched vulnerability (0-day) exist in the firewalls of Palo Alto Networks. The management interface can be accessed via this vulnerability. This 0-day vulneability is already being exploited for attacks. Both the BSI and the US authority CISA have issued a warning: customers should secure their firewalls immediately.

Warning about a 0-day vulnerability

The warning about an unpatched vulnerability in Palo Alto Networks firewalls can be found in several places on the internet. I noticed the following warning from US CISA, yesterday, November 15, 2024.

In a security advisory a few days ago, the manufacturer had previously announced a potential threat from a vulnerability in its firewall management interface. The US authority CISA warns in this tweet and refers to the vulnerability catalog with exploited vulnerabilities.

Vulnerability CVE-2024-9463

There is a command injection vulnerability CVE-2024-9463 (CVSSv4.0 Base Score: 9.3) in Palo Alto Networks Expedition OS that allows an unauthenticated attacker to execute arbitrary operating system commands as root in Expedition, resulting in the disclosure of usernames, plaintext passwords, device configurations and device API keys of PAN-OS firewalls.

Attacks observed

Palo Alto Networks then updated its security advisory on November 14, 2024. The manufacturer now points out that attacks on vulnerable devices are now taking place. According to the advisory, a limited number of attacks on firewalls whose management interface is accessible on the internet have been confirmed. The urgency of the matter has therefore been raised to the highest level.

The manufacturer is not currently providing any details about the affected versions or devices. However, all models that do not secure the management interface according to best practices and therefore expose it to the outside world are said to be potentially at risk.

Information on what to do to secure the management interface (isolate it from accessibility via the Internet) can be found in the Security Advisory. Palo Alto Networks has also published the document Tips & Tricks: How to Secure the Management Access of Your Palo Alto Networks Device with instructions on how to secure it. Administrators should therefore act immediately.