
Digital safety starts here for both commercial and personal Use...

Defend Your Business Against the Latest WNY Cyber Threats

We offer Safe, Secure and Affordable Solutions for your Business and Personal Networks and Devices.



WNYCyber is there to help you to choose the best service providers in Western New York... We DO NOT provide the services ourselves, as we are Internet Programmers who have to deal daily with Cyber Threats... (Ugghhh)... So we know what it's like and what it takes to protect OUR and OUR CUSTOMERS' DATA... We built this Website to help steer you to those that can give you the best service at realistic and non-inflated prices. We do charge or collect any fees.

Threat Brief: Operation Lunar Peek, Activity Related to CVE-2024-0012

Summary:
Palo Alto Networks is aware of active exploitation attempts in the wild leveraging an authentication bypass vulnerability impacting its PAN-OS firewall management interface. The vulnerability, tracked as CVE-2024-0012, requires no user interaction or privileges to exploit and can enable unauthenticated actors to execute commands remotely. CVE-2024-0012 has been assigned a CVSS score of 9.3, indicating a critical level of severity. However, according to the vendor, the risk of this issue is reduced significantly (CVSS: 5.9) if access to the management web interface is restricted to only trusted internal IP addresses.

Analyst Comments:
Palo Alto Networks has released a set of IP addresses that were observed targeting PAN-OS management web interfaces exposed to internet traffic. According to the vendor, many of these IPs are known to proxy or tunnel traffic for anonymous VPN services, so traffic from them to other destinations may include legitimate user activity.

The activity is being tracked under the name ‘Lunar Peek.’ While the whereabouts of the actor behind these attacks or victims have not been disclosed, Palo Alto Networks also provided a webshell checksum, indicating that the actors are exploiting the vulnerability to deploy webshells for persistent access.

Suggested Corrections:
CVE-2024-0012 is applicable only to PAN-OS 10.2, PAN-OS 11.0, PAN-OS 11.1, and PAN-OS 11.2 software. Cloud NGFW and Prisma Access are not impacted by this vulnerability. The issue has been fixed in PAN-OS 10.2.12-h2, PAN-OS 11.0.6-h1, PAN-OS 11.1.5-h1, PAN-OS 11.2.4-h1, and all later PAN-OS versions. Customers are advised to update to the latest versions and to restrict access to the management interface to only trusted internal IP addresses, preventing external access from the internet.

IOCs:
https://unit42.paloaltonetworks.com/cve-2024-0012-cve-2024-9474/

Link(s):
https://unit42.paloaltonetworks.com/cve-2024-0012-cve-2024-9474/