Query Details

CVE-2024-0012 PAN-OS Authentication Bypass in the Management Web Interface

Query

// CVE-2024-0012 PAN-OS - Authentication Bypass in the Management Web Interface

// An authentication bypass in Palo Alto Networks PAN-OS software enables an unauthenticated attacker with network access to the management web interface to gain PAN-OS administrator privileges to perform administrative actions, tamper with the configuration, or exploit other authenticated privilege escalation vulnerabilities. Affected: PAN-OS 11.2 < 11.2.4-h1, 11.1 < 11.1.5-h1, 11.0 < 11.0.6-h1 and 10.2 < 10.2.12-h2; Cloud NGFW and Prisma Access are not affected. The following detects firewalls whose most recently reported version is below the first fixed build for their maintenance release.

// First fixed build (hotfix number) for each maintenance release of an affected train, per the vendor advisory.
// A release that is not listed (for example 11.2.5 or 10.2.13) is either an unaffected train or later than the fix, so it is not flagged.
let FirstFixed = datatable(Base:string, FixedHotfix:int) [
    "11.2.0", 1,  "11.2.1", 1,  "11.2.2", 2,  "11.2.3", 3,  "11.2.4", 1,
    "11.1.0", 4,  "11.1.1", 2,  "11.1.2", 15, "11.1.3", 11, "11.1.4", 7,  "11.1.5", 1,
    "11.0.0", 4,  "11.0.1", 5,  "11.0.2", 5,  "11.0.3", 13, "11.0.4", 6,  "11.0.5", 2,  "11.0.6", 1,
    "10.2.0", 4,  "10.2.1", 3,  "10.2.2", 6,  "10.2.3", 14, "10.2.4", 32, "10.2.5", 9,  "10.2.6", 6,
    "10.2.7", 18, "10.2.8", 15, "10.2.9", 16, "10.2.10", 9, "10.2.11", 6, "10.2.12", 2
];
CommonSecurityLog
| where DeviceProduct == "PAN-OS"
| summarize arg_max(TimeGenerated, DeviceVersion) by Computer                    // latest version each firewall reported
| extend Base = extract(@"^(\d+\.\d+\.\d+)", 1, DeviceVersion),                  // "11.1.4" from "11.1.4-h7"
         Hotfix = coalesce(extract(@"-h(\d+)", 1, DeviceVersion, typeof(int)), 0) // bare release = hotfix 0
| join kind=inner FirstFixed on Base                                             // keeps only affected releases
| where Hotfix < FixedHotfix
| distinct Computer, DeviceVersion                                               // Vulnerable Palo Alto Firewall

Explanation

This query identifies Palo Alto Networks PAN-OS firewalls that are still running a build vulnerable to CVE-2024-0012, an authentication bypass in the management web interface. Here's a summary of what the query does:

  1. Define Fixed Builds: It tabulates, for every maintenance release in the affected 11.2, 11.1, 11.0 and 10.2 trains, the first hotfix that contains the fix (for example 11.1.4-h7). Any lower hotfix of the same release, including the bare release with no hotfix, is vulnerable. Releases not in the table are either unaffected trains or later than the fix.

  2. Filter Logs: It searches the security logs (CommonSecurityLog) for entries produced by PAN-OS devices and keeps only the most recent version each firewall reported, so a device that has since been upgraded is not reported on the strength of stale logs.

  3. Check for Vulnerability: It splits the reported version into its base release and hotfix number and compares the hotfix against the first fixed build for that release.

  4. Identify Affected Devices: It outputs the distinct firewalls, with the version they reported, that are below the fixed build.

Two caveats: the version comes from the CEF header the firewall wrote, so a firewall that does not forward logs to the workspace is never evaluated, and a hit is a version check, not evidence of exploitation. For exposure, also confirm whether the management interface is reachable from untrusted networks, since the vendor's guidance is to restrict it to trusted internal addresses.
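The same version check, carried through in Python over constructed CEF records so the comparison logic can be exercised outside the workspace, including the edge cases the KQL has to get right: a bare release versus a hotfix build, a maintenance release later than the fix, an unaffected train, and a non-PAN-OS product. This is an added example, not the query author's code or anything from Palo Alto Networks; the fixed-build table is the vendor's published fixed releases, the CEF lines are constructed sample data, and the helper names (parse_version, is_vulnerable, vulnerable_hosts) are this example's own.

```python
"""CVE-2024-0012 version-threshold check over constructed PAN-OS CEF records.

Added example, not code from the original page or from Palo Alto Networks.
"""
import re
from typing import Iterable, Optional, Set, Tuple

# First fixed build (hotfix number) for each maintenance release of an affected train.
# Releases not listed (e.g. 11.2.5, 10.2.13, anything on 10.1) are not affected.
FIRST_FIXED_HOTFIX = {
    "11.2.0": 1, "11.2.1": 1, "11.2.2": 2, "11.2.3": 3, "11.2.4": 1,
    "11.1.0": 4, "11.1.1": 2, "11.1.2": 15, "11.1.3": 11, "11.1.4": 7, "11.1.5": 1,
    "11.0.0": 4, "11.0.1": 5, "11.0.2": 5, "11.0.3": 13, "11.0.4": 6, "11.0.5": 2, "11.0.6": 1,
    "10.2.0": 4, "10.2.1": 3, "10.2.2": 6, "10.2.3": 14, "10.2.4": 32, "10.2.5": 9,
    "10.2.6": 6, "10.2.7": 18, "10.2.8": 15, "10.2.9": 16, "10.2.10": 9, "10.2.11": 6,
    "10.2.12": 2,
}

# PAN-OS versions look like "11.1.4" (bare release) or "11.1.4-h7" (hotfix 7).
VERSION_RE = re.compile(r"^(\d+\.\d+\.\d+)(?:-h(\d+))?$")

# CEF header: CEF:Version|Device Vendor|Device Product|Device Version|...
CEF_RE = re.compile(r"^CEF:\d+\|(?P<vendor>[^|]*)\|(?P<product>[^|]*)\|(?P<version>[^|]*)\|")


def parse_version(version: str) -> Optional[Tuple[str, int]]:
    """Split '11.1.4-h7' into ('11.1.4', 7); a bare release has hotfix 0."""
    m = VERSION_RE.match(version.strip())
    if not m:
        return None
    return m.group(1), int(m.group(2) or 0)


def is_vulnerable(version: str) -> bool:
    """True when the build is below the first fixed hotfix for its release."""
    parsed = parse_version(version)
    if parsed is None:
        return False  # unparseable version string: do not guess
    base, hotfix = parsed
    fixed = FIRST_FIXED_HOTFIX.get(base)
    if fixed is None:
        return False  # unaffected train, or a release later than the fix
    return hotfix < fixed


def vulnerable_hosts(records: Iterable[Tuple[str, str]]) -> Set[str]:
    """records: (computer, raw CEF line). Returns hosts reporting a vulnerable PAN-OS build."""
    hosts: Set[str] = set()
    for computer, line in records:
        m = CEF_RE.match(line)
        if not m or m.group("product") != "PAN-OS":
            continue  # mirrors `where DeviceProduct == "PAN-OS"`
        if is_vulnerable(m.group("version")):
            hosts.add(computer)
    return hosts


# Constructed sample records (hostname, CEF header); not real telemetry.
SAMPLE_RECORDS = [
    ("fw-dc1", "CEF:0|Palo Alto Networks|PAN-OS|11.1.4|TRAFFIC|end|1|..."),          # bare release: vulnerable
    ("fw-dc2", "CEF:0|Palo Alto Networks|PAN-OS|11.1.4-h7|TRAFFIC|end|1|..."),       # first fixed hotfix
    ("fw-branch", "CEF:0|Palo Alto Networks|PAN-OS|10.2.4-h31|THREAT|url|3|..."),    # one below 10.2.4-h32
    ("fw-lab", "CEF:0|Palo Alto Networks|PAN-OS|11.2.5|SYSTEM|general|1|..."),       # later than 11.2.4-h1
    ("fw-legacy", "CEF:0|Palo Alto Networks|PAN-OS|10.1.14-h9|TRAFFIC|end|1|..."),   # unaffected train
    ("not-a-fw", "CEF:0|SomeVendor|OtherProduct|11.1.4|...|..."),                    # wrong product
]

if __name__ == "__main__":
    print(sorted(vulnerable_hosts(SAMPLE_RECORDS)))  # ['fw-branch', 'fw-dc1']
```

The dictionary lookup plays the role of the inner join in the KQL: a release that has no entry is simply never flagged, which is what makes "and all later releases" fall out without a numeric comparison on the maintenance number.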

Details

Steven Lim

Released: November 18, 2024

Tables

CommonSecurityLog

Keywords

CVE, PAN-OS, Authentication Bypass, Management Web Interface, Palo Alto Networks, Administrator Privileges, Configuration, Vulnerabilities, Version, DeviceProduct, DeviceVersion, Computer
