CVE-2024-9474: 
PAN-OS vulnerability analysis and mitigation

A privilege escalation vulnerability (CVE-2024-9474) was discovered in Palo Alto Networks PAN-OS software that allows a PAN-OS administrator with access to the management web interface to perform actions on the firewall with root privileges. The vulnerability affects PAN-OS versions 10.1, 10.2, 11.0, 11.1, and 11.2 software on PA-Series, VM-Series, and CN-Series firewalls and on Panorama (virtual and M-Series) and WildFire appliances. Cloud NGFW and Prisma Access are not impacted by this vulnerability (Palo Advisory).

The vulnerability is classified as CWE-78 (Improper Neutralization of Special Elements used in an OS Command Injection). It has a CVSS v4.0 base score of 6.9 MEDIUM when exposed to the internet, and 5.9 when access is restricted to trusted IP addresses. The vulnerability allows command injection through shell metacharacters in the username parameter that gets passed to the AuditLog.write() function and eventually to pexecute() without proper sanitization (Watchtowr Labs).

If exploited, this vulnerability allows an authenticated administrator to execute commands with root privileges on the affected firewall. The risk is highest when the management interface is accessible from external IP addresses on the internet, allowing malicious administrators to tamper with system integrity (Palo Advisory).

The vulnerability is fixed in PAN-OS 10.1.14-h6, PAN-OS 10.2.12-h2, PAN-OS 11.0.6-h1, PAN-OS 11.1.5-h1, PAN-OS 11.2.4-h1, and all later PAN-OS versions. As a workaround, Palo Alto Networks strongly recommends restricting access to the management interface to only trusted internal IP addresses to prevent external access from the internet. The vast majority of firewalls already follow these best practices (Palo Advisory).