Palo Alto Firewalls Under Attack As Miscreants Chain Flaws For Root Access (theregister.com)

A recently patched Palo Alto Networks vulnerability (CVE-2025-0108) is being actively exploited alongside two other flaws (CVE-2024-9474 and CVE-2025-0111), allowing attackers to gain root access to unpatched firewalls. The Register reports: This story starts with CVE-2024-9474, a 6.9-rated privilege escalation vulnerability in Palo Alto Networks PAN-OS software that allowed a PAN-OS administrator with access to the management web interface to perform actions on the firewall with root privileges. The company patched it in November 2024. The Assetnote team at dark web intelligence vendor Searchlight Cyber investigated the patch for CVE-2024-9474 and found another authentication bypass.

Palo Alto Networks (PAN) last week fixed that problem, CVE-2025-0108, and rated the 8.8/10 flaw highest urgency: it is an access control issue in the PAN-OS web management interface that allows an unauthenticated attacker with network access to that interface to bypass authentication "and invoke certain PHP scripts." Those scripts could "negatively impact integrity and confidentiality of PAN-OS."

The third flaw is CVE-2025-0111, a 7.1-rated file-read bug also patched last week: an authenticated attacker with network access to the PAN-OS web management interface can read files that are readable by the "nobody" user. On Tuesday, US time, Palo Alto updated its advisory for CVE-2025-0108 with news that it has observed exploit attempts chaining it with CVE-2024-9474 and CVE-2025-0111 against unpatched and unsecured PAN-OS web management interfaces. The vendor has not explained how the three flaws are chained, but we understand doing so lets an attacker escalate from an unauthenticated foothold to full root access on the firewall.
PAN is urging users to upgrade to the fixed releases in the PAN-OS 10.1, 10.2, 11.0, 11.1, and 11.2 trains and, in the meantime, to make sure the management interface is reachable only from trusted internal addresses rather than from the internet. A general hotfix is expected by Thursday or sooner, notes the Register.
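The advisory's qualifier, "unpatched and unsecured" management interfaces, is the part an operator can act on today. The following is an added example, not Palo Alto's code: a small triage check that takes the list of permitted source ranges for a management interface and reports whether the interface is reachable from the internet, or from internal networks other than the dedicated admin network (the pivot case: a foothold on a DMZ, guest or IoT host that can still reach the GUI). The input format (CIDR strings), the admin-network allow-list, the sample configuration and the rule that an empty permitted list means "unrestricted" are assumptions made for the example; take the real values from your firewall's management-interface settings and confirm the empty-list semantics against your platform.

```python
"""Management-interface exposure triage (added example, not vendor code)."""
import ipaddress
from dataclasses import dataclass

# Ranges treated as "internal" here: RFC 1918, loopback, IPv6 ULA and ::1.
# Anything outside these is reported as internet-reachable.
PRIVATE_RANGES = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8",
    "fc00::/7", "::1/128",
)]
ANY_SOURCE = {ipaddress.ip_network("0.0.0.0/0"), ipaddress.ip_network("::/0")}


@dataclass(frozen=True)
class Finding:
    permitted: str   # the permitted-source entry as configured
    level: str       # "internet" (reachable from outside) or "lateral" (from other internal nets)
    reason: str


def _within(net, candidates):
    """True if net is fully contained in one of candidates (same IP version)."""
    return any(net.version == c.version and net.subnet_of(c) for c in candidates)


def audit_permitted_sources(permitted, admin_networks):
    """Return a Finding for every permitted source range that is not confined
    to the admin networks. An empty list is treated as unrestricted (assumption:
    check your platform's semantics for 'no permitted IPs configured')."""
    admins = [ipaddress.ip_network(n, strict=False) for n in admin_networks]
    if not permitted:
        return [Finding("<none>", "internet",
                        "no permitted-source list; treated here as reachable from anywhere")]
    findings = []
    for entry in permitted:
        net = ipaddress.ip_network(entry, strict=False)
        if net in ANY_SOURCE:
            findings.append(Finding(entry, "internet", "permits every source address"))
        elif not _within(net, PRIVATE_RANGES):
            findings.append(Finding(entry, "internet",
                                    "public range; the management interface is internet-reachable"))
        elif not _within(net, admins):
            findings.append(Finding(entry, "lateral",
                                    "internal range outside the admin network; a foothold there "
                                    "(DMZ, guest, an IoT device) can reach the interface"))
    return findings


def exposure_level(findings):
    """Collapse findings to the worst case: internet > lateral > restricted."""
    levels = {f.level for f in findings}
    if "internet" in levels:
        return "internet"
    if "lateral" in levels:
        return "lateral"
    return "restricted"


if __name__ == "__main__":
    # Constructed sample configuration: one admin jump network, one guest
    # network that was left permitted, one public range, and a catch-all.
    sample_permitted = ["10.20.30.0/24", "192.168.100.0/24", "198.51.100.0/24", "0.0.0.0/0"]
    sample_admins = ["10.20.30.0/24"]
    found = audit_permitted_sources(sample_permitted, sample_admins)
    for f in found:
        print(f"[{f.level}] {f.permitted}: {f.reason}")
    print("overall exposure:", exposure_level(found))
```

Anything at the "internet" level is the condition the advisory describes as exploitable without credentials once CVE-2025-0108 is in play; "lateral" findings are what the fish-tank style pivot in the comments below exploits, and should be closed by restricting the list to the admin network (or, as one commenter does, binding the GUI to loopback and reaching it over an SSH tunnel).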

  • by rsilvergun ( 571051 ) on Wednesday February 19, 2025 @04:45PM (#65180231)
    hostile Foreign actor... Is this like a regional dialect or something? Like how down south when they say bless your heart it's like the worst thing you could say to somebody?
    • by AmiMoJo ( 196126 )

      It's arse covering. Every hack is described as being done by "sophisticated foreign attackers", to imply that it wasn't bad security but a state level threat that nobody could reasonably have defended against.

  • If only people had been notified about this earlier....
  • A web server is a complex beast, and including it on a firewall raises attack surface. I would expect such hardware to only have SSH enabled by default.

    • Exactly right.

      If a firewall ships with PHP enabled, that vendor deserves to go bankrupt. The faster the better.

    • by ls671 ( 1122017 )

      Yeah, I make any kind of stuff like that with a web interface listen only on 127.0.0.1 and SSH tunnel into it to access the web GUI. A web GUI is nice to have sometimes.

  • "access to the management web interface to perform actions on the firewall with root privileges" That there is always amazing to me. After all these years of what seems like *every vendor* having an issue like this with web interface, what dimwitted idiot incompetent would put the web interface reachable directly by the public internet?
    • what dimwitted idiot incompetent would put the web interface reachable directly by the public internet?

      They may not have. Don't forget about the 2017 hack of a casino whose point of entry was a fish tank [forbes.com]. Assuming the fish tank appliance was able to function as an SSH proxy, all one had to do was configure Firefox to send its traffic through the fish tank, and boom! 'Internal' access to the firewall's web UI.

      Also, I've had situations where firewall rules on DMZ/guest networks could still technically access the web UI - they couldn't log in even with admin credentials, but the page loaded.

      Some firewalls have a W

  • Is it wise putting a Management Web Interface in a security device :o
    • by gweihir ( 88907 )

      If you secure it carefully, maybe. But apparently firewall makers (not only Palo Alto) are too greedy and too incompetent to write secure software. And no liability is in the picture. That needs to change. This is like a fire-extinguisher maker selling products that sometimes burst into flames ...

  • by gweihir ( 88907 ) on Thursday February 20, 2025 @12:48AM (#65180865)

    I mean firewalls as attack vectors, really? These cretins (at Palo Alto and others) urgently need liability for their crappy products.

    • I mean firewalls as attack vectors, really? These cretins (at Palo Alto and others) urgently need liability for their crappy products.

      The reason is that probably a significant number of outsourced IT shops don't do any checking on access from the firewall to internal servers, so you get on the firewall - bam! - you have unrestricted root/administrator access to the servers behind it.

  • Scalawags and ne'er-do-wells!
