Palo Alto Networks Security Advisories / CVE-2016-4971

CVE-2016-4971 WGET Vulnerability

Severity 8.8 · HIGH
Attack Vector NETWORK
Attack Complexity LOW
Privileges Required NONE
User Interaction REQUIRED
Scope UNCHANGED
Confidentiality Impact HIGH
Integrity Impact HIGH
Availability Impact HIGH

Description

GNU wget before 1.18 contains a vulnerability (CVE-2016-4971): when a server redirects an HTTP request to a crafted FTP resource, wget takes the local file name from the FTP URL rather than from the URL originally requested, which allows a remote server to write to arbitrary files in the download directory. Palo Alto Networks software makes use of the vulnerable wget and may be affected. (Ref # PAN-59677 / CVE-2016-4971)

Successfully exploiting this issue requires an attacker who is authenticated on the Management Interface; in addition, the resource being fetched must be served from, or redirected to, a server under the attacker's control.

This issue affects PAN-OS 6.1.16 and earlier, PAN-OS 7.0.14 and earlier, PAN-OS 7.1.9 and earlier, and PAN-OS 8.0.0.

Product Status

Versions      Affected     Unaffected
PAN-OS 8.0    8.0.0        >= 8.0.1
PAN-OS 7.1    <= 7.1.9     >= 7.1.10
PAN-OS 7.0    <= 7.0.14    >= 7.0.15
PAN-OS 6.1    <= 6.1.16    >= 6.1.17
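The following Python script is an added example, not code from Palo Alto Networks or from the wget project. It models the file-naming behaviour described above (the name taken from the final FTP URL before wget 1.18, from the originally requested URL afterwards unless --trust-server-names is given) and turns the Product Status table into a version check. The redirect chain, host addresses and function names are constructed for illustration.

```python
"""Model of the CVE-2016-4971 file-naming behaviour, plus version checks.

This is an illustrative model of wget's behaviour, not wget's own code.
"""
import posixpath
import re
from urllib.parse import urlsplit

# --- 1. How an HTTP -> FTP redirect decides the local file name -----------

def basename_of(url: str) -> str:
    """Last path segment of a URL, i.e. the name written into the current
    directory ("index.html" when the path is empty or ends in "/")."""
    name = posixpath.basename(urlsplit(url).path)
    return name or "index.html"

def follow_redirects(start_url: str, redirects: dict) -> list:
    """Walk a constructed redirect map {url: Location header} and return the
    chain of URLs visited, starting with start_url."""
    chain = [start_url]
    while chain[-1] in redirects:
        chain.append(redirects[chain[-1]])
    return chain

def local_name_pre_1_18(chain: list) -> str:
    """wget < 1.18: the name comes from the final URL even after an
    HTTP -> FTP redirect, so the remote server chooses the file name."""
    return basename_of(chain[-1])

def local_name_1_18(chain: list, trust_server_names: bool = False) -> str:
    """wget >= 1.18: on a redirect to FTP the name comes from the URL the
    user asked for, unless --trust-server-names re-enables the old behaviour."""
    final = chain[-1]
    if urlsplit(final).scheme == "ftp" and not trust_server_names:
        return basename_of(chain[0])
    return basename_of(final)

# Constructed scenario: a plausible HTTP download that a malicious server
# redirects to an FTP file named after a shell start-up file. The hosts are
# documentation addresses, not real servers.
ORIGINAL_URL = "http://updates.example.com/content/update.tgz"
REDIRECTS = {
    ORIGINAL_URL: "http://203.0.113.5/hop",
    "http://203.0.113.5/hop": "ftp://203.0.113.5/.bash_profile",
}

# --- 2. Version checks -----------------------------------------------------

def _vtuple(version: str) -> tuple:
    """'7.1.10' -> (7, 1, 10), so that versions compare numerically."""
    return tuple(int(x) for x in re.findall(r"\d+", version))

def wget_is_vulnerable(version_banner: str) -> bool:
    """True if the first line of `wget --version` names a release before
    1.18, the first release carrying the fix for CVE-2016-4971."""
    m = re.search(r"Wget\s+(\d+(?:\.\d+)*)", version_banner)
    if not m:
        raise ValueError("not a wget version banner")
    return _vtuple(m.group(1)) < (1, 18)

# First fixed PAN-OS release per train, from the advisory's Product Status table.
PAN_OS_FIXED = {"6.1": "6.1.17", "7.0": "7.0.15", "7.1": "7.1.10", "8.0": "8.0.1"}

def pan_os_is_affected(version: str) -> bool:
    """True if a PAN-OS version is below the first fixed release of its train.
    Trains the advisory does not list raise rather than guessing."""
    train = ".".join(version.split(".")[:2])
    if train not in PAN_OS_FIXED:
        raise ValueError(f"PAN-OS {train} is not covered by this advisory")
    return _vtuple(version) < _vtuple(PAN_OS_FIXED[train])

if __name__ == "__main__":
    chain = follow_redirects(ORIGINAL_URL, REDIRECTS)
    print("redirect chain:          ", " -> ".join(chain))
    print("wget < 1.18 writes:      ", local_name_pre_1_18(chain))
    print("wget >= 1.18 writes:     ", local_name_1_18(chain))
    print("with --trust-server-names:", local_name_1_18(chain, True))
    print("PAN-OS 7.1.9 affected:   ", pan_os_is_affected("7.1.9"))
```

The point of the model is that the attacker never needs path traversal: wget only ever writes the last path segment into the working directory, but a start-up file such as `.bash_profile` dropped there is enough for code execution the next time that shell is opened. The version helpers are there to check a standalone wget binary (`wget --version`) and a PAN-OS release against the table above; they do not replace verifying the PAN-OS build itself.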

Severity: HIGH

CVSSv3.0 Base Score: 8.8 (CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H)

Note that the published vector scores Privileges Required as None, although the description above states that exploitation requires authentication on the Management Interface.

Weakness Type

CWE-254: 7PK - Security Features

Solution

This issue is fixed in PAN-OS 6.1.17 and later, PAN-OS 7.0.15 and later, PAN-OS 7.1.10 and later, and PAN-OS 8.0.1 and later.

Workarounds and Mitigations

Palo Alto Networks recommends following best practice by allowing web interface access only from a dedicated management network. Additionally, restrict the set of source IP addresses permitted to interact with the management interface to authorized hosts only.

© 2020 Palo Alto Networks, Inc. All rights reserved.