CVE-2019-1575 Information Disclosure in PAN-OS Management API Usage

Severity: 8.8 · HIGH
Attack Vector: NETWORK
Attack Complexity: LOW
Privileges Required: LOW
User Interaction: NONE
Scope: UNCHANGED
Confidentiality Impact: HIGH
Integrity Impact: HIGH
Availability Impact: HIGH

Description

An Information Disclosure vulnerability exists in PAN-OS Management API usage (Ref # PAN-107239 and PAN-118869 / CVE-2019-1575).

Successful exploitation may allow an authenticated user with read-only privileges to extract the API key of the device and the username/password from the XML API (in PAN-OS) and possibly escalate the privileges granted to them.

This issue affects PAN-OS 7.1.23 and earlier, PAN-OS 8.0.18 and earlier, PAN-OS 8.1.8-h4 and earlier, and PAN-OS 9.0.2 and earlier.

Product Status

PAN-OS

Versions    Affected       Unaffected
9.0         <= 9.0.2       >= 9.0.2
8.1         <= 8.1.8-h4    >= 8.1.8
8.0         <= 8.0.18      >= 8.0.19
7.1         <= 7.1.23      >= 7.1.24

Severity: HIGH

CVSSv3.1 Base Score: 8.8 (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H)

Solution

This issue is fixed in PAN-OS 7.1.24 and later, PAN-OS 8.0.19 and later, PAN-OS 8.1.8-h5 and later, and PAN-OS 9.0.2-h4 and later.
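
As an added example (not part of the original advisory and not Palo Alto Networks code), the following Python triages an inventory of PAN-OS version strings against the fixed releases named in the Solution section. It assumes hotfix builds (`-hN`) sort after their base maintenance release and before the next one; the hostnames and inventory are constructed sample data.

```python
import re

# First fixed release per maintenance train, taken from the Solution section.
FIXED = {"7.1": "7.1.24", "8.0": "8.0.19", "8.1": "8.1.8-h5", "9.0": "9.0.2-h4"}

# major.minor.maintenance with an optional hotfix suffix, e.g. 8.1.8-h4
_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:-h(\d+))?$")


def parse_version(text):
    """Return (major, minor, maintenance, hotfix); hotfix is 0 when absent."""
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognized PAN-OS version: {text!r}")
    major, minor, maint, hotfix = m.groups()
    return int(major), int(minor), int(maint), int(hotfix or 0)


def triage(version):
    """Classify a version as 'affected', 'fixed' or 'not-listed'."""
    parsed = parse_version(version)
    fixed = FIXED.get(f"{parsed[0]}.{parsed[1]}")
    if fixed is None:
        return "not-listed"  # the advisory says nothing about this train
    # Assumption: 8.1.8 < 8.1.8-h4 < 8.1.8-h5 < 8.1.9 (tuple ordering).
    return "affected" if parsed < parse_version(fixed) else "fixed"


# Constructed inventory: hostnames and versions are sample data.
INVENTORY = {
    "fw-edge-01": "8.1.8-h4",
    "fw-edge-02": "8.1.8-h5",
    "fw-core-01": "9.0.2",
    "fw-lab-01": "7.1.24",
    "fw-lab-02": "10.0.1",
}


def report(inventory):
    """Map each host to its triage status."""
    return {host: triage(ver) for host, ver in sorted(inventory.items())}


if __name__ == "__main__":
    for host, status in report(INVENTORY).items():
        print(f"{host:12} {INVENTORY[host]:10} {status}")
```

Builds below a train's fixed hotfix (for example 9.0.2-h1) are reported as affected, which is the conservative reading of the advisory.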

Workarounds and Mitigations

Please see the detailed FAQ here: https://live.paloaltonetworks.com/t5/Customer-Advisories/Palo-Alto-Networks-Security-Advisory-PAN-SA-2019-0019/ta-p/276661.

Acknowledgements

Palo Alto Networks would like to thank Bartłomiej Stasiek of ING Tech Poland, Ruben Jacobi of ON2IT Group, Michael E. Davis - University of Arkansas, and Alycia N. Carey - University of Arkansas for reporting this issue.