CVE-2016-5195 Kernel Vulnerability
A vulnerability exists in the kernel of PAN-OS that may result in an elevation of privilege. This issue is publicly known as Dirty COW (ref # PAN-68074 / CVE-2016-5195).
PAN-OS may be impacted by the Dirty COW (CVE-2016-5195) attack. A race condition was found in the way the Linux kernel's memory subsystem handles the copy-on-write breakage of private read-only memory mappings. An attacker would first require access to a shell on the device before they could use this exploit. Shell access is significantly restricted on the device. The Command Line Interface (CLI) is not shell access and therefore this issue cannot be exploited by the CLI.
This issue affects PAN-OS 5.1, PAN-OS 6.0, PAN-OS 6.1, PAN-OS 7.0.13, PAN-OS 7.1.7 and earlier
|PAN-OS 7.1||<= 7.1.7||>= 7.1.8|
|PAN-OS 7.0||<= 7.0.13||>= 7.0.14|
CVSSv3.1 Base Score:7.8 (CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H)
CWE-362 Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition')
PAN-OS 7.0.14 and later, PAN-OS 7.1.8 and later
Workarounds and Mitigations
Palo Alto Networks recommends to implement best practice by allowing web interface access only to a dedicated management network. Additionally, restrict the set of IP addresses to a subset of authorized sources that you allow to interact with the management network.