CVE-2024-0008 PAN-OS: Insufficient Session Expiration Vulnerability in the Web Interface
CVSS v4.0 Metrics
Metric | Value |
---|---|
Response Effort | LOW |
Recovery | USER |
Value Density | DIFFUSE |
Attack Vector | PHYSICAL |
Attack Complexity | LOW |
Attack Requirements | PRESENT |
Automatable | NO |
User Interaction | PASSIVE |
Product Confidentiality | HIGH |
Product Integrity | HIGH |
Product Availability | HIGH |
Privileges Required | NONE |
Subsequent Confidentiality | NONE |
Subsequent Integrity | NONE |
Subsequent Availability | NONE |
Description
Web sessions in the management interface in Palo Alto Networks PAN-OS software do not expire in certain situations, making it susceptible to unauthorized access.
Product Status
Versions | Affected | Unaffected |
---|---|---|
Cloud NGFW | None | All |
PAN-OS 11.1 | None | All |
PAN-OS 11.0 | < 11.0.2 | >= 11.0.2 |
PAN-OS 10.2 | < 10.2.5 | >= 10.2.5 |
PAN-OS 10.1 | < 10.1.10-h1, < 10.1.11 | >= 10.1.10-h1, >= 10.1.11 |
PAN-OS 10.0 | < 10.0.12-h1, < 10.0.13 | >= 10.0.12-h1, >= 10.0.13 |
PAN-OS 9.1 | < 9.1.17 | >= 9.1.17 |
PAN-OS 9.0 | < 9.0.17-h2 | >= 9.0.17-h2 |
Prisma Access | None | All |
Severity: MEDIUM
CVSSv4.0 Base Score: 5.4 (CVSS:4.0/AV:P/AC:L/AT:P/PR:N/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/AU:N/R:U/V:D/RE:L/U:Green)
Exploitation Status
Palo Alto Networks is not aware of any malicious exploitation of this issue.
Weakness Type
CWE-613 Insufficient Session Expiration
Solution
This issue is fixed in PAN-OS 9.0.17-h2, PAN-OS 9.1.17, PAN-OS 10.0.12-h1, PAN-OS 10.1.10-h1, PAN-OS 10.2.5, PAN-OS 11.0.2, and all later PAN-OS versions.
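The affected and fixed ranges above hinge on PAN-OS hotfix ordering (10.1.10 is affected while 10.1.10-h1 is fixed), which a plain string comparison gets wrong. The following Python checker is an added example, not Palo Alto Networks' code: it encodes the fixed releases from the Solution section and assumes versions follow the major.minor.maintenance[-hN] form; the sample inventory is constructed.

```python
import re

# Fixed releases from the advisory's Solution section: a release in the same
# major.minor train at or above the listed version is unaffected.
FIXED_VERSIONS = {
    (9, 0): "9.0.17-h2",
    (9, 1): "9.1.17",
    (10, 0): "10.0.12-h1",
    (10, 1): "10.1.10-h1",
    (10, 2): "10.2.5",
    (11, 0): "11.0.2",
}
# Assumed version format: major.minor.maintenance with an optional -hN hotfix.
_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:-h(\d+))?$")

def parse_version(text):
    """'10.1.10-h1' -> (10, 1, 10, 1); a release with no hotfix gets hotfix 0,
    so 10.1.10 sorts below 10.1.10-h1 as the advisory's ranges require."""
    match = _VERSION_RE.match(text.strip())
    if not match:
        raise ValueError(f"unrecognised PAN-OS version: {text!r}")
    return tuple(int(part or 0) for part in match.groups())

def is_affected(version):
    """True if in an affected range for CVE-2024-0008, False if fixed or never
    affected, None if the train is not covered by the advisory."""
    parsed = parse_version(version)
    train = parsed[:2]
    fixed = FIXED_VERSIONS.get(train)
    if fixed is None:
        # 11.1 and anything newer fall under "all later PAN-OS versions";
        # older unlisted trains (e.g. 8.x) are not addressed by the advisory.
        return False if train > max(FIXED_VERSIONS) else None
    return parsed < parse_version(fixed)

# Constructed sample inventory (hostname -> reported version), not from the advisory.
SAMPLE_INVENTORY = {
    "fw-edge-01": "10.1.10",
    "fw-edge-02": "10.1.10-h1",
    "fw-dc-01": "9.0.17-h1",
    "fw-lab-01": "11.1.0",
}
LABELS = {True: "AFFECTED", False: "UNAFFECTED", None: "NOT COVERED"}

def triage(inventory):
    """Label each device so affected ones can be scheduled for the fixed release."""
    return {host: LABELS[is_affected(ver)] for host, ver in inventory.items()}
```

Calling `triage(SAMPLE_INVENTORY)` flags fw-edge-01 and fw-dc-01 as AFFECTED and the other two as UNAFFECTED.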
Workarounds and Mitigations
Ensure that inactivity-based screen locks are enforced on endpoints with access to the PAN-OS web interface.
Acknowledgments
Palo Alto Networks thanks Brian Yaklin for discovering and reporting this issue.
Timeline
Initial publication