Overview

The Cybersecurity and Infrastructure Security Agency (CISA) has recently added three significant vulnerabilities to its Known Exploited Vulnerabilities Catalog (KEV), based on evidence of active exploitation. These vulnerabilities, identified in popular networking and security products, represent a considerable risk to both private and government networks.

The recently added vulnerabilities to the CISA’s Known Exploited Vulnerabilities Catalog include CVE-2024-1212, a critical OS command injection flaw in the Progress Kemp LoadMaster; CVE-2024-0012, an authentication bypass vulnerability affecting Palo Alto Networks PAN-OS; and CVE-2024-9474, a privilege escalation issue within PAN-OS that enables attackers to escalate privileges via OS command injection.

These vulnerabilities have been categorized with varying levels of urgency and severity, but all share a common characteristic—they pose substantial risks when left unaddressed, particularly for federal enterprises. The vulnerabilities were identified through active threat research and exploitation monitoring, underlining the need for immediate mitigation and patching.

CVE-2024-1212: Progress Kemp LoadMaster OS Command Injection Vulnerability

Progress Kemp LoadMaster, a widely-used application delivery controller and load balancer, has been found to contain a severe OS command injection vulnerability. This issue, designated CVE-2024-1212, allows an attacker with access to the administrator web user interface (WUI) to execute arbitrary commands on the affected system. The vulnerability stems from a flaw in the LoadMaster’s handling of API requests via the administrator interface.

The vulnerability in Progress Kemp LoadMaster (CVE-2024-1212) is triggered when an attacker sends specially crafted input to the system’s “/access” endpoint, which bypasses existing restrictions. This input is improperly handled by a vulnerable Bash script, leading to unchecked user input being passed into a system() call.

As a result, attackers can inject malicious commands that could potentially escalate privileges to root, providing full control over the device. The affected version is 7.2.59.0.22007, while the issue has been addressed in the patched version 7.2.59.2.22338. For further details, users are encouraged to review the Kemp LoadMaster CVE-2024-1212 advisory.

The vulnerability was rapidly patched after its discovery, but administrators are urged to upgrade to the latest version to mitigate potential exploitation risks. If left unpatched, the vulnerability allows attackers to completely compromise the affected system, making it a prime target for cybercriminals.

CVE-2024-0012: PAN-OS Authentication Bypass Vulnerability

CVE-2024-0012 is a critical vulnerability in Palo Alto Networks PAN-OS, the software that powers their next-generation firewalls. This vulnerability allows unauthenticated attackers to bypass authentication mechanisms on the management web interface, granting them administrator-level privileges.

The vulnerability in PAN-OS software (CVE-2024-0012) affects the management interface, allowing attackers to bypass authentication controls and gain unauthorized access to administrative functions. This could lead to a full compromise of the firewall, enabling attackers to modify configurations, exfiltrate sensitive data, or exploit other vulnerabilities, such as CVE-2024-9474, which facilitates privilege escalation.

Reports indicate that this flaw is actively being exploited, with cybercriminals targeting management interfaces exposed to the internet. The vulnerability has been assigned a critical severity score of 9.3, highlighting its potential impact. Affected versions include PAN-OS 10.2, PAN-OS 11.0, PAN-OS 11.1, and PAN-OS 11.2.

Palo Alto Networks published an advisory (PAN-SA-2024-0015) on November 18, 2024, and has released patches for PAN-OS versions 10.2.12-h2, 11.0.6-h1, 11.1.5-h1, 11.2.4-h1, and later versions. To mitigate risks, the company strongly recommends restricting access to the management interface to trusted internal IP addresses.

CVE-2024-9474: PAN-OS Privilege Escalation Vulnerability

Another vulnerability, CVE-2024-9474, found in the same PAN-OS software, allows attackers to escalate privileges once they have compromised a device through the previously mentioned CVE-2024-0012 vulnerability. This privilege escalation (PE) vulnerability is especially dangerous for organizations that have already been compromised, as it allows attackers to gain root-level access to the device, providing them with full control over the firewall system.

The vulnerability (CVE-2024-9474) allows attackers who have already bypassed authentication (via CVE-2024-0012) to escalate their privileges through a flaw in the web management interface of PAN-OS. Once they gain elevated privileges, attackers can perform administrative actions that are normally restricted, such as modifying critical system files or configurations, potentially leading to a complete system compromise.

This vulnerability has been assigned a medium severity rating of 6.9 and is actively being exploited. Affected versions include PAN-OS 10.2, PAN-OS 11.0, PAN-OS 11.1, and PAN-OS 11.2. To address the issue, Palo Alto Networks has released patches for PAN-OS versions 10.2.12-h2, 11.0.6-h1, 11.1.5-h1, 11.2.4-h1, and later versions. In addition to applying these patches, it is recommended to restrict access to management interfaces to trusted internal IP addresses.

Recommendations and Mitigations

To mitigate the risks posed by these vulnerabilities, the following actions are strongly recommended for affected organizations:

1. Ensure all affected systems are patched to the latest versions as listed in the vendor advisories. This will address the vulnerabilities at their core.
2. Limiting access to management interfaces to trusted internal IP addresses is the best defense against exploitation, particularly for vulnerabilities like CVE-2024-0012.
3. Regularly monitor for any unusual activity or configuration changes within your firewalls or load balancers. This includes reviewing logs for signs of exploitation or attempts to exploit the listed vulnerabilities.
4. Organizations using Palo Alto Networks’ firewalls with a Threat Prevention subscription should configure the system to block known attacks associated with these vulnerabilities using Threat IDs 95746, 95747, and others.

Conclusion

The addition of CVE-2024-1212, CVE-2024-0012, and CVE-2024-9474 to the Known Exploited Vulnerabilities Catalog highlights the active and ongoing nature of threats targeting critical infrastructure. Cybercriminals are increasingly targeting vulnerabilities in widely used enterprise tools like load balancers and firewalls, aiming to exploit weak points that could lead to full system compromises or privilege escalation.

Organizations that use affected products, such as Progress Kemp LoadMaster or Palo Alto Networks’ PAN-OS, are strongly encouraged to apply the necessary patches and follow best practices for securing management interfaces. By taking these steps, they can mitigate the risk of exploitation and protect their systems.

Sources:

• https://www.cisa.gov/news-events/alerts/2024/11/18/cisa-adds-three-known-exploited-vulnerabilities-catalog
• https://security.paloaltonetworks.com/CVE-2024-0012
• https://community.progress.com/s/products/loadmaster
• https://security.paloaltonetworks.com/CVE-2024-9474

Related