Analysis & PoC Exploits Released for Palo Alto Zero-Days – CVE-2024-0012 and CVE-2024-9474

Image: Watchtowr

In a recent analysis, security researcher Sonny from watchTowr unveiled the technical intricacies of two zero-day vulnerabilities affecting Palo Alto Networks’ Next-Generation Firewalls (NGFW). Tracked as CVE-2024-0012 and CVE-2024-9474, these flaws have garnered attention from cybersecurity agencies, including the U.S. Cybersecurity and Infrastructure Security Agency (CISA), which added them to its Known Exploited Vulnerabilities Catalog and mandated federal agencies to patch by December 9.

CVE-2024-0012 is an authentication bypass vulnerability in the PAN-OS management web interface. According to Sonny’s analysis, the flaw allows remote attackers to gain administrative access without authentication. The researcher detailed their approach, beginning with a meticulous examination of the Nginx configuration files.

Looking at the primary Nginx route configuration – /etc/nginx/conf/locations.conf – revealed quite a limited (yet impactful) change,” Sonny explained.

add_header Allow "GET, HEAD, POST, PUT, DELETE, OPTIONS";
if ($request_method !~ ^(GET|HEAD|POST|PUT|DELETE|OPTIONS)$) {
return 405;
}

+proxy_set_header X-Real-IP "";
+proxy_set_header X-Real-Scheme "";
+proxy_set_header X-Real-Port "";
+proxy_set_header X-Real-Server-IP "";
+proxy_set_header X-Forwarded-For "";
+proxy_set_header X-pan-ndpp-mode "";
+proxy_set_header Proxy "";
+proxy_set_header X-pan-AuthCheck 'on';


# rewrite_log on;

# static ones
@@ -27,6 +17,5 @@ location /nginx_status {
location ~ \.js\.map$ {
add_header Cache-Control "no-cache; no-store";
proxy_pass_header Authorization;
+ include conf/proxy_default.conf;
proxy_pass http://$gohost$gohostExt;
}

The researcher observed that the X-PAN-AUTHCHECK header was not set correctly in unpatched versions, potentially allowing unauthorized access to supposedly protected endpoints.

Exploiting this oversight, the researcher found a simple but devastating workaround: by setting the X-PAN-AUTHCHECK HTTP header to off, they could disable authentication entirely.

The second flaw, CVE-2024-9474, permits malicious PAN-OS administrators to escalate their privileges and execute commands with root access. The vulnerability resides in the AuditLog.php file, where improper sanitization of user input enables command injection.

The researcher identified a crucial change in the function responsible for writing audit logs. By leveraging this vulnerability, Sonny demonstrated how a crafted payload could escalate privileges, stating: “Somehow a user is able to pass a username containing shell metacharacters into the AuditLog.write() function, which then passes its value to pexecute().”

Sonny urged administrators to act swiftly, noting the simplicity of the exploit chain: “It’s amazing that these two vulnerabilities got into a production appliance, amazingly allowed via the hacked-together mass of shell script invocations that lurk under the hood of a Palo Alto appliance.”

While watchTowr is temporarily holding back on releasing a full proof-of-concept exploit to allow administrators time to patch, they have provided a Nuclei template that can be used to check if systems are vulnerable.

In another development, security researcher Valentin Lobstein has developed and released PoC exploit code for CVE-2024-0012 and CVE-2024-9474, enabling effortless exploitation. Leveraging the analyses by watchTowr, Lobstein’s Go-based tool automates the attack process, requiring users to simply input the target URL. This readily available exploit raises concerns about increased attacks and emphasizes the urgency of patching vulnerable systems.

PoC exploit code for CVE-2024-0012 and CVE-2024-9474

Palo Alto Networks released patches for these vulnerabilities in PAN-OS version 10.2.12-h2.

Related Posts: