A vulnerability exists in the Palo Alto Network PAN-OS signature-based threat detection engine that allows an attacker to evade threat prevention signatures using specifically crafted TCP packets.
This CVE has no impact on the confidentiality and availability of PAN-OS. This issue does not let an attacker access resources blocked by firewall policies and it has no impact on the service availability. There could be an impact on the accuracy of firewall threat prevention with some signatures, but there is no impact on the integrity of other security features.
This issue impacts:
PAN-OS 8.1 versions earlier than 8.1.17;
PAN-OS 9.0 versions earlier than 9.0.11;
PAN-OS 9.1 versions earlier than 9.1.5;
All versions of PAN-OS 7.1 and PAN-OS 8.0.
| Versions | Affected | Unaffected |
|---|---|---|
| PAN-OS 10.0 | None | 10.0.* |
| PAN-OS 9.1 | < 9.1.5 | >= 9.1.5 |
| PAN-OS 9.0 | < 9.0.11 | >= 9.0.11 |
| PAN-OS 8.1 | < 8.1.17 | >= 8.1.17 |
| PAN-OS 8.0 | 8.0.* | |
| PAN-OS 7.1 | 7.1.* |
CVSSv3.1 Base Score: 5.3 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N)
Palo Alto Networks is not aware of any malicious exploitation of this issue.
CWE-754 Improper Check for Unusual or Exceptional Conditions
This issue is fixed in PAN-OS 8.1.17, PAN-OS 9.0.11, PAN-OS 9.1.5, and all later PAN-OS versions.
There are no known workarounds for this issue.