Palo Alto Networks Patches Critical Zero-Day Firewall Bug

Palo Alto Networks (PAN) put out an advisory Friday warning its customers that a critical, unauthenticated remote code execution (RCE) bug is under exploit by cybercriminals in its Expedition firewall interface — making this the tool's fourth vulnerability under active attack identified in just the past week.

PAN's Expedition firewall management is a utility the vendor uses to transition its new customers from their previous system to PAN-OS. For the latest bug, it issued a critical security bulletin warning about fresh threat activity targeting an unauthenticated remote command injection vulnerability (CVE-2024-0012, CVSS 9.3) in Expedition. The company didn't specify exactly when it became aware of the zero-day, but it issued patches today for the bug, which arises from a missing authentication check.

"Palo Alto Networks has observed threat activity exploiting an unauthenticated remote command execution vulnerability against a limited number of firewall management interfaces which are exposed to the Internet," Palo Alto Network's security bulletin said.

The day prior to the PAN bulletin, on Thursday, Nov. 14, CISA added two separate, critical Expedition flaws disclosed Nov. 8 to its Known Exploited Vulnerabilities Catalog: an OS command injection vulnerability (CVE-2024-9463) with a CVSS score of 9.9; and an SQL injection vulnerability (CVE-2024-9465) with a CVSS score of 9.2. And just a week before, another PAN Expedition vulnerability, a missing authentication bug disclosed July 10, made the KEV list (CVE-2024-5910).

Related:Dark Reading Confidential: Meet the Ransomware Negotiators

How to Secure an Exposed Expedition Firewall Management System

Customers should patch their systems as soon as possible; and the vendor urges Expedition users to ensure their systems are not reachable from the public Internet.

And although most of these impacted firewalls already follow that best practice, PAN recommends that customers, "immediately ensure that access to the management interface is possible only from a trusted internal IPs and not from the Internet."

According to the ShadowServer Foundation's IoT device tracking statistics, on Nov. 14 there were more than 8,700 instances of PAN-OS Management systems connected to the Internet and vulnerable to these exploits. That number is down from around 11,000 observed prior to PAN's Nov. 8 bulletin.

"The security of our customers is our highest priority, and we have been in daily contact with customers who we have identified as at heightened risk," a statement from PAN provided to Dark Reading said. "We recently became aware of malicious activity targeting a small number of firewalls that we believe had a management interface exposed to the Internet. This vulnerability could potentially result in unauthorized access to these specific firewalls. We are actively monitoring the situation and are committed to providing our customers with the support they need to stay secure."

Related:Akira Ransomware Racks Up 30+ Victims in a Single Day

The company added that Prisma Access and Cloud NGFW are not believed to be impacted.

Experts urge cybersecurity teams not to underestimate the risk of leaving these vulnerabilities exposed.

“OS commanding and SQL injection are among the most critical vulnerabilities in software," says Ray Kelly, a cybersecurity expert with Black Duck. "When both vectors exist in a single product, it essentially exposes the application completely. These vulnerabilities have been known for decades and can be easily detected using most modern Web application scanning tools.”

Last summer, PAN announced Expedition is being phased out and will no longer be supported as of January 2025.