Get supportSecurity advisories
Subscriptions
Report vulnerabilities
Palo Alto Networks Security Advisories / CVE-2016-4971

CVE-2016-4971 WGET Vulnerability


Severity 8.8 · HIGH
Attack Vector NETWORK
Attack Complexity LOW
Privileges Required NONE
User Interaction REQUIRED
Scope UNCHANGED
Confidentiality Impact HIGH
Integrity Impact HIGH
Availability Impact HIGH
NVD JSON
Published: 2017-05-23
Updated: 2017-05-23
Ref#: PAN-59677 and 2016-4971 PAN-SA-2017-0016

Description

The wget library has been found to contain a vulnerability (CVE 2016-4971). wget allows remote servers to write to arbitrary files by redirecting a request from HTTP to a crafted FTP resource. Palo Alto Networks software makes use of the vulnerable library and may be affected. (Ref # PAN-59677/ CVE 2016-4971)

Successfully exploiting this issue would require an attacker to be authenticated on the Management Interface.

This issue affects PAN-OS 6.1.16 and earlier, PAN-OS 7.0.14 and earlier, PAN-OS 7.1.9 and earlier, PAN-OS 8.0

Product Status

PAN-OS

VersionsAffectedUnaffected
6.1<= 6.1.16>= 6.1.17
7.0<= 7.0.14>= 7.0.15
7.1<= 7.1.9>= 7.1.10
8.0>= 8.0.1

Severity: HIGH

CVSSv3.1 Base Score: 8.8 ( CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H )

Solution

PAN-OS 6.1.17 and later, PAN-OS 7.0.15 and later, PAN-OS 7.1.10 and later, PAN-OS 8.0.1 and later

Workarounds and Mitigations

Palo Alto Networks recommends to implement best practice by allowing web interface access only to a dedicated management network. Additionally, restrict the set of IP addresses to a subset of authorized sources that you allow to interact with the management network.

© 2020 Palo Alto Networks, Inc. All rights reserved.