Palo Alto Networks Security Advisories / CVE-2019-1575

CVE-2019-1575 Information Disclosure in PAN-OS Management API Usage

Severity: 8.8 (HIGH)
Attack Vector: NETWORK
Attack Complexity: LOW
Privileges Required: LOW
User Interaction: NONE
Scope: UNCHANGED
Confidentiality Impact: HIGH
Integrity Impact: HIGH
Availability Impact: HIGH

Description

An Information Disclosure vulnerability exists in PAN-OS Management API usage (Ref # PAN-107239 and PAN-118869 / CVE-2019-1575).

Successful exploitation may allow an authenticated user with read-only privileges to extract the API key of the device and the username/password from the XML API (in PAN-OS), and possibly to escalate the privileges granted to them.

This issue affects PAN-OS 7.1.23 and earlier, PAN-OS 8.0.18 and earlier, PAN-OS 8.1.8-h4 and earlier, and PAN-OS 9.0.2 and earlier.

Product Status

Versions      Affected       Unaffected
PAN-OS 9.0    <= 9.0.2       >= 9.0.2
PAN-OS 8.1    <= 8.1.8-h4    >= 8.1.8
PAN-OS 8.0    <= 8.0.18      >= 8.0.19
PAN-OS 7.1    <= 7.1.23      >= 7.1.24

Severity: HIGH

CVSSv3.1 Base Score: 8.8 (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H)

Weakness Type

CWE-200 Information Exposure

Solution

This issue is fixed in PAN-OS 7.1.24 and later, PAN-OS 8.0.19 and later, PAN-OS 8.1.8-h5 and later, and PAN-OS 9.0.2-h4 and later.
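The following is an added example, not code from Palo Alto Networks, for checking a fleet of reported PAN-OS versions against the fixed versions listed in the Solution section above. It assumes the version string format the advisory itself uses (major.minor.maintenance with an optional "-hN" hotfix suffix) and treats release trains the advisory does not mention as "not covered" rather than as safe.

```python
import re
from typing import Dict, List, Optional, Tuple

# Fixed versions taken from the Solution section of the advisory: a release on
# the same major.minor train is fixed if it is >= the listed version.
FIXED_VERSIONS: Dict[str, str] = {
    "7.1": "7.1.24",
    "8.0": "8.0.19",
    "8.1": "8.1.8-h5",
    "9.0": "9.0.2-h4",
}

# Assumed format: "<major>.<minor>.<maint>" with an optional "-h<N>" hotfix suffix.
_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:-h(\d+))?$")


def parse_version(version: str) -> Tuple[int, int, int, int]:
    """Parse e.g. '8.1.8-h4' into a comparable tuple (major, minor, maint, hotfix).

    A base release without a hotfix sorts as hotfix 0, so 8.1.8 < 8.1.8-h4 < 8.1.8-h5.
    """
    m = _VERSION_RE.match(version.strip())
    if not m:
        raise ValueError(f"unrecognised PAN-OS version string: {version!r}")
    major, minor, maint, hotfix = m.groups()
    return (int(major), int(minor), int(maint), int(hotfix or 0))


def is_affected(version: str) -> Optional[bool]:
    """True if the version lacks the CVE-2019-1575 fix, False if it carries it,
    None if the advisory does not cover that release train at all."""
    parsed = parse_version(version)
    fixed = FIXED_VERSIONS.get(f"{parsed[0]}.{parsed[1]}")
    if fixed is None:
        return None  # not addressed by this advisory; do not assume it is safe
    return parsed < parse_version(fixed)


def affected_devices(inventory: Dict[str, str]) -> List[str]:
    """Return the names of devices whose reported version is still affected."""
    return sorted(name for name, ver in inventory.items() if is_affected(ver) is True)


if __name__ == "__main__":
    # Constructed sample inventory (hostname -> reported sw-version), not real data.
    sample = {"fw-edge-1": "8.1.8-h4", "fw-edge-2": "8.1.8-h5", "fw-dc-1": "9.0.2"}
    for host, ver in sample.items():
        print(f"{host:10s} {ver:10s} affected={is_affected(ver)}")
    print("needs upgrade:", affected_devices(sample))
```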

Workarounds and Mitigations

Please see the detailed FAQ here: https://live.paloaltonetworks.com/t5/Customer-Advisories/Palo-Alto-Networks-Security-Advisory-PAN-SA-2019-0019/ta-p/276661.

Acknowledgments

Palo Alto Networks would like to thank Bartłomiej Stasiek of ING Tech Poland, Ruben Jacobi of ON2IT Group, Michael E. Davis - University of Arkansas, and Alycia N. Carey - University of Arkansas for reporting this issue.
© 2024 Palo Alto Networks, Inc. All rights reserved.