Attacker Value
High
(1 user assessed)
Exploitability
High
(1 user assessed)
User Interaction
None
Privileges Required
High
Attack Vector
Network

CVE-2024-9474

Disclosure Date: November 18, 2024
Exploited in the Wild

Description

A privilege escalation vulnerability in Palo Alto Networks PAN-OS software allows a PAN-OS administrator with access to the management web interface to perform actions on the firewall with root privileges.

Cloud NGFW and Prisma Access are not impacted by this vulnerability.

Technical Analysis

CVE-2024-9474 was exploited in the wild as part of an exploit chain, paired with the authentication bypass CVE-2024-0012, to allow for unauthenticated RCE. On its own, CVE-2024-9474 would require authentication.

A technical analysis of CVE-2024-9474 shows this vulnerability is a command injection, allowing an attacker to execute arbitrary OS commands with root privileges.

An attacker can make a POST request to the /php/utils/createRemoteAppwebSession.php endpoint, which will create a new PHP session, returning a new PHPSESSID cookie. This POST request allows an attacker to supply an arbitrary username for the new session. The username value will be stored in a session object. A second HTTP request, for example to /index.php, can then trigger the command injection when the function AuditLog.write is called and the poisoned username value from the new session is passed to a call to pexecute, achieving command injection.

A Metasploit exploit module for the exploit chain comprising the auth bypass CVE-2024-0012 and the command injection CVE-2024-9474 is available. Based on writing this exploit module, I have rated both the attacker value and the exploitability of this as high, as a target PAN-OS management interface is vulnerable in a default configuration, and compromising a PAN-OS device is a high-value target for an attacker. However, this vulnerability is authenticated, so it needs to be paired with an auth bypass.
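A defensive correlation check for the two-request pattern described in the assessment above (a session minted through createRemoteAppwebSession.php, then reused on another management page), added here as an example; it is not part of the original assessment nor any Palo Alto Networks tooling. It assumes a constructed management-plane access-log format (source IP, method, path, status, session ID in effect after the request), an assumed trusted management network of 10.0.0.0/8, and constructed sample lines.

```python
import re
from ipaddress import ip_address, ip_network

# Endpoint named in the assessment; everything else in this block is assumed.
SESSION_ENDPOINT = "/php/utils/createRemoteAppwebSession.php"
# Constructed log format: "<src_ip> <METHOD> <path> <status> <session_id>",
# session_id being the PHPSESSID in effect after the request ("-" if none).
LINE_RE = re.compile(r"^(\S+) (GET|POST) (\S+) (\d{3}) (\S+)$")
TRUSTED_NETS = ["10.0.0.0/8"]  # assumed management-network allow-list

def parse_line(line):
    """Parse one constructed log line into a dict, or None if malformed."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    src, method, path, status, sid = m.groups()
    return {"src": src, "method": method, "path": path, "status": int(status), "sid": sid}

def find_suspicious_sessions(lines, trusted_nets=TRUSTED_NETS):
    """Return (finding, src_ip, session_id, outside_trusted) tuples for sessions
    minted via SESSION_ENDPOINT and for later reuse of such a session elsewhere."""
    nets = [ip_network(n) for n in trusted_nets]
    minted = set()
    findings = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        try:
            outside = not any(ip_address(rec["src"]) in n for n in nets)
        except ValueError:  # unparseable source address: treat as untrusted
            outside = True
        if rec["method"] == "POST" and rec["path"] == SESSION_ENDPOINT and rec["status"] == 200:
            minted.add(rec["sid"])
            findings.append(("session_minted", rec["src"], rec["sid"], outside))
        elif rec["sid"] in minted and rec["path"] != SESSION_ENDPOINT:
            findings.append(("minted_session_reused", rec["src"], rec["sid"], outside))
    return findings

# Constructed sample: a normal admin session, then a minted session reused on /index.php.
SAMPLE_LOG = [
    "10.0.0.5 POST /php/login.php 200 sess-admin-1",
    "10.0.0.5 GET /index.php 200 sess-admin-1",
    "203.0.113.7 POST /php/utils/createRemoteAppwebSession.php 200 sess-minted-9",
    "203.0.113.7 GET /index.php 200 sess-minted-9",
    "garbage line that does not parse",
]
if __name__ == "__main__":
    print(find_suspicious_sessions(SAMPLE_LOG))
```

Any hit from outside the trusted networks is the stronger signal, since the management interface should not be reachable from there at all.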

CVSS V3 Severity and Metrics
Base Score:
7.2 High
Impact Score:
5.9
Exploitability Score:
1.2
Vector:
CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
Attack Vector (AV):
Network
Attack Complexity (AC):
Low
Privileges Required (PR):
High
User Interaction (UI):
None
Scope (S):
Unchanged
Confidentiality (C):
High
Integrity (I):
High
Availability (A):
High

General Information

Vendors

  • paloaltonetworks

Products

  • pan-os
  • pan-os 10.1.14
  • pan-os 10.2.12
  • pan-os 11.0.6
  • pan-os 11.1.5
  • pan-os 11.2.4
