
CVE-2019-1575 Information Disclosure in PAN-OS Management API Usage


Severity: 8.8 · HIGH
Attack Vector: NETWORK
Attack Complexity: LOW
Privileges Required: LOW
User Interaction: NONE
Scope: UNCHANGED
Confidentiality Impact: HIGH
Integrity Impact: HIGH
Availability Impact: HIGH
Published: 2019-07-15
Updated: 2019-07-15
Ref#: PAN-107239 and PAN-118869 (PAN-SA-2019-0019)

Description

An Information Disclosure vulnerability exists in PAN-OS Management API usage (Ref# PAN-107239 and PAN-118869 / CVE-2019-1575).

Successful exploitation may allow for an authenticated user with read-only privileges to extract the API key of the device and the username/password from the XML API (in PAN-OS) and possibly escalate privileges granted to them.

This issue affects PAN-OS 7.1.23 and earlier, PAN-OS 8.0.18 and earlier, PAN-OS 8.1.8-h4 and earlier, and PAN-OS 9.0.2 and earlier.

Product Status

PAN-OS

Versions  Affected      Unaffected
7.1       <= 7.1.23     >= 7.1.24
8.0       <= 8.0.18     >= 8.0.19
8.1       <= 8.1.8-h4   >= 8.1.8
9.0       <= 9.0.2      >= 9.0.2

Severity: HIGH

CVSSv3.1 Base Score: 8.8 (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H)

Solution

This issue is fixed in PAN-OS 7.1.24 and later, PAN-OS 8.0.19 and later, PAN-OS 8.1.8-h5 and later, and PAN-OS 9.0.2-h4 and later.
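As an added example (not part of this advisory and not Palo Alto Networks' own tooling), the following Python snippet turns the fixed releases listed in the Solution above into a check a defender can run over a firewall inventory to find devices still below the fixed version for their release train. It assumes PAN-OS versions are written as major.minor.maintenance with an optional -hN hotfix suffix, that a release without a suffix sorts below its hotfixes, and that the Solution's fixed releases are the thresholds; the hostnames and versions in the sample inventory are constructed.

```python
import re
from typing import Dict, List, Optional, Tuple

# Fixed releases from the Solution section of PAN-SA-2019-0019 (CVE-2019-1575),
# keyed by (major, minor) release train. Trains not listed here are reported as unknown.
FIXED_VERSIONS = {
    (7, 1): "7.1.24",
    (8, 0): "8.0.19",
    (8, 1): "8.1.8-h5",
    (9, 0): "9.0.2-h4",
}

# Assumed version format: major.minor.maintenance with an optional "-hN" hotfix suffix.
_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:-h(\d+))?$")


def parse_version(version: str) -> Tuple[int, int, int, int]:
    """Parse a PAN-OS version string such as '8.1.8-h4' into a comparable tuple.

    A release with no hotfix suffix is treated as hotfix 0, so '8.1.8' < '8.1.8-h4'.
    """
    match = _VERSION_RE.match(version.strip())
    if not match:
        raise ValueError(f"unrecognised PAN-OS version string: {version!r}")
    major, minor, maint, hotfix = match.groups()
    return (int(major), int(minor), int(maint), int(hotfix or 0))


def is_affected(version: str) -> Optional[bool]:
    """Return True if the version is below the fixed release for its train,
    False if it is at or above the fixed release, and None if the train is
    not covered by the advisory."""
    parsed = parse_version(version)
    fixed = FIXED_VERSIONS.get(parsed[:2])
    if fixed is None:
        return None
    return parsed < parse_version(fixed)


def triage(inventory: List[Tuple[str, str]]) -> Dict[str, List[str]]:
    """Bucket (hostname, version) pairs into affected / fixed / unknown,
    each bucket sorted by hostname for stable reporting."""
    buckets: Dict[str, List[str]] = {"affected": [], "fixed": [], "unknown": []}
    for hostname, version in inventory:
        status = is_affected(version)
        if status is None:
            buckets["unknown"].append(hostname)
        elif status:
            buckets["affected"].append(hostname)
        else:
            buckets["fixed"].append(hostname)
    for names in buckets.values():
        names.sort()
    return buckets


# Constructed sample inventory (hostnames and versions are made up for illustration).
SAMPLE_INVENTORY = [
    ("fw-edge-01", "8.1.8-h4"),   # last affected 8.1 release
    ("fw-edge-02", "8.1.8-h5"),   # first fixed 8.1 release
    ("fw-dc-01", "9.0.2"),        # below 9.0.2-h4, still affected
    ("fw-lab-01", "7.1.24"),      # fixed 7.1 release
    ("fw-branch-07", "9.1.0"),    # train not listed in the advisory
]

if __name__ == "__main__":
    for bucket, hosts in triage(SAMPLE_INVENTORY).items():
        print(f"{bucket:>8}: {', '.join(hosts) or '-'}")
```

The hotfix-aware comparison is the part worth keeping: a naive string or three-part numeric comparison would wrongly report 8.1.8-h4 and 8.1.8-h5 as the same version, which is exactly the boundary this advisory draws.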

Workarounds and Mitigations

Please see the detailed FAQ here: https://live.paloaltonetworks.com/t5/Customer-Advisories/Palo-Alto-Networks-Security-Advisory-PAN-SA-2019-0019/ta-p/276661.

Acknowledgements

  • Palo Alto Networks would like to thank Bartłomiej Stasiek of ING Tech Poland, Ruben Jacobi of ON2IT Group, Michael E. Davis - University of Arkansas, and Alycia N. Carey - University of Arkansas for reporting this issue.
© 2020 Palo Alto Networks, Inc. All rights reserved.