Palo Alto Networks Security Advisories / CVE-2017-15943

CVE-2017-15943 Server-Side Request Forgery in PAN-OS

047910
Severity 5.3 · MEDIUM
Attack Vector NETWORK
Attack Complexity LOW
Privileges Required NONE
User Interaction NONE
Scope UNCHANGED
Confidentiality Impact LOW
Integrity Impact NONE
Availability Impact NONE

Description

A vulnerability exists in the PAN-OS web interface in the configuration file import for applications, spyware and vulnerability objects. Exploitation of this vulnerability allows for the parsing of external entities and could lead a PAN-OS device to connect to and disclose limited information to the attacker's server. (Ref # PAN-80452 / CVE-2017-15943)

PAN-OS contains a vulnerability that may allow for an attacker to perform Server-Side Request Forgery. Successful exploitation of this issue may allow an attacker to disclose limited information to an attacker's server.

This issue affects PAN-OS 6.1.18 and earlier, PAN-OS 7.0.18 and earlier, PAN-OS 7.1.13 and earlier

Product Status

VersionsAffectedUnaffected
PAN-OS 7.1<= 7.1.13>= 7.1.14
PAN-OS 7.0<= 7.0.18>= 7.0.19
PAN-OS 6.1<= 6.1.18>= 6.1.19

Severity: MEDIUM

CVSSv3.1 Base Score: 5.3 (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N)

Weakness Type

CWE-918 Server-Side Request Forgery (SSRF)

Solution

PAN-OS 6.1.19 and later, PAN-OS 7.0.19 and later, PAN-OS 7.1.14 and later

Workarounds and Mitigations

This issue affects the management interface of the device and is strongly mitigated by following best practices for the isolation of management interfaces for security appliances. We recommend that the management interface be isolated and strictly limited only to security administration personnel through either network segmentation or using the IP access control list restriction feature within PAN-OS.

Acknowledgments

Palo Alto Networks would like to thank Ekzhin Ear from NATO for reporting this issue
© 2020 Palo Alto Networks, Inc. All rights reserved.