Palo Alto Networks Security Advisories / CVE-2017-15944

CVE-2017-15944 Vulnerability in PAN-OS and Panorama on Management Interface

047910
Severity 9.8 · CRITICAL
Attack Vector NETWORK
Attack Complexity LOW
Privileges Required NONE
User Interaction NONE
Scope UNCHANGED
Confidentiality Impact HIGH
Integrity Impact HIGH
Availability Impact HIGH

Description

Through the exploitation of a combination of unrelated vulnerabilities, and via the management interface of the device, an attacker could remotely execute code on PAN-OS or Panorama in the context of the highest privileged user. (Ref # PAN-61094 / PAN-80990 / PAN-80993 / PAN-80994 / CVE-2017-15944)

PAN-OS and Panorama contains multiple vulnerabilities that, when exploited in conjunction could lead to remote code execution prior to authentication.

This issue affects PAN-OS 6.1.18 and earlier, PAN-OS 7.0.18 and earlier, and PAN-OS 7.1.13 and earlier.

Product Status

PAN-OS

VersionsAffectedUnaffected
8.0>= 8.0.6,>= 8.0
7.1<= 7.1.13>= 7.1.14
7.0<= 7.0.18>= 7.0.19
6.1<= 6.1.18>= 6.1.19

Severity: CRITICAL

CVSSv3.1 Base Score: 9.8 (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)

Weakness Type

Solution

PAN-OS 6.1.19 and later, PAN-OS 7.0.19 and later, PAN-OS 7.1.14 and later. An update in PAN-OS 8.0.6 also includes patches related to this vulnerability, however PAN-OS 8.0 is not remotely exploitable by an unauthenticated user using this vulnerability.

Workarounds and Mitigations

Palo Alto Networks has released content update 756 including vulnerability signatures #40483 and #40484 that can be used as an interim mitigation to protect PAN-OS devices until the device software is upgraded. Note that signatures 40483 and 40484 must be applied to a firewall rule securing traffic destined for the Management interface. This issue affects the management interface of the device and is strongly mitigated by following best practices for the isolation of management interfaces for security appliances. We recommend that the management interface be isolated and strictly limited only to security administration personnel through either network segmentation or using the IP access control list restriction feature within PAN-OS. An alternative mitigation includes the use of a Panorama central manager and disabling of http and https management on each of the vulnerable appliance, then use the Panorama context switching feature to remotely access the web interface of the device.

Acknowledgments

Palo Alto Networks would like to thank Philip Pettersson for reporting this issue
© 2020 Palo Alto Networks, Inc. All rights reserved.