CVE-2016-9150 Buffer Overflow in the Management Web Interface

Palo Alto Networks Security Advisories / CVE-2016-9150

CVE-2016-9150 Buffer Overflow in the Management Web Interface

Severity 9.8 · CRITICAL

Attack Vector NETWORK

Scope UNCHANGED

Attack Complexity LOW

Confidentiality Impact HIGH

Privileges Required NONE

Integrity Impact HIGH

User Interaction NONE

Availability Impact HIGH

NVD JSON

Published 2016-11-17

Updated

Reference PAN-63073 and 102953 PAN-SA-2016-0035

Description

Palo Alto Networks web management server improperly handles a buffer overflow. This can result in a possible remote code execution (RCE). (Ref # PAN-63073/102953/CVE-2016-9150)

An attacker with network access to the management web interface may be able to perform a remote code execution (RCE) or denial-of-service (DoS).

This issue affects PAN-OS 5.0.19 and earlier; PAN-OS 5.1.12 and earlier; PAN-OS 6.0.14 and earlier; PAN-OS 6.1.14 and earlier; PAN-OS 7.0.10 and earlier; PAN-OS 7.1.5 and earlier

Product Status

Versions	Affected	Unaffected
PAN-OS 7.1	<= 7.1.5	>= 7.1.6
PAN-OS 7.0	<= 7.0.10	>= 7.0.11
PAN-OS 6.1	<= 6.1.14	>= 6.1.15
PAN-OS 6.0	<= 6.0.14	>= 6.0.15
PAN-OS 5.1	<= 5.1.12	>= 5.1.13
PAN-OS 5.0	<= 5.0.19	>= 5.0.20

Severity: CRITICAL

CVSSv3.0 Base Score: 9.8 (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)

Weakness Type

CWE-119 Improper Restriction of Operations within the Bounds of a Memory Buffer

Solution

PAN-OS 5.0.20 and later; PAN-OS 5.1.13 and later; PAN-OS 6.0.15 and later; PAN-OS 6.1.15 and later; PAN-OS 7.0.11 and later; PAN-OS 7.1.6 and later

Workarounds and Mitigations

Palo Alto Networks recommends to implement best practice by allowing web interface access only to a dedicated management network. Additionally, restrict the set of IP addresses to a subset of authorized sources that you allow to interact with the management network.

Acknowledgments

Palo Alto Networks would like to thank Tavis Ormandy from the Google Security Team for reporting this issue to us.