Palo Alto Networks Security Advisories / CVE-2023-6793

CVE-2023-6793 PAN-OS: XML API Keys Revoked by Read-Only PAN-OS Administrator

Urgency REDUCED

047910
Severity 5.1 · MEDIUM
Response Effort LOW
Recovery USER
Value Density DIFFUSE
Attack Vector NETWORK
Attack Complexity LOW
Attack Requirements NONE
Automatable YES
User Interaction NONE
Product Confidentiality NONE
Product Integrity NONE
Product Availability LOW
Privileges Required HIGH
Subsequent Confidentiality NONE
Subsequent Integrity NONE
Subsequent Availability NONE

Description

An improper privilege management vulnerability in Palo Alto Networks PAN-OS software enables an authenticated read-only administrator to revoke active XML API keys from the firewall and disrupt XML API usage.

Product Status

VersionsAffectedUnaffected
Cloud NGFW NoneAll
PAN-OS 11.1NoneAll
PAN-OS 11.0< 11.0.2>= 11.0.2
PAN-OS 10.2< 10.2.5>= 10.2.5
PAN-OS 10.1< 10.1.11>= 10.1.11
PAN-OS 10.0AllNone
PAN-OS 9.1< 9.1.17>= 9.1.17
PAN-OS 9.0< 9.0.17-h4>= 9.0.17-h4
PAN-OS 8.1NoneAll
Prisma Access NoneAll

Required Configuration for Exposure

This issue is applicable only to PAN-OS configurations that have XML API access enabled.

You can find more information about the XML API here: https://docs.paloaltonetworks.com/pan-os/11-1/pan-os-panorama-api/pan-os-api-authentication/enable-api-access

Severity: MEDIUM, Suggested Urgency: REDUCED

CVSS-B: 5.1 (CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/AU:Y/R:U/V:D/RE:L/U:Green)

Exploitation Status

Palo Alto Networks is not aware of any malicious exploitation of this issue.

Weakness Type

CWE-269 Improper Privilege Management

Solution

This issue is fixed in PAN-OS 9.0.17-h4, PAN-OS 9.1.17, PAN-OS 10.1.11, PAN-OS 10.2.5, PAN-OS 11.0.2, and all later PAN-OS versions.

Workarounds and Mitigations

This issue requires the attacker to have authenticated access to the PAN-OS XML API. You can mitigate the impact of this issue by following the Best Practices for Securing Administrative Access in the PAN-OS technical documentation at https://docs.paloaltonetworks.com/best-practices.

Acknowledgments

Palo Alto Networks thanks an external reporter for discovering and reporting this issue.

Timeline

Initial publication
© 2024 Palo Alto Networks, Inc. All rights reserved.