https://live.paloaltonetworks.com/t5/next-generation-firewall/cve-2024-9474-pan-os-privilege-escalation-pe-vulnerability-in/m-p/623440#M5022 <P>Hello V. Benfanti,</P> <P>On the one hand, you have to stay in the 10.2 tree with the PA-220, as this is the last version that supports the hardware platform.<BR />Furthermore, the bug in 10.2.10-h7 is not yet fixed and you would have to switch to a fixed version at this point, in this case 10.2.12-h2.<BR />Alternatively, please check whether you have followed the best practice regarding the protection of MGMT interfaces.<BR />See here: <A href="https://live.paloaltonetworks.com/t5/community-blogs/tips-amp-tricks-how-to-secure-the-management-access-of-your-palo/ba-p/464431" target="_blank">https://live.paloaltonetworks.com/t5/community-blogs/tips-amp-tricks-how-to-secure-the-management-access-of-your-palo/ba-p/464431</A><BR />As you can reduce the CVE to a 5.9.</P> <P>Furthermore, please check if you have installed the Conntent version 8915-9075, so that the attacks can be recognized by the firewall (Threat IDs 95746, 95747, 95752, 95753, 95759, and 95763).</P> <P>Best regards</P> Mon, 18 Nov 2024 16:23:57 GMT SeSchulte 2024-11-18T16:23:57Z https://live.paloaltonetworks.com/t5/next-generation-firewall/cve-2024-9474-pan-os-privilege-escalation-pe-vulnerability-in/m-p/623299#M5021 <P>Hello!<BR />I just received and was reading this email&nbsp;<A href="https://security.paloaltonetworks.com/CVE-2024-9474" target="_blank">CVE-2024-9474 PAN-OS: Privilege Escalation (PE) Vulnerability in the Web Management Interface</A>&nbsp;and if I'm reading it right, the guidance is to upgrade to&nbsp;<SPAN>10.2.12-h2 or greater (I'm on a PA-220, 11 is not supported). I've been trying to stick with the&nbsp;<STRONG>Preferred</STRONG> versions here&nbsp;<A href="https://live.paloaltonetworks.com/t5/customer-resources/support-pan-os-software-release-guidance/ta-p/258304" target="_blank">Support PAN-OS Software Release Guidance</A>&nbsp;and the latest Preferred version is&nbsp;10.2.10-h7 which I believe is vulnerable. Do I have that right???&nbsp; Thanks!<BR /></SPAN></P> <P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="VBenfanti_0-1731943900461.png" style="width: 400px;"><img src="https://live.paloaltonetworks.com/t5/image/serverpage/image-id/64052iEEEF77AED2611894/image-size/medium/is-moderation-mode/true?v=v2&amp;px=400" role="button" title="VBenfanti_0-1731943900461.png" alt="VBenfanti_0-1731943900461.png" /></span></P> <P>&nbsp;</P> Mon, 18 Nov 2024 15:37:17 GMT https://live.paloaltonetworks.com/t5/next-generation-firewall/cve-2024-9474-pan-os-privilege-escalation-pe-vulnerability-in/m-p/623299#M5021 V.Benfanti 2024-11-18T15:37:17Z https://live.paloaltonetworks.com/t5/next-generation-firewall/cve-2024-9474-pan-os-privilege-escalation-pe-vulnerability-in/m-p/623440#M5022 <P>Hello V. Benfanti,</P> <P>On the one hand, you have to stay in the 10.2 tree with the PA-220, as this is the last version that supports the hardware platform.<BR />Furthermore, the bug in 10.2.10-h7 is not yet fixed and you would have to switch to a fixed version at this point, in this case 10.2.12-h2.<BR />Alternatively, please check whether you have followed the best practice regarding the protection of MGMT interfaces.<BR />See here: <A href="https://live.paloaltonetworks.com/t5/community-blogs/tips-amp-tricks-how-to-secure-the-management-access-of-your-palo/ba-p/464431" target="_blank">https://live.paloaltonetworks.com/t5/community-blogs/tips-amp-tricks-how-to-secure-the-management-access-of-your-palo/ba-p/464431</A><BR />As you can reduce the CVE to a 5.9.</P> <P>Furthermore, please check if you have installed the Conntent version 8915-9075, so that the attacks can be recognized by the firewall (Threat IDs 95746, 95747, 95752, 95753, 95759, and 95763).</P> <P>Best regards</P> Mon, 18 Nov 2024 16:23:57 GMT https://live.paloaltonetworks.com/t5/next-generation-firewall/cve-2024-9474-pan-os-privilege-escalation-pe-vulnerability-in/m-p/623440#M5022 SeSchulte 2024-11-18T16:23:57Z https://live.paloaltonetworks.com/t5/next-generation-firewall/cve-2024-9474-pan-os-privilege-escalation-pe-vulnerability-in/m-p/627804#M5032 <P>IS Pan OS 9.1 vulnerable?&nbsp; The advisory does not state.&nbsp;</P> Tue, 19 Nov 2024 18:06:04 GMT https://live.paloaltonetworks.com/t5/next-generation-firewall/cve-2024-9474-pan-os-privilege-escalation-pe-vulnerability-in/m-p/627804#M5032 Ecaballero 2024-11-19T18:06:04Z https://live.paloaltonetworks.com/t5/next-generation-firewall/cve-2024-9474-pan-os-privilege-escalation-pe-vulnerability-in/m-p/627820#M5034 <P><a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/115758">@Ecaballero</a>,</P> <P>It seems likely that it is since this covers all presently supported versions of PAN-OS. Since 9.1 is EoL and the PA-3000 series also went EoL here a couple of weeks ago there's zero support for that build anymore. I'd highly recommend that you secure the management port and&nbsp; getting that equipment replaced.</P> Tue, 19 Nov 2024 18:15:23 GMT https://live.paloaltonetworks.com/t5/next-generation-firewall/cve-2024-9474-pan-os-privilege-escalation-pe-vulnerability-in/m-p/627820#M5034 BPry 2024-11-19T18:15:23Z https://live.paloaltonetworks.com/t5/next-generation-firewall/cve-2024-9474-pan-os-privilege-escalation-pe-vulnerability-in/m-p/628315#M5035 <P>Hello&nbsp;<a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/115758">@Ecaballero</a>&nbsp;- PanOS 9.1 is not vulnerable to this issue. However it is strongly advised to move off 9.1 as this is no longer a supported release.&nbsp;</P> Tue, 19 Nov 2024 22:58:00 GMT https://live.paloaltonetworks.com/t5/next-generation-firewall/cve-2024-9474-pan-os-privilege-escalation-pe-vulnerability-in/m-p/628315#M5035 iarobertson 2024-11-19T22:58:00Z