Last week, Palo Alto Networks warned customers to limit access to their next-gen firewall management interface due to a potential remote code execution vulnerability (CVSSv4.0 Base Score: 9.3) in PAN-OS. The cybersecurity company had no further details on the vulnerability and was not aware of the active exploitation of the flaw.
“Palo Alto Networks is aware of a claim of a remote code execution vulnerability via the PAN-OS management interface. At this time, we do not know the specifics of the claimed vulnerability. We are actively monitoring for signs of any exploitation.” reads the advisory. “We strongly recommend customers to ensure access to your management interface is configured correctly in accordance with our recommended best practice deployment guidelines. In particular, we recommend that you ensure that access to the management interface is possible only from trusted internal IPs and not from the Internet. The vast majority of firewalls already follow this Palo Alto Networks and industry best practice.”
Palo Alto Networks recommended reviewing best practices for securing management access to its devices.
Guidelines to secure the Palo Alto management interface include isolating it on a dedicated management VLAN, using jump servers for access, limiting inbound IP addresses to approved management devices, and allowing only secure communication (SSH, HTTPS) and PING for connectivity testing.
The cybersecurity firm stated that it does not have sufficient information about any indicators of compromise.
Now the company confirmed that the zero-day in its PAN-OS firewall management interface has been actively exploited in the wild and released indicators of compromise (IoCs).
“Palo Alto Networks has observed threat activity exploiting an unauthenticated remote command execution vulnerability against a limited number of firewall management interfaces which are exposed to the Internet. We are actively investigating this activity.” reads the advisory.
“We strongly recommend customers ensure access to your management interface is configured correctly in accordance with our recommended best practice deployment guidelines. In particular, we recommend that you immediately ensure that access to the management interface is possible only from trusted internal IPs and not from the Internet. The vast majority of firewalls already follow this Palo Alto Networks and industry best practice.”
The cybersecurity firm observed malicious activities originating from the following IP addresses
The advisory pointed out that these IP addresses may be associated with VPN services, for this reason, they are also associated with legitimate user activity.
Palo Alto states that the zero-day has been exploited to deploy web shells on compromised devices, granting persistent remote access. A CVE is pending assignment.
“We observed a webshell with checksum 3C5F9034C86CB1952AA5BB07B4F77CE7D8BB5CC9FE5C029A32C72ADC7E814668.” reads the advisory.
Restricting management interface access to specific IPs significantly reduces exploitation risk, requiring privileged access first. In this scenario, the CVSS score drops to 7.5 (High).
This week, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) added the following Palo Alto Expedition vulnerabilities to its Known Exploited Vulnerabilities (KEV) catalog:
Follow me on Twitter: @securityaffairs and Facebook and Mastodon
(SecurityAffairs – hacking, RCE)