CVE-2015-7547 Glibc DNS Resolver Vulnerability
A vulnerability in the GNU libc (glibc) DNS resolver allows remote code execution (CVE-2015-7547). However, this issue can be exploited only from a DNS server that is under the control of an attacker. (Ref # 91886).
This glibc issue is only exploitable by an attacker controlling the DNS server configured for the device. Furthermore, the attacker must overcome additional anti-exploitation mitigations, such as ASLR, to mount a successful attack.
This issue affects PAN-OS 5.0.19 and earlier; PAN-OS 5.1.12 and earlier; PAN-OS 6.0.14 and earlier; PAN-OS 6.1.12 and earlier; PAN-OS 7.0.7 and earlier; PAN-OS 7.1.3 and earlier
|PAN-OS 7.1||<= 7.1.3||>= 7.1.4|
|PAN-OS 7.0||<= 7.0.7||>= 7.0.8|
|PAN-OS 6.1||<= 6.1.12||>= 6.1.13|
|PAN-OS 6.0||<= 6.0.14||>= 6.0.15|
|PAN-OS 5.1||<= 5.1.12||>= 5.1.13|
|PAN-OS 5.0||<= 5.0.19||>= 5.0.20|
CVSSv3.1 Base Score:8.1 (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H)
CWE-119 Improper Restriction of Operations within the Bounds of a Memory Buffer
PAN-OS 5.0.20 and later; PAN-OS 5.1.13 and later; PAN-OS 6.0.15 and later; PAN-OS 6.1.13 and later; PAN-OS 7.0.8 and later; PAN-OS 7.1.4 and later
Workarounds and Mitigations
This vulnerability can affect PAN-OS software only when the device is configured with a DNS server that is under the control of an attacker. Palo Alto Networks discourages configuring the device with untrusted DNS servers.