Palo Alto Networks Security Advisories / CVE-2016-3655

CVE-2016-3655 Unauthenticated Command Injection in Management Web Interface

047910
Severity 9.8 · CRITICAL
Attack Vector NETWORK
Attack Complexity LOW
Privileges Required NONE
User Interaction NONE
Scope UNCHANGED
Confidentiality Impact HIGH
Integrity Impact HIGH
Availability Impact HIGH

Description

Palo Alto Networks PAN-OS implements an API to enable programmatic device configuration and administration of the device. An issue was identified where the management API incorrectly parses input to a specific API call, leading to execution of arbitrary OS commands without authentication via the management interface. (Ref. #89717) (CVE-2016-3655)

This issue can be exploited remotely by an unauthenticated user with network access to the device management web-based API

This issue affects PAN-OS releases 5.0.17 and prior; 6.0.12 and prior; 6.1.9 and prior; 7.0.4 and prior

Product Status

VersionsAffectedUnaffected
PAN-OS 7.0<= 7.0.4>= 7.0.5
PAN-OS 6.1<= 6.1.9>= 6.1.10
PAN-OS 6.0<= 6.0.12>= 6.0.13
PAN-OS 5.0<= 5.0.17>= 5.0.18

Severity: CRITICAL

CVSSv3.1 Base Score: 9.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)

Weakness Type

CWE-20 Improper Input Validation

Solution

PAN-OS releases 5.0.18 and newer; 6.0.13 and newer; 6.1.10 and newer; 7.0.5 and newer

Workarounds and Mitigations

Emergency content update 563 contains an IPS signature (#38904) that can be used as an interim mitigation to protect PAN-OS devices until the device software is upgraded. Note that signatures 38904 must be applied to a firewall rule securing traffic destined for the device management web interface, and decryption must be applied. This issue is further mitigated by following security appliance management best practices, requiring that network access to the management interfaces be isolated and strictly limited only to security administration personnel.

Acknowledgments

Felix Wilhelm, ERNW Research
© 2020 Palo Alto Networks, Inc. All rights reserved.