CVE-2024-9474
📋 TL;DR
This CVE describes a privilege escalation vulnerability in Palo Alto Networks PAN-OS software where an authenticated administrator with access to the management web interface can execute commands with root privileges. Only PAN-OS administrators are affected, while Cloud NGFW and Prisma Access deployments are not impacted.
💻 Affected Systems
- Palo Alto Networks PAN-OS
📦 What is this software?
PAN-OS by Palo Alto Networks
⚠️ Risk & Real-World Impact
Worst Case
An authenticated malicious administrator could gain full root control over the firewall, allowing them to modify configurations, exfiltrate sensitive data, disable security controls, or pivot to other network segments.
Likely Case
An administrator with legitimate access could unintentionally or intentionally execute privileged commands beyond their intended scope, potentially causing service disruption or configuration changes.
If Mitigated
With proper access controls and monitoring, the impact is limited to authorized administrators who should already have significant system access, though they could still exceed intended privileges.
🎯 Exploit Status
Exploit requires authenticated administrator access. Public proof-of-concept code is available. CISA has added this to their Known Exploited Vulnerabilities catalog.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: PAN-OS 10.2.12, PAN-OS 11.0.8, PAN-OS 11.1.4
Vendor Advisory: https://security.paloaltonetworks.com/CVE-2024-9474
Restart Required: Yes
Instructions:
1. Download the appropriate PAN-OS hotfix from the Palo Alto support portal.
2. Upload the hotfix to the firewall via the web interface or CLI.
3. Install the hotfix.
4. Reboot the firewall to complete the installation.
🔧 Temporary Workarounds
Restrict Administrator Access
Limit the number of administrators with web interface access and implement strict access controls.
Enable Command Logging
Enable detailed command logging and monitoring for administrator activities.
🧯 If You Can't Patch
- Implement strict role-based access control (RBAC) to limit administrator privileges
- Enable comprehensive logging and monitoring of all administrator activities
🔍 How to Verify
Check if Vulnerable:
Check PAN-OS version via web interface (Device > Setup > Operations) or CLI (show system info). Compare against affected versions.
Check Version:
show system info | match version
Verify Fix Applied:
Verify that the running PAN-OS version is at or above the fixed release for its branch (10.2.12, 11.0.8, or 11.1.4). Check that no unauthorized privilege escalation attempts are logged.
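As an added example (not from the advisory or from Palo Alto Networks), a small Python checker that pulls the `sw-version` line out of `show system info` output and compares it branch by branch against the fixed releases listed above. It assumes the usual `major.minor.patch[-hN]` version form and treats any release branch not listed on this page as needing a manual check against the vendor advisory.

```python
import re
from typing import Optional, Tuple

# Fixed releases as stated on this page, keyed by (major, minor) release branch.
# Assumption: a build on a listed branch is fixed once it is >= the listed release.
FIXED_BY_BRANCH = {
    (10, 2): (10, 2, 12),
    (11, 0): (11, 0, 8),
    (11, 1): (11, 1, 4),
}

# major.minor.patch with an optional PAN-OS style "-hN" hotfix suffix.
VERSION_RE = re.compile(r"\b(\d+)\.(\d+)\.(\d+)(?:-h(\d+))?\b")


def parse_panos_version(text: str) -> Optional[Tuple[int, int, int, int]]:
    """Return (major, minor, patch, hotfix) from the sw-version line of
    'show system info' output, or None if no such line is present.

    Only the sw-version line is considered: other '*-version' lines
    (app-version, threat-version, ...) carry unrelated content numbers.
    The hotfix number is 0 when no -hN suffix is present (assumed convention).
    """
    for line in text.splitlines():
        if "sw-version" in line:
            m = VERSION_RE.search(line)
            if m:
                major, minor, patch, hotfix = m.groups()
                return (int(major), int(minor), int(patch), int(hotfix or 0))
    return None


def assess(text: str) -> str:
    """Classify output as 'fixed', 'vulnerable', 'unknown-branch' or 'unparsed'."""
    version = parse_panos_version(text)
    if version is None:
        return "unparsed"
    fixed = FIXED_BY_BRANCH.get(version[:2])
    if fixed is None:
        # Branch not covered by the versions on this page: consult the advisory.
        return "unknown-branch"
    return "fixed" if version[:3] >= fixed else "vulnerable"


# Constructed sample mimicking 'show system info | match version' output.
SAMPLE = "sw-version: 10.2.11\napp-version: 8905-8974\n"

if __name__ == "__main__":
    print(assess(SAMPLE))  # → vulnerable
```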
📡 Detection & Monitoring
Log Indicators:
- Unusual administrator command execution patterns
- Privilege escalation attempts in system logs
- Unexpected configuration changes by administrators
Network Indicators:
- Unusual administrative traffic patterns
- Unexpected outbound connections from firewall management interface
SIEM Query:
source="pan-firewall" AND (event_type="admin" OR event_type="system") AND (command="*" OR action="escalate")
🔗 References
- https://security.paloaltonetworks.com/CVE-2024-9474
- https://unit42.paloaltonetworks.com/cve-2024-0012-cve-2024-9474/
- https://github.com/k4nfr3/CVE-2024-9474
- https://labs.watchtowr.com/pots-and-pans-aka-an-sslvpn-palo-alto-pan-os-cve-2024-0012-and-cve-2024-9474/
- https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2024-9474