Palo Alto Networks warns of potential RCE in PAN-OS management interface

Palo Alto Networks warns customers to restrict access to their next-generation firewalls because of a potential RCE flaw in the PAN-OS management interface.

Palo Alto Networks warns customers to limit access to their next-gen firewall management interface due to a potential remote code execution vulnerability in PAN-OS. The cybersecurity company has no further details on the vulnerability and said has yet to detect active exploitation.

“Palo Alto Networks is aware of a claim of a remote code execution vulnerability via the PAN-OS management interface. At this time, we do not know the specifics of the claimed vulnerability. We are actively monitoring for signs of any exploitation.” reads the advisory. “We strongly recommend customers to ensure access to your management interface is configured correctly in accordance with our recommended best practice deployment guidelines. In particular, we recommend that you ensure that access to the management interface is possible only from trusted internal IPs and not from the Internet. The vast majority of firewalls already follow this Palo Alto Networks and industry best practice.”

Palo Alto Networks recommends reviewing best practices for securing management access to its devices.

Guidelines to secure the Palo Alto management interface include isolating it on a dedicated management VLAN, using jump servers for access, limiting inbound IP addresses to approved management devices, and allowing only secure communication (SSH, HTTPS) and PING for connectivity testing.

The company currently believes Prisma Access and cloud NGFW are unaffected by this potential vulnerability.

The cybersecurity firm states that it does not have sufficient information about any indicators of compromise.

Cortex Xpanse and Cortex XSIAM customers using the ASM module can investigate internet-exposed instances by reviewing alerts from the Firewall Admin Login attack surface rule.

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) added a Palo Alto Expedition Missing Authentication Vulnerability, tracked as CVE-2024-5910, to its Known Exploited Vulnerabilities (KEV) catalog.

In July, Palo Alto released security updates to address five security flaws impacting its products, the most severe issue, tracked as CVE-2024-5910 (CVSS score: 9.3), is a missing authentication for a critical function in Palo Alto Networks Expedition that can lead to an admin account takeover.

Follow me on Twitter: @securityaffairs and Facebook and Mastodon

Pierluigi Paganini

(SecurityAffairs – hacking, RCE)