CVE-2024-3596 PAN-OS: CHAP and PAP When Used with RADIUS Authentication Lead to Privilege Escalation
Description
This vulnerability allows an attacker performing a meddler-in-the-middle attack between Palo Alto Networks PAN-OS firewall and a RADIUS server to bypass authentication and escalate privileges to ‘superuser’ when RADIUS authentication is in use and either CHAP or PAP is selected in the RADIUS server profile.
CHAP and PAP provide no Transport Layer Security (TLS) and are therefore vulnerable to meddler-in-the-middle attacks. Neither protocol should be used unless it is encapsulated in an encrypted tunnel. If they are in use but encapsulated within a TLS tunnel, they are not vulnerable to this attack.
For additional information regarding this vulnerability, please see https://blastradius.fail.
Product Status
| Versions | Affected | Unaffected |
|---|---|---|
| Cloud NGFW | None | All |
| PAN-OS 11.2 | None | All |
| PAN-OS 11.1 | < 11.1.3 | >= 11.1.3 |
| PAN-OS 11.0 | < 11.0.4-h5, < 11.0.6 | >= 11.0.4-h5, >= 11.0.6 |
| PAN-OS 10.2 | < 10.2.10 | >= 10.2.10 |
| PAN-OS 10.1 | < 10.1.14 | >= 10.1.14 |
| PAN-OS 9.1 | < 9.1.19 | >= 9.1.19 |
| Prisma Access | All | None (Fix ETA: September 15) |
Required Configuration for Exposure
To be vulnerable, Palo Alto Networks PAN-OS firewalls must be configured to use CHAP or PAP as the authentication protocol for a RADIUS server. Note that PAP differs from EAP-TTLS with PAP, which is not vulnerable to this attack.
Severity: MEDIUM, Suggested Urgency: MODERATE
CVSS-B: 5.3 (CVSS:4.0/AV:N/AC:H/AT:P/PR:N/UI:P/VC:N/VI:N/VA:N/SC:H/SI:H/SA:N/AU:N/R:A/V:C/RE:M/U:Amber)
Exploitation Status
Palo Alto Networks is aware of proof of concept code demonstrating how to exploit this generic issue.
Weakness Type
CWE-290 Authentication Bypass by Spoofing
Solution
The best way to address this issue is by using encrypted and authenticated channels that offer modern cryptographic security guarantees.
Configure an alternate authentication mechanism if you are using RADIUS with a CHAP or PAP authentication protocol. PAN-OS provides the following alternate RADIUS authentication mechanisms: PEAP-MSCHAPv2 (default), PEAP with GTC, and EAP-TTLS with PAP. For more information, please see https://docs.paloaltonetworks.com/pan-os/11-1/pan-os-admin/authentication/configure-radius-authentication.
In addition, instead of using RADIUS, you can configure an alternate authentication mechanism using one of the options described here: https://docs.paloaltonetworks.com/pan-os/11-1/pan-os-admin/authentication.
If you are a Prisma Access customer using a RADIUS configuration with PAP or CHAP in your profile and have not applied one of the changes described above, please reach out to TAC/CS to schedule an upgrade window.
PAN-OS 9.1.19, PAN-OS 10.1.14, PAN-OS 10.2.10, PAN-OS 11.0.7, PAN-OS 11.1.3, and all later PAN-OS versions add a new feature to enforce an authentication check in RADIUS. This new feature is disabled by default to match the existing behavior. To enable this feature, run the following command:

```
set auth radius-require-msg-authentic yes
```
To confirm that the setting was correctly enabled, run the following command:
```
show auth radius-require-msg-authentic
```
If set correctly, the response will say "yes". This setting is persistent across reboots. No ‘commit’ is required for this to take effect.
Please note that this feature requires a RADIUS server that has been updated to support the new protocol changes, as detailed in https://kb.cert.org/vuls/id/456537. If your RADIUS authentication breaks when radius-require-msg-authentic is set to yes, please work with your RADIUS server vendor for support with the RADIUS server upgrade process.
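To illustrate what the check above enforces, the following added example (written for this page, not PAN-OS or Palo Alto Networks code) verifies the Message-Authenticator attribute on a RADIUS response the way an updated client must, using the HMAC-MD5 construction from RFC 2869, and shows that a response lacking that attribute is rejected outright. The attribute values, shared secret and Request Authenticator in the test are constructed samples.

```python
import hashlib
import hmac

MSG_AUTHENTICATOR = 80  # attribute type Message-Authenticator (RFC 2869 section 5.14)

def parse_attributes(body):
    """Split the attribute section into (type, value) pairs, rejecting bad lengths."""
    attrs, i = [], 0
    while i < len(body):
        if i + 2 > len(body) or body[i + 1] < 2 or i + body[i + 1] > len(body):
            raise ValueError("malformed RADIUS attribute")
        atype, alen = body[i], body[i + 1]
        attrs.append((atype, body[i + 2:i + alen]))
        i += alen
    return attrs

def expected_message_authenticator(packet, request_authenticator, secret):
    """HMAC-MD5 keyed with the shared secret over Code, ID, Length, the matching
    Request Authenticator and the attributes with this attribute zeroed (RFC 2869)."""
    zeroed = b""
    for atype, value in parse_attributes(packet[20:]):
        if atype == MSG_AUTHENTICATOR:
            value = b"\x00" * 16
        zeroed += bytes([atype, len(value) + 2]) + value
    return hmac.new(secret, packet[:4] + request_authenticator + zeroed, hashlib.md5).digest()

def response_is_acceptable(packet, request_authenticator, secret):
    """Client-side rule that radius-require-msg-authentic yes enforces."""
    length = int.from_bytes(packet[2:4], "big")
    if length != len(packet) or length < 20:
        return False
    try:
        found = [v for t, v in parse_attributes(packet[20:]) if t == MSG_AUTHENTICATOR]
    except ValueError:
        return False
    if len(found) != 1 or len(found[0]) != 16:
        return False  # missing, duplicated or truncated: treat as forged
    expected = expected_message_authenticator(packet, request_authenticator, secret)
    return hmac.compare_digest(found[0], expected)

def build_access_accept(ident, request_authenticator, secret, attrs):
    """Constructed server side: an Access-Accept (code 2) carrying a valid Message-Authenticator."""
    body = b"".join(bytes([t, len(v) + 2]) + v for t, v in attrs)
    body += bytes([MSG_AUTHENTICATOR, 18]) + b"\x00" * 16  # placeholder, filled in below
    packet = bytes([2, ident]) + (20 + len(body)).to_bytes(2, "big") + b"\x00" * 16 + body
    attrs_with_mac = body[:-16] + expected_message_authenticator(packet, request_authenticator, secret)
    # Response Authenticator = MD5(Code + ID + Length + RequestAuth + Attributes + Secret), RFC 2865
    resp_auth = hashlib.md5(packet[:4] + request_authenticator + attrs_with_mac + secret).digest()
    return packet[:4] + resp_auth + attrs_with_mac
```

A bare Access-Accept with no Message-Authenticator, or one whose attributes were altered after the HMAC was computed, fails `response_is_acceptable` regardless of whether its Response Authenticator looks correct.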