Palo Alto Networks (PAN-OS) Products November 2024 Security Update Advisory
Overview
Palo Alto Networks (https://www.paloaltonetworks.com/) has released a security update that fixes vulnerabilities in its products. Users of affected products are advised to update to the latest version.
Affected Products
CVE-2024-0012
PAN-OS versions earlier than 11.2.4-h1
PAN-OS versions earlier than 11.1.5-h1
PAN-OS versions earlier than 11.0.6-h1
PAN-OS versions earlier than 10.2.12-h2
CVE-2024-9474
PAN-OS versions earlier than 11.2.4-h1
PAN-OS versions earlier than 11.1.5-h1
PAN-OS versions earlier than 11.0.6-h1
PAN-OS versions earlier than 10.2.12-h2
PAN-OS versions earlier than 10.1.14-h6
Resolved Vulnerabilities
An authentication bypass vulnerability in PAN-OS software allows an unauthenticated attacker with network access to the administration web interface to gain PAN-OS administrator privileges, perform administrative tasks, make configuration changes, and exploit other authenticated privilege escalation vulnerabilities, such as CVE-2024-9474. (CVE-2024-0012, CVSS 9.3) [1]
A privilege escalation vulnerability in PAN-OS software could allow a PAN-OS administrator with access to the administration web interface to perform actions on the firewall with root privileges. (CVE-2024-9474, CVSS 6.9) [2]
Vulnerability Patches
The following product-specific vulnerability patches were made available in the November 18, 2024 update.
CVE-2024-0012
PAN-OS 11.2.4-h1 or later
PAN-OS 11.1.5-h1 or later
PAN-OS 11.0.6-h1 or later
PAN-OS 10.2.12-h2 or later
CVE-2024-9474
PAN-OS 11.2.4-h1 or later
PAN-OS 11.1.5-h1 or later
PAN-OS 11.0.6-h1 or later
PAN-OS 10.2.12-h2 or later
PAN-OS 10.1.14-h6 or later
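The patched-version lists above can be applied to a firewall inventory as in the following Python code, which is an added example and not part of the original advisory or any Palo Alto Networks tooling. It assumes each listed fix applies only to its own major.minor release branch and uses only the versions listed on this page; the hostnames and versions in SAMPLE are constructed.

```python
import re

# Fixed versions per CVE, copied from this advisory. Assumption: each entry
# is the first fixed release of its own major.minor branch.
FIXED = {
    "CVE-2024-0012": ["11.2.4-h1", "11.1.5-h1", "11.0.6-h1", "10.2.12-h2"],
    "CVE-2024-9474": ["11.2.4-h1", "11.1.5-h1", "11.0.6-h1", "10.2.12-h2",
                      "10.1.14-h6"],
}

_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:-h(\d+))?$")

def parse_version(text):
    """Return (major, minor, maintenance, hotfix); hotfix is 0 when absent."""
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised PAN-OS version: {text!r}")
    return tuple(int(g) if g else 0 for g in m.groups())

def status(version, cve):
    """'vulnerable', 'patched', or 'unknown' (branch not listed on this page)."""
    v = parse_version(version)
    for fixed in FIXED[cve]:
        f = parse_version(fixed)
        if f[:2] == v[:2]:  # compare only within the same release branch
            return "patched" if v >= f else "vulnerable"
    return "unknown"

def triage(inventory):
    """Map each host to the CVEs whose status is not 'patched'."""
    report = {}
    for host, version in inventory.items():
        findings = {cve: status(version, cve) for cve in FIXED}
        findings = {c: s for c, s in findings.items() if s != "patched"}
        if findings:
            report[host] = findings
    return report

# Constructed sample inventory (hostnames and versions are made up).
SAMPLE = {
    "fw-edge-01": "11.1.5",
    "fw-edge-02": "11.2.4-h1",
    "fw-lab-01": "10.1.14-h4",
    "fw-dc-01": "10.2.12-h2",
}

if __name__ == "__main__":
    for host, findings in triage(SAMPLE).items():
        print(host, findings)
```

A result of "unknown" means the release branch does not appear in this advisory's lists for that CVE, so the vendor advisory has to be consulted for that device.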
Referenced Sites
[1] PAN-OS: Authentication Bypass in the Management Web Interface (PAN-SA-2024-0015)
https://security.paloaltonetworks.com/CVE-2024-0012
[2] PAN-OS: Privilege Escalation (PE) Vulnerability in the Web Management Interface