On November 19, 2024, Palo Alto Networks disclosed two critical vulnerabilities in its PAN-OS software, CVE-2024-0012 an Authentication Bypas, and CVE-2024-9474 a Privilege Escalation. These vulnerabilities enable attackers to gain unauthorized administrative access and escalate privileges to root level. Exploitation of these vulnerabilities, observed in the wild, has been attributed to a targeted campaign dubbed Operation Lunar Peek.

Affected Products

CVE-2024-0012 (Authentication Bypass)

• PAN-OS 10.2: Versions prior to 10.2.12-h2
• PAN-OS 11.0: Versions prior to 11.0.6-h1
• PAN-OS 11.1: Versions prior to 11.1.5-h1
• PAN-OS 11.2: Versions prior to 11.2.4-h1

CVE-2024-9474 (Privilege Escalation)

• PAN-OS 10.1: Versions prior to 10.1.14-h6
• PAN-OS 10.2, 11.0, 11.1, 11.2: Same affected versions as CVE-2024-0012

Technical Details

CVE-2024-0012 – Authentication Bypass

• Severity: Critical (CVSS 9.3)
• Description: Exploitation allows unauthenticated attackers to bypass authentication by supplying a crafted HTTP header (x-pan-authcheck: off) to the PAN-OS management web interface. This grants administrative privileges, enabling configuration tampering and potential exploitation of CVE-2024-9474.

CVE-2024-9474 – Privilege Escalation

• Severity: Medium (CVSS 6.9)
• Description: This flaw enables authenticated administrators to escalate privileges to root, allowing actions such as disabling security features and compromising system integrity.

Exploitation

Operation Lunar Peek

• Exploitation has been observed on devices with exposed management interfaces, particularly in regions with high usage (e.g., United States, India, Mexico). Shadowserver estimates over 11,000 exposed systems globally.

Chained Exploitation

• CVE-2024-0012 facilitates initial access, while CVE-2024-9474 is used for post-exploitation privilege escalation. Attackers deploy PHP webshells (SHA256 hash: 3C5F9034C86CB1952AA5BB07B4F77CE7D8BB5CC9FE5C029A32C72ADC7E814668) for further malicious actions.

Available Patches

• PAN-OS 10.1: Update to 10.1.14-h6 or later
• PAN-OS 10.2: Update to 10.2.12-h2 or later
• PAN-OS 11.0: Update to 11.0.6-h1 or later
• PAN-OS 11.1: Update to 11.1.5-h1 or later
• PAN-OS 11.2: Update to 11.2.4-h1 or later

Palo Alto Networks has also released patches for earlier maintenance releases frequently deployed by customers. Refer to the official advisory from Palo Alto Networks for details, here.

Workarounds and Recommendations

Mitigations

• Restrict Management Interface Access
  • Block internet-facing access. Allow access only from trusted internal IPs or secure jump boxes.
• Enable Threat Prevention
  • Apply Threat IDs (e.g., 95746 and 95747) to block exploits.

Best Practices

• Deploy administrative access best practices. Log administrative actions and monitor for anomalous configuration changes.

Conclusion

CVE-2024-0012 and CVE-2024-9474 highlight the criticality of securing internet-facing interfaces. Organizations should prioritize patching affected systems, adopt mitigations, and remain vigilant for evolving threats. Additionally, Centripetal’s CleanINTERNET® service can further protect networks by detecting and shielding malicious exploit attempts associated with CVE-2024-0012, CVE-2024-9474 through advanced threat intelligence and real-time traffic filtering. If you are a current client of Palo Alto and use PAN-OS please contact support@centripetal.ai. Centripetal is pleased to offer Penetration Testing and Vulnerability Assessment services to help organizations identify vulnerabilities and reduce risk. If interested, please contact our Professional Services team at profservs@centripetal.ai or reach out to your Centripetal Account Representative.

Resources

• Palo Alto Networks Advisory: PAN-OS Vulnerabilities CVE-2024-0012 and CVE-2024-9474. Available at: Palo Alto Networks Security Advisory
• Unit42 Report: Operation Lunar Peek and Exploitation of PAN-OS Vulnerabilities. Available at: Unit42 Blog
• HelpNet Security: Analysis of CVE-2024-0012 Exploits and Mitigations. Available at: HelpNet Security
• The Register: PAN-OS Vulnerabilities Targeting Global Interfaces. Available at: The Register
• Censys Analysis: Global Exposure of PAN-OS Interfaces. Available at: Censys