Securing Palo Alto management interfaces from exploitation

Number: AL24-011
Date: November 15, 2024

Audience

This Alert is intended for IT professionals and managers.

Purpose

An Alert is used to raise awareness of a recently identified cyber threat that may impact cyber information assets, and to provide additional detection and mitigation advice to recipients. The Canadian Centre for Cyber Security (“Cyber Centre”) is also available to provide additional assistance regarding the content of this Alert to recipients as requested.

Details

On November 8, 2024, Palo Alto Networks (PAN) published an advisory (PAN-SA-2024-0015) regarding a claim of exploitation that the vendor was investigating. On November 14, 2024, PAN updated the advisory to confirm that malicious activity has been observed targeting a limited number of PAN firewall management interfaces that are exposed to the Internet^{Footnote 1}.

The vendor confirms in the updated advisory that malicious actors have been observed exploiting an as-yet undisclosed unauthenticated remote command execution (RCE) vulnerability. It bears repeating that this is active exploitation by malicious actors.

The Cyber Centre notes that the vendor has also updated advisory PAN-SA-2024-0010 (“Multiple Vulnerabilities in Expedition Lead to Exposure of Firewall Credentials”)^{Footnote 2}^{Footnote 3}. The PAN advisory explicitly states that multiple vulnerabilities in Palo Alto Networks Expedition led to exposure of firewall credentials.

Suggested actions

It is imperative that organizations review the inventory of PAN devices and applications in their networks and verify whether these products require patching and/or further recommended mitigations.

Organizations can verify whether they have any firewall management interfaces exposed to the Internet by consulting the Palo Alto Customer Support Portal (Products > Assets > All Assets > Remediation Required)^{Footnote 4}.

Devices and applications should then be configured according to the vendor’s recommended best practices^{Footnote 5}.

Organizations should also review and implement the Cyber Centre’s Top 10 IT Security Actions^{Footnote 6} with an emphasis on the following topics:

consolidating, monitoring, and defending Internet gateways
patching operating systems and applications
isolating Web-facing applications

If activity matching the content of this alert is discovered, recipients are encouraged to report via the My Cyber Portal, or email contact@cyber.gc.ca.

Partner reporting

Palo Alto Networks Emphasizes Hardening Guidance

References

Information provided by organizations not subject to the Official Languages Act is in the language(s) provided.

Footnote 1

PAN-SA-2024-0015 Critical Security Bulletin: Ensure Access to Management Interface is Secured

Return to footnote1 referrer

Footnote 2

PAN-SA-2024-0010 Expedition: Multiple Vulnerabilities in Expedition Lead to Exposure of Firewall Credentials

Return to footnote2 referrer

Footnote 3

Palo Alto Networks security advisory (AV24-578)

Return to footnote3 referrer

Footnote 4

Palo Alto Customer Support Portal

Return to footnote4 referrer

Footnote 5

Tips & Tricks: How to Secure the Management Access of Your Palo Alto Networks Device

Return to footnote5 referrer

Footnote 6

Top 10 IT security actions to protect Internet connected networks and information (ITSM.10.089)

Return to footnote6 referrer

This alert was originated From: Canadian Centre for Cyber Security

https://cyber.gc.ca/en/alerts-advisories/securing-palo-alto-management-interfaces-exploitation

Audience

Purpose

Details

Suggested actions

Partner reporting

Leave a Reply Cancel reply

Related Posts

VMware security advisory (AV24-528) – Canadian Centre for Cyber Security

CISA Advisory: CISA and FBI Release Secure by Design Alert on Eliminating Cross-Site Scripting Vulnerabilities

CISA Advisory: Delta Electronics CNCSoft-G2 | CISA

CISA Advisory: Siemens SINEMA Remote Connect Server