An authentication bypass by spoofing vulnerability exists in the authentication daemon and User-ID components of Palo Alto Networks PAN-OS by failing to verify the integrity of the Kerberos key distribution center (KDC) before authenticating users. This affects all forms of authentication that use a Kerberos authentication profile. A man-in-the-middle type of attacker with the ability to intercept communication between PAN-OS and KDC can login to PAN-OS as an administrator.
This issue affects:
PAN-OS 7.1 versions earlier than 7.1.26;
PAN-OS 8.1 versions earlier than 8.1.13;
PAN-OS 9.0 versions earlier than 9.0.6;
All version of PAN-OS 8.0.
|9.0||< 9.0.6||>= 9.0.6|
|8.1||< 8.1.13||>= 8.1.13|
|7.1||< 7.1.26||>= 7.1.26|
CVSSv3.1 Base Score: 8.1 (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H)
This issue is fixed in PAN-OS 7.1.26, PAN-OS 8.1.13, PAN-OS 9.0.6, and all later PAN-OS versions.
PAN-OS 8.0 is now end-of-life as of October 31, 2019, and is no longer covered by our Product Security Assurance policies.
Ensure that PAN-OS communicates to Kerberos server over a secured network with access restricted to trusted users.
Please review the Best Practices for Securing Administrative Access in the PAN-OS technical documentation, available at: https://docs.paloaltonetworks.com.