CVE-2024-2552
📋 TL;DR
This CVE describes a command injection vulnerability in Palo Alto Networks PAN-OS software that allows authenticated administrators to bypass system restrictions and delete files on the firewall. The vulnerability affects administrators with management plane access to PAN-OS firewalls. Attackers could exploit this to delete critical system files and potentially disrupt firewall operations.
💻 Affected Systems
- Palo Alto Networks PAN-OS
📦 What is this software?
Pan Os by Paloaltonetworks
⚠️ Risk & Real-World Impact
Worst Case
An attacker with administrator credentials could delete critical system files, causing firewall failure, service disruption, and potential loss of network security controls.
Likely Case
Malicious insider or compromised administrator account could delete configuration files, logs, or system files, leading to service disruption and operational impact.
If Mitigated
With proper access controls and monitoring, impact is limited to authorized administrators performing legitimate file deletion operations.
🎯 Exploit Status
Exploitation requires administrator credentials. No public exploit code available at time of analysis.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Check vendor advisory for specific fixed versions
Vendor Advisory: https://security.paloaltonetworks.com/CVE-2024-2552
Restart Required: Yes
Instructions:
1. Check affected versions in vendor advisory.
2. Download appropriate PAN-OS update.
3. Apply update through management interface.
4. Reboot firewall as required.
5. Verify update applied successfully.
🔧 Temporary Workarounds
Restrict Administrator Access
Limit administrator accounts to only trusted personnel and implement multi-factor authentication.
Network Segmentation
Ensure firewall management interfaces are not accessible from untrusted networks.
🧯 If You Can't Patch
- Implement strict access controls and monitoring for administrator accounts
- Regularly audit administrator activities and file system changes on firewalls
🔍 How to Verify
Check if Vulnerable:
Check PAN-OS version against affected versions in vendor advisory. Review administrator access logs for suspicious file deletion activities.
Check Version:
Run show system info in the PAN-OS CLI, or check the version in the web interface.
Verify Fix Applied:
Verify PAN-OS version is updated to patched version specified in vendor advisory. Test administrator file deletion capabilities are properly restricted.
📡 Detection & Monitoring
Log Indicators:
- Unexpected file deletion events in system logs
- Administrator account performing unusual file operations
- Failed file deletion attempts that bypass normal restrictions
Network Indicators:
- Unusual management plane traffic patterns
- Multiple file deletion requests from single administrator session
SIEM Query:
source="pan-firewall" AND (event_type="file_deletion" OR command="rm" OR command="delete") AND user_role="administrator"
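As an added example (not part of this advisory and not Palo Alto Networks code), the script below applies the log indicators listed above to a handful of constructed sample records: administrator file deletions, deletion attempts that were denied, deletions outside an assumed "expected" directory, and bursts of deletions from a single session. The key=value record layout, the field names, the placeholder paths and the allowed-prefix list are all assumptions made for the example, not the real PAN-OS log format; map them onto the fields your SIEM actually ingests.

```python
import re
from collections import Counter

# Constructed sample records in an assumed key=value layout.  This is NOT
# the real PAN-OS syslog format; field names and paths are placeholders.
SAMPLE_LOGS = [
    "ts=2024-04-01T10:00:01Z user=alice role=administrator session=s1 event=login result=success",
    "ts=2024-04-01T10:00:05Z user=alice role=administrator session=s1 event=file_deletion path=/placeholder/tmp/a.log result=success",
    "ts=2024-04-01T10:00:06Z user=alice role=administrator session=s1 event=file_deletion path=/placeholder/sys/b.conf result=success",
    "ts=2024-04-01T10:00:07Z user=alice role=administrator session=s1 event=file_deletion path=/placeholder/sys/c.conf result=success",
    "ts=2024-04-01T10:05:00Z user=bob role=administrator session=s2 event=file_deletion path=/placeholder/sys/d.conf result=denied",
    "ts=2024-04-01T10:06:00Z user=carol role=readonly session=s3 event=config_view result=success",
    "ts=2024-04-01T10:07:00Z user=dave role=administrator session=s4 event=file_deletion path=/placeholder/tmp/e.log result=success",
]

# Assumed: deletions under these prefixes are routine; anything else is
# "unexpected" in the sense of the advisory's first log indicator.
EXPECTED_PREFIXES = ("/placeholder/tmp/",)

KV_RE = re.compile(r"(\w+)=(\S+)")


def parse_record(line):
    """Split one key=value record into a dict (assumed layout)."""
    return dict(KV_RE.findall(line))


def review_logs(lines, burst_threshold=3, expected_prefixes=EXPECTED_PREFIXES):
    """Apply the advisory's log indicators to the records and return findings.

    Returns a dict with:
      admin_deletions   - number of file_deletion attempts by administrator roles
      denied_deletions  - users whose deletion attempts were not successful
      unexpected_paths  - deletion targets outside the expected prefixes
      bursty_sessions   - sessions with >= burst_threshold deletion attempts
    """
    deletions = []
    denied = []
    unexpected = []
    per_session = Counter()

    for line in lines:
        rec = parse_record(line)
        # Only file deletion events by administrator accounts are in scope.
        if rec.get("event") != "file_deletion" or rec.get("role") != "administrator":
            continue
        deletions.append(rec)
        per_session[rec.get("session")] += 1
        if rec.get("result") != "success":
            denied.append(rec.get("user"))
        path = rec.get("path", "")
        if not path.startswith(expected_prefixes):
            unexpected.append(path)

    bursty = sorted(s for s, n in per_session.items() if n >= burst_threshold)
    return {
        "admin_deletions": len(deletions),
        "denied_deletions": denied,
        "unexpected_paths": unexpected,
        "bursty_sessions": bursty,
    }


if __name__ == "__main__":
    for key, value in review_logs(SAMPLE_LOGS).items():
        print(f"{key}: {value}")
```

The burst threshold and the expected-prefix list are the two knobs worth tuning against a baseline of normal administrative activity on your own firewalls; a threshold that is too low will flag routine cleanup, while one that is too high will miss a short deletion burst from a compromised account.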