CVE-2024-0012

Known Exploited Public Exploit
PAN-OS: Authentication Bypass in the Management Web Interface (PAN-SA-2024-0015)

Description

An authentication bypass in Palo Alto Networks PAN-OS software enables an unauthenticated attacker with network access to the management web interface to gain PAN-OS administrator privileges to perform administrative actions, tamper with the configuration, or exploit other authenticated privilege escalation vulnerabilities like CVE-2024-9474 (https://security.paloaltonetworks.com/CVE-2024-9474).

The risk of this issue is greatly reduced if you secure access to the management web interface by restricting access to only trusted internal IP addresses according to our recommended best practice deployment guidelines (https://live.paloaltonetworks.com/t5/community-blogs/tips-amp-tricks-how-to-secure-the-management-access-of-your-palo/ba-p/464431).

This issue is applicable only to PAN-OS 10.2, PAN-OS 11.0, PAN-OS 11.1, and PAN-OS 11.2 software. Cloud NGFW and Prisma Access are not impacted by this vulnerability.

Remediation

Solution:

  • We strongly recommend that you secure access to your management interface following the instructions in the workarounds section below. This issue is fixed in PAN-OS 10.2.12-h2, PAN-OS 11.0.6-h1, PAN-OS 11.1.5-h1, PAN-OS 11.2.4-h1, and all later PAN-OS versions. In addition, in an attempt to provide the most seamless upgrade path for our customers, we are making fixes available for other TAC-preferred and commonly deployed maintenance releases.
  • Additional PAN-OS 11.2 fixes: 11.2.0-h1, 11.2.1-h1, 11.2.2-h2, 11.2.3-h3, 11.2.4-h1
  • Additional PAN-OS 11.1 fixes: 11.1.0-h4, 11.1.1-h2, 11.1.2-h15, 11.1.3-h11, 11.1.4-h7, 11.1.5-h1
  • Additional PAN-OS 11.0 fixes: 11.0.0-h4, 11.0.1-h5, 11.0.2-h5, 11.0.3-h13, 11.0.4-h6, 11.0.5-h2, 11.0.6-h1
  • Additional PAN-OS 10.2 fixes: 10.2.0-h4, 10.2.1-h3, 10.2.2-h6, 10.2.3-h14, 10.2.4-h32, 10.2.5-h9, 10.2.6-h6, 10.2.7-h18, 10.2.8-h15, 10.2.9-h16, 10.2.10-h9, 10.2.11-h6, 10.2.12-h2
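To triage a firewall inventory against the fixed releases listed above, the following is an added example (not vendor or site code). It assumes that a hotfix number equal to or higher than the listed one on the same maintenance release contains the fix; the hostnames and inventory are constructed.

```python
import re

# Minimum fixed hotfix per maintenance release, transcribed from the list
# above. Index = maintenance number, value = first fixed hotfix (-hN).
FIXED_HOTFIX = {
    (10, 2): [4, 3, 6, 14, 32, 9, 6, 18, 15, 16, 9, 6, 2],
    (11, 0): [4, 5, 5, 13, 6, 2, 1],
    (11, 1): [4, 2, 15, 11, 7, 1],
    (11, 2): [1, 1, 2, 3, 1],
}
VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:-h(\d+))?$")


def classify(version):
    """Return 'fixed', 'vulnerable' or 'not-applicable' for a PAN-OS version."""
    m = VERSION_RE.match(version.strip())
    if not m:
        raise ValueError(f"unrecognised PAN-OS version: {version!r}")
    major, minor, maint = int(m[1]), int(m[2]), int(m[3])
    hotfix = int(m[4] or 0)  # no -hN suffix means the base maintenance release
    table = FIXED_HOTFIX.get((major, minor))
    if table is None:
        # The advisory applies only to the 10.2, 11.0, 11.1 and 11.2 trains.
        return "not-applicable"
    if maint >= len(table):
        # Later maintenance release than the last one listed for this train.
        return "fixed"
    # Assumption: hotfixes are cumulative within a maintenance release.
    return "fixed" if hotfix >= table[maint] else "vulnerable"


def triage(inventory):
    """Group hostnames by status so vulnerable devices can be patched first."""
    report = {"vulnerable": [], "fixed": [], "not-applicable": []}
    for host, version in inventory.items():
        report[classify(version)].append(host)
    return {status: sorted(hosts) for status, hosts in report.items()}


# Constructed inventory: hostnames and version assignments are illustrative.
SAMPLE_INVENTORY = {
    "fw-edge-01": "10.2.4-h31",
    "fw-edge-02": "10.2.4-h32",
    "fw-core-01": "11.2.4",
    "fw-core-02": "11.1.6",
    "fw-lab-01": "10.1.14-h6",
}

if __name__ == "__main__":
    for status, hosts in triage(SAMPLE_INVENTORY).items():
        print(f"{status}: {', '.join(hosts) or '-'}")
```

A device reported as fixed still needs its management interface restricted as described in the workaround section.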

Workaround:

  • Recommended mitigation: The vast majority of firewalls already follow Palo Alto Networks and industry best practices. However, if you haven't already, we strongly recommend that you secure access to your management interface according to our best practice deployment guidelines. Specifically, you should restrict access to the management interface to only trusted internal IP addresses to prevent external access from the internet.

Additionally, if you have a Threat Prevention subscription, you can block these attacks using Threat IDs 95746, 95747, 95752, 95753, 95759, and 95763 (available in Applications and Threats content version 8915-9075 and later). For these Threat IDs to protect against attacks for this vulnerability:

  • Ensure that all the listed Threat IDs are set to block mode,
  • Route incoming traffic for the MGT port through a DP port (https://docs.paloaltonetworks.com/best-practices/10-1/administrative-access-best-practices/administrative-access-best-practices/deploy-administrative-access-best-practices#id59206398-3dab-4b2f-9b4b-7ea500d036ba), e.g., enabling management profile on a DP interface for management access,
  • Replace the Certificate for Inbound Traffic Management (https://docs.paloaltonetworks.com/best-practices/10-1/administrative-access-best-practices/administrative-access-best-practices/deploy-administrative-access-best-practices#id112f7714-8995-4496-bbf9-781e63dec71c),
  • Decrypt inbound traffic to the management interface so the firewall can inspect it (https://docs.paloaltonetworks.com/best-practices/10-1/administrative-access-best-practices/administrative-access-best-practices/deploy-administrative-access-best-practices#idbbd82587-17a2-42b4-9245-d3714e1e13a2), and
  • Enable threat prevention on the inbound traffic to management services.

Review information about how to secure management access to your Palo Alto Networks firewalls:

  • Palo Alto Networks LIVEcommunity article: https://live.paloaltonetworks.com/t5/community-blogs/tips-amp-tricks-how-to-secure-the-management-access-of-your-palo/ba-p/464431
  • Palo Alto Networks official and more detailed technical documentation: https://docs.paloaltonetworks.com/best-practices/10-1/administrative-access-best-practices/administrative-access-best-practices/deploy-administrative-access-best-practices

CVSS: 9.3
Severity: Critical
EPSS 94.36% Top 5%
KEV Since 
Vendor Advisory: paloaltonetworks.com
Affected: Palo Alto Networks Cloud NGFW
Affected: Palo Alto Networks PAN-OS
Affected: Palo Alto Networks Prisma Access
Published at:
Updated at:

Frequently Asked Questions

What is the severity of CVE-2024-0012?
CVE-2024-0012 has been scored as a critical severity vulnerability.
How to fix CVE-2024-0012?
To fix CVE-2024-0012: We strongly recommend that you secure access to your management interface following the instructions in the workarounds section below. This issue is fixed in PAN-OS 10.2.12-h2, PAN-OS 11.0.6-h1, PAN-OS 11.1.5-h1, PAN-OS 11.2.4-h1, and all later PAN-OS versions. In addition, in an attempt to provide the most seamless upgrade path for our customers, we are making fixes available for other TAC-preferred and commonly deployed maintenance releases.
  • Additional PAN-OS 11.2 fixes: 11.2.0-h1, 11.2.1-h1, 11.2.2-h2, 11.2.3-h3, 11.2.4-h1
  • Additional PAN-OS 11.1 fixes: 11.1.0-h4, 11.1.1-h2, 11.1.2-h15, 11.1.3-h11, 11.1.4-h7, 11.1.5-h1
  • Additional PAN-OS 11.0 fixes: 11.0.0-h4, 11.0.1-h5, 11.0.2-h5, 11.0.3-h13, 11.0.4-h6, 11.0.5-h2, 11.0.6-h1
  • Additional PAN-OS 10.2 fixes: 10.2.0-h4, 10.2.1-h3, 10.2.2-h6, 10.2.3-h14, 10.2.4-h32, 10.2.5-h9, 10.2.6-h6, 10.2.7-h18, 10.2.8-h15, 10.2.9-h16, 10.2.10-h9, 10.2.11-h6, 10.2.12-h2
Is CVE-2024-0012 being actively exploited in the wild?
It is confirmed that CVE-2024-0012 is actively exploited. Be extra cautious if you are using vulnerable components. According to its EPSS score, there is a ~94% probability that this vulnerability will be exploited by malicious actors in the next 30 days.
What software or system is affected by CVE-2024-0012?
CVE-2024-0012 affects Palo Alto Networks Cloud NGFW, Palo Alto Networks PAN-OS, Palo Alto Networks Prisma Access.
This platform uses data from the NIST NVD, MITRE CVE, MITRE CWE, First.org and CISA KEV but is not endorsed or certified by these entities. CVE is a registered trademark of the MITRE Corporation and the authoritative source of CVE content is MITRE's CVE web site. CWE is a registered trademark of the MITRE Corporation and the authoritative source of CWE content is MITRE's CWE web site.
© 2025 Under My Watch. All Rights Reserved.