Palo Alto released patches to address several vulnerabilities discovered in their products, if exploited, could allow unauthorized access, data breaches, and disruption of services.
A range of vulnerabilities affecting various Palo Alto Networks products, including PAN-OS, GlobalProtect, Cortex XDR, and others. The most critical vulnerabilities are CVE-2024-8686 and CVE-2024-8687.
CVE-2024-8686: Command Injection Vulnerability in PAN-OS with a CVSS 8.6
This vulnerability affects PAN-OS and could enable an authenticated administrator to bypass system restrictions and execute arbitrary commands as root on the firewall. This vulnerability could allow an attacker to gain complete control over the affected system, potentially leading to a devastating compromise.
Affected Versions:
- PAN-OS 11.2: Versions prior to 11.2.3 are affected
To mitigate this vulnerability, administrators are urged to upgrade to PAN-OS 11.2.3 or later versions.
CVE-2024-8687: GlobalProtect Cleartext Exposure with a CVSS 6.9
This vulnerability impacts PAN-OS and GlobalProtect and could expose sensitive information, such as GlobalProtect, uninstall passwords, and disable or disconnect passcodes. This vulnerability could enable end-users to bypass security measures and uninstall, disable, or disconnect GlobalProtect, even if their configuration doesn’t permit them to do so.
Affected Versions:
- Versions prior to 6.2.1, 6.1.2, 6.0.7, 5.2.13, and 5.1.12 are vulnerable.
Users are advised to update to the latest versions of GlobalProtect to prevent exploitation.
The other vulnerabilities patched, including cleartext exposure of credentials, arbitrary file read vulnerabilities, and user impersonation issues. These vulnerabilities, while not as critical as the aforementioned ones, still pose a significant risk to organizations’ security and should be addressed promptly.
Palo Alto Networks has released patches and updates to mitigate these vulnerabilities, and customers can apply them immediately. It also provides detailed instructions and workarounds for those who cannot immediately apply the patches.
