CVE-2024-0012 PAN-OS - Authentication Bypass in the Management Web In…

…terface.kql
SlimKQL · Nov 18, 2024 · 161f3d7 · 161f3d7
1 parent a75d361
commit 161f3d7
Showing 1 changed file with 9 additions and 0 deletions.
diff --git a/Sentinel/CVE-2024-0012 PAN-OS - Authentication Bypass in the Management Web Interface.kql b/Sentinel/CVE-2024-0012 PAN-OS - Authentication Bypass in the Management Web Interface.kql
@@ -0,0 +1,9 @@
+// CVE-2024-0012 PAN-OS - Authentication Bypass in the Management Web Interface
+
+// An authentication bypass in Palo Alto Networks PAN-OS software enables an unauthenticated attacker with network access to the management web interface to gain PAN-OS administrator privileges to perform administrative actions, tamper with the configuration, or exploit other authenticated privilege escalation vulnerabilities. The following detects for version affected by CVE-2024-0012
+
+let AffectedPANOS = dynamic(["11.2.0-h1","11.2.1-h1","11.2.2-h2","11.2.3-h3","11.1.0-h4","11.1.1-h2","11.1.2-h15","11.1.3-h11","11.1.4-h7","11.0.0-h4","11.0.1-h5","11.0.2-h5","11.0.3-h13","11.0.4-h6","11.0.5-h2","11.0.0-h4","11.0.1-h5","11.0.2-h5","11.0.3-h13","11.0.4-h6","11.0.5-h2","10.2.0-h4","10.2.1-h3","10.2.2-h6","10.2.3-h14","10.2.4-h32","10.2.5-h9","10.2.6-h6","10.2.7-h18","10.2.8-h15","10.2.9-h16","10.2.10-h9","10.2.11-h6"]);
+CommonSecurityLog
+| where DeviceProduct == "PAN-OS"
+| where DeviceVersion has_any(AffectedPANOS)
+| distinct Computer                           //Vulnerable Palo Alto Firewall