On November 18, 2024, Palo Alto Networks released full details of two significant vulnerabilities in its PAN-OS software that had been partly disclosed earlier, on November 8. The first, CVE-2024-0012, is a critical vulnerability rated 9.3 that affects the PAN-OS management web interface by allowing attackers to bypass authentication. In practice, an unauthorized user with network access to that interface can gain administrator privileges without passing the normal authentication checks. The second, CVE-2024-9474, is a medium-severity privilege-escalation vulnerability rated 6.9. Chained together, the two allow an attacker to execute code remotely without prior authentication: the attacker first obtains administrator-level control through the management interface and then escalates to root on the firewall.
Note that Cloud NGFW and Prisma Access are not affected by these vulnerabilities.
Versions later than these are no longer at risk. If updating immediately is not possible, restricting access to the management interface to trusted internal IP addresses is the suggested interim measure. Palo Alto Networks also publishes a list of indicators of compromise (IOCs) to help manage the risk.
Yes, these vulnerabilities are being actively exploited: Palo Alto Networks has detected exploitation activity. Although no specific threat group has been identified yet, the observed activity includes interactive command execution and dropping malware such as webshells onto the firewalls.
This isn't the only PAN-OS issue we've examined in 2024; the risks discussed in response to CVE-2024-3400 apply here as well. Palo Alto Networks devices are widespread in enterprises worldwide: 50% of Evolve Security's clients use Palo Alto products, and larger firms may own many more vulnerable devices. A Fortune 100 company might deploy PAN-OS across up to 150 networks belonging to different brands or subsidiaries. Even with strong visibility, rolling patches out across that many networks is demanding, and it assumes complete asset visibility. In practice, companies often under-manage or miss some assets; prior research indicates that organizations may be unaware of 10-30% of their subsidiaries until Evolve Security helps them manage their attack surface.
To assist, Evolve Security's discovery and testing engines continuously identify vulnerable PAN-OS versions. As of November 20, 2024, all clients have received an in-platform notification about this threat so that they are ready to respond immediately.
Evolve Security has reviewed client vulnerability data and found no reports of this particular vulnerability yet. Still, companies should verify which of their PAN-OS versions are vulnerable and apply the recommended fixes. It is crucial that testing covers all assets, not only those typically included in regular assessments.
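A version-triage helper for an asset inventory, added here as an example (it is not Evolve Security's or Palo Alto Networks' code). It parses the PAN-OS major.minor.maintenance[-hN] format so hotfix suffixes and multi-digit components compare correctly, and sends anything it cannot classify to a review bucket rather than silently treating it as safe. The fixed-version table and the inventory are constructed placeholders; the real fixed releases come from the vendor advisory.

```python
from __future__ import annotations
import re

# PAN-OS versions look like "10.2.12", "11.1.5-h1" (hotfix) or "10.2.9-h14"; naive
# string comparison misorders them ("10.2.9" > "10.2.12" lexically), so parse to tuples.
_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:-h(\d+))?$")

# Constructed placeholder table, not the vendor's numbers: first fixed release per
# major.minor train. Replace with the fixed releases from the vendor advisory.
PLACEHOLDER_FIXED_BY_TRAIN = {"10.2": "10.2.99-h2", "11.1": "11.1.99-h1"}

# Constructed sample inventory of (hostname, PAN-OS version reported by the device).
SAMPLE_INVENTORY = [
    ("fw-hq-01", "10.2.99-h2"),      # exactly the fixed release: patched
    ("fw-branch-07", "10.2.99"),     # same base, hotfix missing: vulnerable
    ("fw-branch-12", "10.2.9-h14"),  # older maintenance release: vulnerable
    ("fw-dc-02", "11.1.100"),        # above the fixed release: patched
    ("fw-sub-04", "10.1.14"),        # train not in the table: manual review
    ("fw-legacy-09", "unknown"),     # unparseable version string: manual review
]

def parse_panos_version(text: str) -> tuple[int, int, int, int]:
    """Return (major, minor, maintenance, hotfix); hotfix is 0 when absent."""
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised PAN-OS version string: {text!r}")
    major, minor, maint, hotfix = m.groups()
    return int(major), int(minor), int(maint), int(hotfix or 0)

def is_vulnerable(version: str, fixed_by_train: dict[str, str]) -> bool | None:
    """True if below the first fixed release of its train, False if at or above,
    None when the train is not in the table (unlisted or end-of-life: review it)."""
    parsed = parse_panos_version(version)
    fixed = fixed_by_train.get(f"{parsed[0]}.{parsed[1]}")
    return None if fixed is None else parsed < parse_panos_version(fixed)

def triage_inventory(inventory, fixed_by_train) -> dict[str, list[str]]:
    """Bucket hosts as vulnerable / patched / review for an exposure report."""
    report: dict[str, list[str]] = {"vulnerable": [], "patched": [], "review": []}
    for host, version in inventory:
        try:
            status = is_vulnerable(version, fixed_by_train)
        except ValueError:
            status = None  # an unreadable version is a visibility gap, not "safe"
        report["review" if status is None else "vulnerable" if status else "patched"].append(host)
    return report

if __name__ == "__main__":
    for bucket, hosts in triage_inventory(SAMPLE_INVENTORY, PLACEHOLDER_FIXED_BY_TRAIN).items():
        print(f"{bucket}: {', '.join(hosts) or '-'}")
```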
https://nvd.nist.gov/vuln/detail/CVE-2024-9474
https://nvd.nist.gov/vuln/detail/CVE-2024-0012
https://unit42.paloaltonetworks.com/cve-2024-0012-cve-2024-9474/