Palo Alto Networks Security Advisories / CVE-2023-6791

CVE-2023-6791 PAN-OS: Plaintext Disclosure of External System Integration Credentials

Urgency REDUCED

047910
Severity 6.1 · MEDIUM
Response Effort LOW
Recovery USER
Value Density DIFFUSE
Attack Vector NETWORK
Attack Complexity LOW
Attack Requirements NONE
Automatable NO
User Interaction NONE
Product Confidentiality LOW
Product Integrity NONE
Product Availability NONE
Privileges Required HIGH
Subsequent Confidentiality HIGH
Subsequent Integrity NONE
Subsequent Availability NONE

Description

A credential disclosure vulnerability in Palo Alto Networks PAN-OS software enables an authenticated read-only administrator to obtain the plaintext credentials of stored external system integrations such as LDAP, SCP, RADIUS, TACACS+, and SNMP from the web interface.

Product Status

VersionsAffectedUnaffected
Cloud NGFW NoneAll
PAN-OS 11.1NoneAll
PAN-OS 11.0< 11.0.1>= 11.0.1
PAN-OS 10.2< 10.2.4>= 10.2.4
PAN-OS 10.1< 10.1.9>= 10.1.9
PAN-OS 10.0< 10.0.12>= 10.0.12
PAN-OS 9.1< 9.1.16>= 9.1.16
PAN-OS 9.0< 9.0.17>= 9.0.17
PAN-OS 8.1< 8.1.24-h1>= 8.1.24-h1
Prisma Access NoneAll

Severity: MEDIUM, Suggested Urgency: REDUCED

CVSS-B: 6.1 (CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:L/VI:N/VA:N/SC:H/SI:N/SA:N/AU:N/R:U/V:D/RE:L/U:Green)

Exploitation Status

Palo Alto Networks is not aware of any malicious exploitation of this issue.

Weakness Type

CWE-701: Weakness Introduced During Design

Solution

This issue is fixed in PAN-OS 8.1.24-h1, PAN-OS 9.0.17, PAN-OS 9.1.16, PAN-OS 10.0.12, PAN-OS 10.1.9, PAN-OS 10.2.4, PAN-OS 11.0.1, and all later PAN-OS versions.

You should issue new credentials for the impacted external integrations after you upgrade your PAN-OS software to a fixed version to prevent the misuse of previously exposed credentials.

Please note that customers impacted by the PAN-OS root and default certificate expiration issue must carefully select the fixed version of PAN-OS they upgrade their devices to when addressing this vulnerability to not reintroduce the certificate issue. More information and support for the certificate expiration issue in PAN-OS is available at https://live.paloaltonetworks.com/t5/customer-advisories/emergency-update-required-pan-os-root-and-default-certificate/ta-p/564672.

Workarounds and Mitigations

This issue requires the attacker to have authenticated access to the PAN-OS web interface. You can mitigate the impact of this issue by following the Best Practices for Securing Administrative Access in the PAN-OS technical documentation at https://docs.paloaltonetworks.com/best-practices.

Acknowledgments

Palo Alto Networks thanks Kajetan Rostojek for discovering and reporting this issue.

Timeline

Initial publication
© 2024 Palo Alto Networks, Inc. All rights reserved.