CVE-2024-3387 PAN-OS: Weak Certificate Strength in Panorama Software Leads to Sensitive Information Disclosure
Description
A weak (low bit strength) device certificate in Palo Alto Networks Panorama software enables an attacker to perform a meddler-in-the-middle (MitM) attack to capture encrypted traffic between the Panorama management server and the firewalls it manages. With sufficient computing resources, the attacker could break encrypted communication and expose sensitive information that is shared between the management server and the firewalls.
Product Status
| Versions | Affected | Unaffected |
|---|---|---|
| Cloud NGFW | None | All |
| PAN-OS 11.1 | None | All |
| PAN-OS 11.0 | < 11.0.4 on Panorama | >= 11.0.4 on Panorama |
| PAN-OS 10.2 | < 10.2.7-h3 on Panorama, < 10.2.8 on Panorama | >= 10.2.7-h3 on Panorama, >= 10.2.8 on Panorama |
| PAN-OS 10.1 | < 10.1.12 on Panorama | >= 10.1.12 on Panorama |
| PAN-OS 9.1 | None | All |
| PAN-OS 9.0 | None | All |
| Prisma Access | None | All |
Severity: MEDIUM
CVSSv4.0 Base Score: 6 (CVSS:4.0/AV:N/AC:H/AT:P/PR:N/UI:P/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/AU:N/R:A/V:C/RE:M/U:Amber)
Exploitation Status
Palo Alto Networks is not aware of any malicious exploitation of this issue.
Weakness Type
CWE-326 Inadequate Encryption Strength
Solution
This issue is fixed on Panorama in PAN-OS 10.1.12, PAN-OS 10.2.7-h3, PAN-OS 10.2.8, PAN-OS 11.0.4, and all later PAN-OS versions.