CVE-2024-3387 PAN-OS: Weak Certificate Strength in Panorama Software Leads to Sensitive Information Disclosure

Urgency MODERATE

Severity 6 · MEDIUM
Response Effort MODERATE
Recovery AUTOMATIC
Value Density CONCENTRATED
Attack Vector NETWORK
Attack Complexity HIGH
Attack Requirements PRESENT
Automatable NO
User Interaction PASSIVE
Product Confidentiality HIGH
Product Integrity NONE
Product Availability NONE
Privileges Required NONE
Subsequent Confidentiality NONE
Subsequent Integrity NONE
Subsequent Availability NONE

Description

A weak (low bit strength) device certificate in Palo Alto Networks Panorama software enables an attacker to perform a meddler-in-the-middle (MitM) attack to capture encrypted traffic between the Panorama management server and the firewalls it manages. With sufficient computing resources, the attacker could break encrypted communication and expose sensitive information that is shared between the management server and the firewalls.

Product Status

Versions | Affected | Unaffected
Cloud NGFW | None | All
PAN-OS 11.1 | None | All
PAN-OS 11.0 | < 11.0.4 on Panorama | >= 11.0.4 on Panorama
PAN-OS 10.2 | < 10.2.7-h3 on Panorama, < 10.2.8 on Panorama | >= 10.2.7-h3 on Panorama, >= 10.2.8 on Panorama
PAN-OS 10.1 | < 10.1.12 on Panorama | >= 10.1.12 on Panorama
PAN-OS 9.1 | None | All
PAN-OS 9.0 | None | All
Prisma Access | None | All

Severity: MEDIUM, Suggested Urgency: MODERATE

CVSS-B: 6.0 (CVSS:4.0/AV:N/AC:H/AT:P/PR:N/UI:P/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/AU:N/R:A/V:C/RE:M/U:Amber)

Exploitation Status

Palo Alto Networks is not aware of any malicious exploitation of this issue.

Weakness Type

CWE-326 Inadequate Encryption Strength

Solution

This issue is fixed on Panorama in PAN-OS 10.1.12, PAN-OS 10.2.7-h3, PAN-OS 10.2.8, PAN-OS 11.0.4, and all later PAN-OS versions.
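
The fixed versions above can be checked against a Panorama inventory with a short script. The following is an added example, not Palo Alto Networks code; the function names and the sample inventory are hypothetical, and it assumes version strings of the form major.minor.maintenance with an optional -hN hotfix suffix.

```python
import re

# First fixed Panorama release per affected PAN-OS train, from the advisory's
# Product Status table. Assumption: any train without an entry here is treated
# as unaffected, including trains the advisory does not mention at all.
FIXED_IN = {
    (11, 0): (4, 0),    # 11.0.4
    (10, 2): (7, 3),    # 10.2.7-h3 (10.2.8 and later are also fixed)
    (10, 1): (12, 0),   # 10.1.12
}

_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:-h(\d+))?$")


def parse_panos_version(text):
    """Parse 'major.minor.maint[-hN]' into (major, minor, maint, hotfix)."""
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognized PAN-OS version: {text!r}")
    major, minor, maint, hotfix = m.groups()
    return int(major), int(minor), int(maint), int(hotfix or 0)


def panorama_is_affected(version):
    """Return True if this Panorama version predates the CVE-2024-3387 fix."""
    major, minor, maint, hotfix = parse_panos_version(version)
    fixed = FIXED_IN.get((major, minor))
    if fixed is None:
        return False  # train has no affected releases listed
    # Tuple comparison orders by maintenance release first, then hotfix,
    # so 10.2.7-h1 < 10.2.7-h3 < 10.2.8.
    return (maint, hotfix) < fixed


def audit(inventory):
    """Given hostname -> version, return the sorted hosts needing an upgrade."""
    return sorted(h for h, v in inventory.items() if panorama_is_affected(v))


# Constructed inventory for illustration; hostnames are made up.
SAMPLE_INVENTORY = {
    "panorama-a": "10.2.7-h1",
    "panorama-b": "10.2.7-h3",
    "panorama-c": "11.0.3",
    "panorama-d": "10.1.12",
    "panorama-e": "11.1.0",
}
```

Calling audit(SAMPLE_INVENTORY) lists the Panorama hosts that still run a release older than the fix for their train; a version string the parser does not recognize raises ValueError rather than being silently treated as safe.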

Acknowledgments

Palo Alto Networks thanks one of our customers for discovering and reporting this issue.

Timeline

Initial publication