CVE-2019-17437 PAN-OS: Custom-role users may escalate privileges
An improper authentication check in Palo Alto Networks PAN-OS may allow an authenticated low privileged non-superuser custom role user to elevate privileges and become superuser.
This issue affects PAN-OS 7.1 versions prior to 7.1.25; 8.0 versions prior to 8.0.20; 8.1 versions prior to 8.1.11; 9.0 versions prior to 9.0.5.
PAN-OS version 7.0 and prior EOL versions have not been evaluated for this issue.
|PAN-OS 9.0||< 9.0.5||>= 9.0.5|
|PAN-OS 8.1||< 8.1.11||>= 8.1.11|
|PAN-OS 8.0||< 8.0.20||>= 8.0.20|
|PAN-OS 7.1||< 7.1.25||>= 7.1.25|
Releases <= 7.0 have not been evaluated.
Required Configuration for Exposure
This issue only affects devices configured with a low privileged custom role user with any combination of roles or privileges.
CVSSv3.1 Base Score:7.8 (CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H)
This issue has been resolved in 7.1.25, 8.0.20, 8.1.11, 9.0.5 and all subsequent versions.
Workarounds and Mitigations
Remove any untrusted custom-role users from the device or disable their access until fixes can be applied. Restrict access to the device to only trusted users.