Palo Alto Networks Security Advisories / CVE-2016-9150

CVE-2016-9150 Buffer Overflow in the Management Web Interface

047910
Severity 9.8 · CRITICAL
Attack Vector NETWORK
Attack Complexity LOW
Privileges Required NONE
User Interaction NONE
Scope UNCHANGED
Confidentiality Impact HIGH
Integrity Impact HIGH
Availability Impact HIGH

Description

Palo Alto Networks web management server improperly handles a buffer overflow. This can result in a possible remote code execution (RCE). (Ref # PAN-63073/102953/CVE-2016-9150)

An attacker with network access to the management web interface may be able to perform a remote code execution (RCE) or denial-of-service (DoS).

This issue affects PAN-OS 5.0.19 and earlier; PAN-OS 5.1.12 and earlier; PAN-OS 6.0.14 and earlier; PAN-OS 6.1.14 and earlier; PAN-OS 7.0.10 and earlier; PAN-OS 7.1.5 and earlier

Product Status

VersionsAffectedUnaffected
PAN-OS 7.1<= 7.1.5>= 7.1.6
PAN-OS 7.0<= 7.0.10>= 7.0.11
PAN-OS 6.1<= 6.1.14>= 6.1.15
PAN-OS 6.0<= 6.0.14>= 6.0.15
PAN-OS 5.1<= 5.1.12>= 5.1.13
PAN-OS 5.0<= 5.0.19>= 5.0.20

Severity: CRITICAL

CVSSv3.1 Base Score: 9.8 (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)

Weakness Type

CWE-119 Improper Restriction of Operations within the Bounds of a Memory Buffer

Solution

PAN-OS 5.0.20 and later; PAN-OS 5.1.13 and later; PAN-OS 6.0.15 and later; PAN-OS 6.1.15 and later; PAN-OS 7.0.11 and later; PAN-OS 7.1.6 and later

Workarounds and Mitigations

Palo Alto Networks recommends to implement best practice by allowing web interface access only to a dedicated management network. Additionally, restrict the set of IP addresses to a subset of authorized sources that you allow to interact with the management network.

Acknowledgments

Palo Alto Networks would like to thank Tavis Ormandy from the Google Security Team for reporting this issue to us.
© 2020 Palo Alto Networks, Inc. All rights reserved.