Palo Alto Networks Security Advisories / CVE-2016-3656

CVE-2016-3656 Unauthenticated Stack Exhaustion in GlobalProtect/SSL VPN Web Interface

047910
Severity 7.5 · HIGH
Attack Vector NETWORK
Attack Complexity LOW
Privileges Required NONE
User Interaction NONE
Scope UNCHANGED
Confidentiality Impact NONE
Integrity Impact NONE
Availability Impact HIGH

Description

When a PAN-OS device is configured as a GlobalProtect web portal, a specially crafted request to the portal could result in a crash of the service. (Ref. #89750) (CVE-2016-3656)

This issue can be exploited remotely by an attacker with network access to the GlobalProtect portal in order to cause a denial-of-service (DoS) via a service crash.

This issue affects PAN-OS releases 5.0.17 and prior; 6.0.12 and prior; 6.1.9 and prior; 7.0.5 and prior

Product Status

VersionsAffectedUnaffected
PAN-OS 7.0<= 7.0.5>= 7.0.5H2
PAN-OS 6.1<= 6.1.9>= 6.1.10
PAN-OS 6.0<= 6.0.12>= 6.0.13
PAN-OS 5.0<= 5.0.17>= 5.0.18

Severity: HIGH

CVSSv3.1 Base Score: 7.5 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)

Weakness Type

CWE-119 Improper Restriction of Operations within the Bounds of a Memory Buffer

Solution

PAN-OS releases 5.0.18 and newer; 6.0.13 and newer; 6.1.10 and newer; 7.0.5H2 and newer

Workarounds and Mitigations

Emergency content update 563 contains an IPS signature (#38903) that can be used as an interim mitigation to protect PAN-OS devices until the device software is upgraded. Note that signatures 38903 must be applied to a firewall rule securing traffic destined for the GlobalProtect portal. The GlobalProtect portal should only be present once per installation, limiting the organization’s exposure to this issue. This issue can be further mitigated by disabling the affected optional “login page” in the GlobalProtect portal configuration, and distribution of the client side software may be performed through alternative means such as GPO or network share while the PAN-OS patch is applied.

Acknowledgments

Felix Wilhelm, ERNW Research
© 2020 Palo Alto Networks, Inc. All rights reserved.