WARNING: AUTHENTICATION BYPASS VULNERABILITY IN PAN-OS SOFTWARE, PATCH IMMEDIATELY!
CVE-2025-0108: CVSS-B: 8.8 (CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:L/VA:N/SC:N/SI:N/SA:N/AU:N/R:U/V:C/RE:M/U:Amber)
Update 2025-02-20:
CVE-2025-0111: CVSS-B: 7.1 (CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/AU:N/R:U/V:C/RE:M/U:Red)
CVE-2024-9474: CVSS-B: 6.9 (CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N/AU:N/R:U/V:C/RE:H/U:Red) previously reported in advisory #2024-269
Update 2025-02-21:
CVE-2025-0110: CVSS-B: 8.6 (CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/AU:N/R:U/V:C/RE:M/U:Amber)
Sources
Official Vendor: https://security.paloaltonetworks.com/CVE-2025-0108
Update 2025-02-20
- https://security.paloaltonetworks.com/CVE-2025-0111
- https://security.paloaltonetworks.com/CVE-2024-9474
Risks
CVE-2025-0108 Authentication Bypass CVSS-B 8.8
Due to missing authentication for a critical function (CWE-306) in the PAN-OS software, an unauthenticated attacker with access to the management web interface can bypass the required authentication. Palo Alto did not release technical details about this vulnerability.
Update 2025-02-20
CVE-2025-0111, CVSS-B 7.1
An authenticated attacker with access to the management web interface can read files on the PAN-OS filesystem that are readable by the “nobody” user.
CVE-2024-9474, CVSS-B 6.9
A previously reported vulnerability (see Advisory #2024-269) that allows privilege escalation on the PAN-OS management interface, so that an attacker can execute actions on the firewall with root privileges.
To exploit these vulnerabilities, an attacker needs access to the PAN-OS device's management interface. That interface should never be internet-facing, which reduces the attack surface.
Update 2025-02-21
CVE-2025-0110 CVSS-B 8.6
A vulnerability in PAN-OS OpenConfig allows an authenticated user to run arbitrary bash commands on the underlying OS via gnmi.Subscribe. The commands are run as device administrator.
Recommended actions
Patch
The Centre for Cybersecurity Belgium strongly recommends installing updates for vulnerable devices with the highest priority after thorough testing.
- PAN-OS 10.1: Upgrade to 10.1.14-h9 or later
- PAN-OS 10.2: Upgrade to 10.2.13-h3 or later
- PAN-OS 11.0 (End-of-Life): Upgrade to a supported fixed version
- PAN-OS 11.1: Upgrade to 11.1.6-h1 or later
- PAN-OS 11.2: Upgrade to 11.2.4-h4 or later
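The thresholds above can be applied to a device inventory as a triage check. This is an added example, not part of the original advisory or any vendor tooling. It assumes plain "or later" ordering within one release train (maintenance number, then hotfix number), uses only the versions listed here, and runs on a constructed inventory; the function names are illustrative.

```python
import re

# Minimum fixed build per PAN-OS release train, copied from the list above as
# (maintenance, hotfix). None marks the end-of-life train with no fix listed.
FIXED = {
    "10.1": (14, 9),
    "10.2": (13, 3),
    "11.0": None,
    "11.1": (6, 1),
    "11.2": (4, 4),
}

# major.minor.maintenance with an optional -hN hotfix suffix
VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:-h(\d+))?$")


def assess(version):
    """Return 'fixed', 'vulnerable', 'eol' or 'unknown' for one version string."""
    m = VERSION_RE.match(version.strip())
    if not m:
        return "unknown"  # unexpected format: review by hand
    major, minor, maint, hotfix = m.groups()
    train = f"{major}.{minor}"
    if train not in FIXED:
        return "unknown"  # train not covered by this advisory's list
    if FIXED[train] is None:
        return "eol"  # must move to a supported fixed version
    # Compare numerically: a build without -hN counts as hotfix 0, and
    # 11.2.10 must sort above 11.2.4-h4 (string comparison gets this wrong).
    build = (int(maint), int(hotfix or 0))
    return "fixed" if build >= FIXED[train] else "vulnerable"


def triage(inventory):
    """Return (host, version, status) rows, hosts that need action first."""
    order = {"vulnerable": 0, "eol": 1, "unknown": 2, "fixed": 3}
    rows = [(host, ver, assess(ver)) for host, ver in inventory.items()]
    return sorted(rows, key=lambda r: (order[r[2]], r[0]))


# Constructed inventory for illustration (hostnames and versions are made up).
INVENTORY = {
    "fw-edge-01": "10.2.13-h2",
    "fw-edge-02": "10.2.13-h3",
    "fw-core-01": "11.0.6",
    "fw-lab-01": "11.2.10",
}

if __name__ == "__main__":
    for host, ver, status in triage(INVENTORY):
        print(f"{host:12} {ver:12} {status}")
```

Any build below the listed threshold for its train is flagged, so confirm borderline hotfix builds against the vendor advisory before closing a ticket.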
Limit Exposure
The CCB recommends removing access from the internet to the PAN-OS management interface to significantly reduce the chances of exploitation for the mentioned vulnerabilities and any future ones.
Monitor/Detect
The CCB recommends organizations upscale monitoring and detection capabilities to identify any related suspicious activity, ensuring a swift response in case of an intrusion.
In case of an intrusion, you can report an incident via https://ccb.belgium.be/en/cert/report-incident.
While patching appliances or software to the newest version may provide safety from future exploitation, it does not remediate historic compromise.
References
NIST NVD:
- https://nvd.nist.gov/vuln/detail/CVE-2025-0108
- https://nvd.nist.gov/vuln/detail/CVE-2025-0111
- https://nvd.nist.gov/vuln/detail/CVE-2024-9474
Cybersecuritynews - https://cybersecuritynews.com/google-released-poc-exploit-for-palo-alto-firewall/