Today, cybersecurity firm Palo Alto Networks warned customers to restrict access to their next-generation firewalls because of a potential remote code execution vulnerability in the PAN-OS management interface.
In a security advisory published on Friday, the company said it does not yet have additional information regarding this alleged security flaw and added that it has yet to detect signs of active exploitation.
“Palo Alto Networks is aware of a claim of a remote code execution vulnerability via the PAN-OS management interface. At this time, we do not know the specifics of the claimed vulnerability. We are actively monitoring for signs of any exploitation,” it said.
“We strongly recommend customers to ensure access to your management interface is configured correctly in accordance with our recommended best practice deployment guidelines.
“Cortex Xpanse and Cortex XSIAM customers with the ASM module can investigate internet exposed instances by reviewing alerts generated by the Palo Alto Networks Firewall Admin Login attack surface rule.”
The company advised customers to block access from the Internet to their firewalls' PAN-OS management interface and only allow connections from trusted internal IP addresses.
According to a separate support document on Palo Alto Networks' community website, admins can also take one or more of the following measures to reduce the management interface's exposure:
- Isolate the management interface on a dedicated management VLAN.
- Use jump servers to access the mgt IP. Users authenticate and connect to the jump server before logging in to the firewall/Panorama.
- Limit inbound IP addresses to your mgt interface to approved management devices. This reduces the attack surface by preventing access from unexpected IP addresses and blocks access using stolen credentials.
- Only permit secured communication such as SSH and HTTPS.
- Only allow PING for testing connectivity to the interface.
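As an added illustration of the measures in this list (not part of the original article and not Palo Alto Networks tooling), the following Python script audits a hypothetical management-interface policy export against them and flags admin logins whose source lies outside the approved management networks. The policy dict, the log lines and both of their formats are constructed for this example; they do not reproduce PAN-OS's configuration or log syntax.

```python
"""Audit a management-interface policy and admin-login log against the
hardening measures listed above.

Everything below (policy structure, log format, sample values) is constructed
for illustration and is not PAN-OS's real configuration or log format.
"""
import ipaddress
import re

# Services the guidance allows on the management interface: SSH, HTTPS, ping.
ALLOWED_SERVICES = {"ssh", "https", "ping"}

# RFC 1918 ranges treated as "trusted internal" for the permitted-ip check.
INTERNAL_RANGES = [
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("172.16.0.0/12"),
    ipaddress.ip_network("192.168.0.0/16"),
]

# Hypothetical policy export: enabled services and permitted source networks.
# Deliberately weak so the audit has something to report.
POLICY = {
    "services": ["ssh", "https", "ping", "http", "telnet"],
    "permitted_ip": ["10.20.30.0/24", "0.0.0.0/0"],
}

# Constructed admin-login records (invented format).
LOG_LINES = [
    "2024-11-08T09:12:01Z admin-login user=admin src=10.20.30.15 result=success",
    "2024-11-08T09:13:44Z admin-login user=admin src=203.0.113.77 result=success",
    "2024-11-08T09:14:02Z admin-login user=ops src=198.51.100.9 result=failure",
]

LOG_RE = re.compile(
    r"admin-login user=(?P<user>\S+) src=(?P<src>\S+) result=(?P<result>\S+)"
)


def _is_internal(net):
    """True if `net` sits entirely inside one of the RFC 1918 ranges."""
    return any(
        rng.version == net.version and net.subnet_of(rng) for rng in INTERNAL_RANGES
    )


def audit_policy(policy):
    """Return a list of findings; an empty list means the policy meets the measures."""
    findings = []
    for svc in policy.get("services", []):
        if svc.lower() not in ALLOWED_SERVICES:
            findings.append(f"insecure or unnecessary service enabled: {svc}")
    nets = [ipaddress.ip_network(n, strict=False) for n in policy.get("permitted_ip", [])]
    if not nets:
        findings.append("permitted-ip list is empty: interface reachable from any source")
    for net in nets:
        if net.prefixlen == 0:
            findings.append(f"permitted-ip allows every address: {net}")
        elif not _is_internal(net):
            findings.append(f"permitted-ip allows a non-internal range: {net}")
    return findings


def unexpected_logins(log_lines, trusted_networks):
    """Return (user, src, result) for admin logins from outside the trusted networks.

    Logins that succeed from an unexpected source are the case to investigate
    first: they are consistent with exposure plus stolen credentials.
    """
    nets = [ipaddress.ip_network(n, strict=False) for n in trusted_networks]
    hits = []
    for line in log_lines:
        m = LOG_RE.search(line)
        if not m:
            continue  # not an admin-login record
        src = ipaddress.ip_address(m["src"])
        if not any(src.version == net.version and src in net for net in nets):
            hits.append((m["user"], str(src), m["result"]))
    return hits


if __name__ == "__main__":
    for finding in audit_policy(POLICY):
        print("POLICY:", finding)
    for user, src, result in unexpected_logins(LOG_LINES, ["10.20.30.0/24"]):
        print(f"LOGIN: user={user} src={src} result={result} (outside trusted networks)")
```

The login check is fed the intended management network rather than the policy's own permitted-ip list on purpose: once a wildcard such as 0.0.0.0/0 is in the policy, comparing against the policy would hide exactly the logins worth reviewing.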
Critical missing authentication flaw exploited in attacks
On Thursday, CISA also warned of ongoing attacks exploiting a critical missing authentication vulnerability in Palo Alto Networks Expedition tracked as CVE-2024-5910. This security flaw was patched in July, and threat actors can remotely exploit it to reset application admin credentials on Internet-exposed Expedition servers.
While CISA did not provide more details on these attacks, Horizon3.ai vulnerability researcher Zach Hanley released a proof-of-concept exploit last month that chains it with a command injection vulnerability (tracked as CVE-2024-9464) to gain “unauthenticated” arbitrary command execution on vulnerable Expedition servers.
CVE-2024-9464 can also be chained with other security flaws, addressed by Palo Alto Networks in October, to take over admin accounts and hijack PAN-OS firewalls.
The U.S. cybersecurity agency also added the CVE-2024-5910 vulnerability to its Known Exploited Vulnerabilities Catalog, ordering federal agencies to secure their systems against attacks within three weeks, by November 28.
“These types of vulnerabilities are frequent attack vectors for malicious cyber actors and pose significant risks to the federal enterprise,” warned CISA.