Written By: Ferdi Gül & Ferhat Dikbiyik

Welcome to this week’s Focus Friday blog, where we continue to explore high-profile cybersecurity incidents through the lens of Third-Party Risk Management (TPRM). As organizations grapple with an ever-evolving threat landscape, vulnerabilities in critical infrastructure remain a constant concern. This week, we focus on the PAN-OS Cleartext vulnerability (CVE-2024-8687) and its impact on third-party risk postures.

But that’s not all. Stay tuned as we hint at something new and exciting that’s coming soon from Black Kite—something that promises to take your TPRM capabilities to the next level. More details later in the blog!

Filtered view of companies with a PAN-OS Cleartext FocusTag™ on the Black Kite platform.

CVE-2024-8687: PAN-OS Cleartext Vulnerability

What is the PAN-OS Cleartext Exposure Vulnerability?

CVE-2024-8687 is a medium-severity vulnerability affecting PAN-OS, GlobalProtect, and Prisma Access, with a CVSS score of 6.9 and an EPSS score of 0.04%. The GlobalProtect uninstall and disable passcodes are exposed in cleartext, so an unauthorized user who obtains them can uninstall or disable the GlobalProtect app and bypass the controls it enforces. While it has not been added to CISA’s KEV catalog, threat actors are actively exploiting it in the wild.

As the landscape of cyber threats grows more complex, traditional methods of tracking and managing vendor risks may no longer suffice. Black Kite has something in store to address this challenge—but more on that soon.

Why Should TPRM Professionals Care About This Vulnerability?

TPRM professionals must monitor this vulnerability, as it could lead to unauthorized network access or system manipulation. Organizations that rely on PAN-OS or GlobalProtect to safeguard access to sensitive systems are particularly at risk. If this vulnerability is exploited, it could lead to significant security bypasses, including exposing networks to malicious actors.

In an environment where speed and accuracy are critical, staying ahead of vulnerabilities like the PAN-OS Cleartext exposure requires more than just reactive measures. Black Kite is working on something that could help organizations take a more proactive and collaborative approach. Stay tuned.

What Questions Should TPRM Professionals Ask Vendors About the Vulnerability?

  • Have you upgraded PAN-OS to one of the fixed versions (11.0.1, 10.2.4, 10.1.9, 10.0.12, 9.1.16) to mitigate CVE-2024-8687?
  • Have you ensured that GlobalProtect passcodes for uninstalling or disabling the app are now securely encrypted and no longer exposed in cleartext?
  • What multi-factor authentication (MFA) solutions have you integrated with PAN-OS and GlobalProtect to prevent unauthorized users from exploiting cleartext passcodes?
  • How are you ensuring that sensitive passcodes are not exposed in cleartext?

Remediation Recommendations for Vendors

  • Upgrade PAN-OS and GlobalProtect to fixed releases: PAN-OS 11.0.1, 10.2.4, 10.1.9, 10.0.12 or 9.1.16, and GlobalProtect 6.2.1 or later.
  • Configure stronger passcode policies and prevent cleartext exposure.
  • Implement multi-factor authentication and restrict local device access.
  • Regularly review and monitor GlobalProtect portal configurations for vulnerabilities.
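As an added example (not code from Black Kite or Palo Alto Networks), the following Python script shows how a TPRM team could triage vendor-reported PAN-OS and GlobalProtect versions against the fixed versions listed above, so that the remediation questions go to the vendors that actually need them. PAN-OS release trains with no fixed version in the list are flagged for verification rather than assumed safe. The inventory rows are constructed sample data, and treating a trailing "-hN" as a hotfix on top of the base release is an assumption about the version format.

```python
"""Triage a vendor-reported PAN-OS / GlobalProtect inventory against the
fixed versions named for CVE-2024-8687.

Added example, not Black Kite's or Palo Alto Networks' own code. The fixed
versions come from the remediation list above; SAMPLE_INVENTORY is constructed
data, and treating a trailing "-hN" as a hotfix on top of the base release is
an assumption about the version format.
"""
import re
from typing import Dict, List, Optional, Tuple

Version = Tuple[int, int, int, int]  # major, minor, patch, hotfix

# Fixed PAN-OS release per train (major.minor), taken from the list above.
PANOS_FIXED: Dict[Tuple[int, int], Tuple[int, int, int]] = {
    (11, 0): (11, 0, 1),
    (10, 2): (10, 2, 4),
    (10, 1): (10, 1, 9),
    (10, 0): (10, 0, 12),
    (9, 1): (9, 1, 16),
}
# GlobalProtect is fixed at 6.2.1 "or later", so one threshold covers all trains.
GLOBALPROTECT_FIXED: Tuple[int, int, int] = (6, 2, 1)

_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:-h(\d+))?$")


def parse_version(text: str) -> Optional[Version]:
    """Parse '10.2.4' or '10.2.4-h2' into a comparable tuple; None if malformed."""
    match = _VERSION_RE.match(text.strip())
    if match is None:
        return None
    major, minor, patch, hotfix = match.groups()
    return (int(major), int(minor), int(patch), int(hotfix or 0))


def panos_status(version_text: str) -> str:
    """'fixed', 'vulnerable', 'unknown-train' (no fixed version listed for that
    major.minor, so verify against the vendor advisory) or 'unparseable'."""
    version = parse_version(version_text)
    if version is None:
        return "unparseable"
    fixed = PANOS_FIXED.get(version[:2])
    if fixed is None:
        return "unknown-train"
    # A hotfix on the fixed base release (e.g. 10.2.4-h1) still counts as fixed.
    return "fixed" if version[:3] >= fixed else "vulnerable"


def globalprotect_status(version_text: str) -> str:
    """Same statuses as panos_status, using the single 6.2.1 threshold."""
    version = parse_version(version_text)
    if version is None:
        return "unparseable"
    return "fixed" if version[:3] >= GLOBALPROTECT_FIXED else "vulnerable"


STATUS_BY_PRODUCT = {"PAN-OS": panos_status, "GlobalProtect": globalprotect_status}

# Constructed vendor inventory: (vendor, product, reported version).
SAMPLE_INVENTORY: List[Tuple[str, str, str]] = [
    ("Vendor A", "PAN-OS", "10.2.3-h2"),
    ("Vendor A", "PAN-OS", "10.2.4"),
    ("Vendor B", "PAN-OS", "11.1.2"),
    ("Vendor B", "GlobalProtect", "6.1.4"),
    ("Vendor C", "PAN-OS", "9.1.16-h1"),
    ("Vendor C", "GlobalProtect", "6.2.1"),
    ("Vendor D", "PAN-OS", "latest"),
]


def triage(inventory):
    """Return (vendor, product, version, status) for every inventory row."""
    results = []
    for vendor, product, version_text in inventory:
        checker = STATUS_BY_PRODUCT.get(product)
        status = checker(version_text) if checker else "unsupported-product"
        results.append((vendor, product, version_text, status))
    return results


def vendors_to_follow_up(inventory):
    """Vendors with any row not confirmed fixed: these get the questions above."""
    return sorted({row[0] for row in triage(inventory) if row[3] != "fixed"})


if __name__ == "__main__":
    for row in triage(SAMPLE_INVENTORY):
        print("%-9s %-13s %-10s %s" % row)
    print("Follow up with:", ", ".join(vendors_to_follow_up(SAMPLE_INVENTORY)))
```

The design choice worth noting is that anything the script cannot positively confirm as fixed (an unlisted release train, an unparseable version string such as "latest") lands on the follow-up list; a triage that silently treats unknowns as safe would hide exactly the vendors that most need a question.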

The time and resources required to address vulnerabilities can overwhelm organizations. But what if there was a way to streamline communication and remediation efforts with vendors? We’ll be introducing a solution that tackles just that—keep reading!

How TPRM Professionals Can Leverage Black Kite for This Vulnerability

Black Kite provides FocusTags to help TPRM professionals identify vendors affected by CVE-2024-8687. With detailed asset information, such as IP addresses and exposed subdomains, TPRM professionals can prioritize response efforts. The FocusTag for this vulnerability, released on September 12, 2024, allows timely and informed action, enhancing vendor ecosystem security.

Black Kite’s PAN-OS Cleartext FocusTag™ details critical insights on the event for TPRM professionals.

Enhancing TPRM Strategies with Black Kite’s FocusTags™

In an environment where cyber threats evolve at a rapid pace, organizations must remain proactive in their Third-Party Risk Management (TPRM) efforts. Black Kite’s FocusTags™ offer an invaluable resource, transforming complex cybersecurity threats into actionable risk intelligence.

While FocusTags™ provide a powerful way to manage risk in real time, Black Kite is working on something even bigger—an innovation that will make the process of closing the gap between risk intelligence and action faster, more collaborative, and more efficient.

Stay with us for more information on this game-changing feature in the next section.

Introducing What’s Next: Black Kite Bridge™

For years, Black Kite has led the way in helping TPRM professionals turn cybersecurity threats into actionable risk intelligence. Now, we’re about to take things to the next level.

Imagine being able to close the gap between risk intelligence and action, streamlining vendor collaboration, communication, and remediation tracking—without relying on traditional, manual methods. That’s the vision behind Black Kite Bridge™.

Launching soon, this innovative feature will empower organizations to identify, share, and track vendor risks in near-real time, turning risk management into a seamless, proactive process. Stay tuned for more details, and prepare to elevate your TPRM capabilities.

About Focus Friday

Every week, we delve into the realms of critical vulnerabilities and their implications from a Third-Party Risk Management (TPRM) perspective. This series is dedicated to shedding light on pressing cybersecurity threats, offering in-depth analyses, and providing actionable insights.

FocusTags™ in the Last 30 Days:

  • PAN-OS Cleartext: CVE-2024-8687, Cleartext Exposure Security Flaw in PAN-OS, GlobalProtect, Prisma Access
  • FileCatalyst Workflow: CVE-2024-6633, CVE-2024-6632, Insecure Default Configuration and SQL Injection Vulnerability in Fortra FileCatalyst Workflow
  • WPML: CVE-2024-6386, Critical Remote Code Execution Vulnerability via Twig Server-Side Template Injection in WPML Plugin
  • SonicWall Firewalls: CVE-2024-40766, Critical Improper Access Control Vulnerability in SonicWall Firewalls
  • Dahua IP Camera: CVE-2021-33045, CVE-2021-33044, Critical Authentication Bypass Vulnerabilities in Dahua IP Camera Systems
  • Microsoft Privilege Escalation Vulnerability: CVE-2024-38193, CVE-2024-38106, CVE-2024-38107, Critical Privilege Escalation Vulnerabilities in Microsoft Windows
  • SolarWinds WHD: CVE-2024-28986, Critical Remote Code Execution Vulnerability in SolarWinds Web Help Desk
  • Zimbra LFI: CVE-2024-33535, Local File Inclusion Vulnerability in Zimbra Collaboration Suite
  • Exchange Server RCE: CVE-2021-31196, CVE-2021-34473, Remote Code Execution Vulnerabilities in Microsoft Exchange Server
  • Zabbix: CVE-2024-22116, Critical Remote Code Execution Vulnerability in Zabbix Monitoring Solution
  • Jenkins ClassLoaderProxy: CVE-2024-43044, Arbitrary File Read and Remote Code Execution Vulnerability in Jenkins ClassLoaderProxy
  • Dahua NVR4: CVE-2024-39944, CVE-2024-39948, and CVE-2024-39949, Remote Code Execution, Authentication Bypass, and Improper Access Control Vulnerabilities in Dahua NVR4 Devices
  • VMware ESXi: CVE-2024-37085, Authentication Bypass Vulnerability in VMware ESXi, VMware Cloud Foundation
