Palo Alto Networks Security Advisories / CVE-2016-5195

CVE-2016-5195 Kernel Vulnerability

Severity: 7.8 · HIGH
Attack Vector: LOCAL
Attack Complexity: LOW
Privileges Required: LOW
User Interaction: NONE
Scope: UNCHANGED
Confidentiality Impact: HIGH
Integrity Impact: HIGH
Availability Impact: HIGH

Description

A vulnerability exists in the kernel of PAN-OS that may result in an elevation of privilege. This issue is publicly known as Dirty COW (ref # PAN-68074 / CVE-2016-5195).

PAN-OS may be impacted by the Dirty COW (CVE-2016-5195) attack. A race condition was found in the way the Linux kernel's memory subsystem handles the copy-on-write breakage of private read-only memory mappings. An attacker would first require access to a shell on the device before they could use this exploit. Shell access is significantly restricted on the device. The Command Line Interface (CLI) is not shell access and therefore this issue cannot be exploited by the CLI.

This issue affects all versions of PAN-OS 5.1, PAN-OS 6.0 and PAN-OS 6.1, PAN-OS 7.0.13 and earlier, and PAN-OS 7.1.7 and earlier.

Product Status

Versions      Affected     Unaffected
PAN-OS 7.1    <= 7.1.7     >= 7.1.8
PAN-OS 7.0    <= 7.0.13    >= 7.0.14
PAN-OS 6.1    6.1.*
PAN-OS 6.0    6.0.*
PAN-OS 5.1    5.1.*

Severity: HIGH

CVSSv3.1 Base Score: 7.8 (CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H)

Weakness Type

CWE-362 Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition')

Solution

PAN-OS 7.0.14 and later, PAN-OS 7.1.8 and later
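
For fleet triage, the affected and fixed ranges above can be applied to an inventory of devices. The following is an added example, not Palo Alto Networks code; the "hostname version" input format, the function names and the sample hosts are assumptions, and a hotfix build such as 7.1.7-h2 is assumed to compare by its base maintenance number.

```python
import re

# Ranges transcribed from this advisory's Product Status table.
# None means every release in that train is listed as affected (e.g. 6.1.*).
LAST_AFFECTED = {
    (5, 1): None, (6, 0): None, (6, 1): None,
    (7, 0): 13,  # <= 7.0.13 affected, >= 7.0.14 unaffected
    (7, 1): 7,   # <= 7.1.7 affected, >= 7.1.8 unaffected
}

# major.minor.maintenance with an optional hotfix suffix such as "-h2"
VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:-h\d+)?$")


def classify(version):
    """Return 'affected', 'unaffected', 'not-listed' or 'unparseable'."""
    m = VERSION_RE.match(version.strip())
    if not m:
        return "unparseable"
    major, minor, maint = (int(g) for g in m.groups())
    if (major, minor) not in LAST_AFFECTED:
        # The advisory makes no statement about this release train.
        return "not-listed"
    last = LAST_AFFECTED[(major, minor)]
    if last is None or maint <= last:
        return "affected"
    return "unaffected"


def triage(inventory_text):
    """Map hostname -> status for lines of the form 'hostname version'."""
    results = {}
    for line in inventory_text.splitlines():
        fields = line.split("#", 1)[0].split()  # drop comments and blanks
        if not fields:
            continue
        results[fields[0]] = classify(fields[1]) if len(fields) == 2 else "unparseable"
    return results


# Constructed sample inventory (hostnames and versions are made up).
SAMPLE = """\
fw-edge-01 7.1.7
fw-edge-02 7.1.8
fw-dc-01   7.0.13-h1
fw-lab-01  6.1.4
fw-new-01  8.0.2
"""

if __name__ == "__main__":
    for host, status in triage(SAMPLE).items():
        print(f"{host:12} {status}")
```

Devices reported as "not-listed" run a release train this advisory does not mention and need a separate check.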

Workarounds and Mitigations

Palo Alto Networks recommends implementing the best practice of allowing web interface access only to a dedicated management network. Additionally, restrict the IP addresses allowed to interact with the management network to a subset of authorized sources.
