Palo Alto Networks Security Advisories / CVE-2024-3596

CVE-2024-3596 PAN-OS: CHAP and PAP When Used with RADIUS Authentication Lead to Privilege Escalation

Severity 5.3 · MEDIUM
Urgency MODERATE
Response Effort MODERATE
Recovery AUTOMATIC
Value Density CONCENTRATED
Attack Vector NETWORK
Attack Complexity HIGH
Attack Requirements PRESENT
Automatable NO
User Interaction PASSIVE
Product Confidentiality NONE
Product Integrity NONE
Product Availability NONE
Privileges Required NONE
Subsequent Confidentiality HIGH
Subsequent Integrity HIGH
Subsequent Availability NONE

Description

This vulnerability allows an attacker performing a meddler-in-the-middle attack between Palo Alto Networks PAN-OS firewall and a RADIUS server to bypass authentication and escalate privileges to ‘superuser’ when RADIUS authentication is in use and either CHAP or PAP is selected in the RADIUS server profile.

CHAP and PAP carry no Transport Layer Security (TLS) of their own, and when they are used directly over RADIUS the only protection on the server's reply is the MD5-based Response Authenticator. A meddler-in-the-middle between the firewall and the RADIUS server can exploit that weakness (the Blast-RADIUS technique described at the link below, which forges a valid Access-Accept via an MD5 chosen-prefix collision) and grant access without knowing the shared secret or the user's credentials. Neither protocol should be used unless it is encapsulated in an encrypted tunnel. If CHAP or PAP is in use but encapsulated within a TLS tunnel (for example EAP-TTLS with PAP), it is not vulnerable to this attack.

For additional information regarding this vulnerability, please see https://blastradius.fail.

Product Status

Versions        Affected                  Unaffected
Cloud NGFW      None                      All
PAN-OS 11.2     None                      All
PAN-OS 11.1     < 11.1.3                  >= 11.1.3
PAN-OS 11.0     < 11.0.4-h4, < 11.0.6     >= 11.0.4-h4, >= 11.0.6
PAN-OS 10.2     < 10.2.10                 >= 10.2.10
PAN-OS 10.1     < 10.1.14                 >= 10.1.14
PAN-OS 9.1      < 9.1.19                  >= 9.1.19
Prisma Access   All                       None (Fix ETA: July 30)

Required Configuration for Exposure

To be vulnerable, Palo Alto Networks PAN-OS firewalls must be configured to use CHAP or PAP as the authentication protocol for a RADIUS server. Note that PAP differs from EAP-TTLS with PAP, which is not vulnerable to this attack.

Severity: MEDIUM

CVSSv4.0 Base Score: 5.3 (CVSS:4.0/AV:N/AC:H/AT:P/PR:N/UI:P/VC:N/VI:N/VA:N/SC:H/SI:H/SA:N/AU:N/R:A/V:C/RE:M/U:Amber)

Exploitation Status

Palo Alto Networks is aware of proof of concept code demonstrating how to exploit this generic issue.

Weakness Type

CWE-290 Authentication Bypass by Spoofing

Solution

The best way to address this issue is by using encrypted and authenticated channels that offer modern cryptographic security guarantees.

Configure an alternate authentication mechanism if you are using RADIUS with a CHAP or PAP authentication protocol. PAN-OS provides the following alternate RADIUS authentication mechanisms: PEAP-MSCHAPv2 (default), PEAP with GTC, and EAP-TTLS with PAP. For more information, please see https://docs.paloaltonetworks.com/pan-os/11-1/pan-os-admin/authentication/configure-radius-authentication.

In addition, instead of using RADIUS, you can configure an alternate authentication mechanism using one of the options described here: https://docs.paloaltonetworks.com/pan-os/11-1/pan-os-admin/authentication.

If you are a Prisma Access customer using a RADIUS configuration with PAP or CHAP in your profile and have not applied one of the changes described above, you will be contacted to schedule an upgrade window.

PAN-OS 9.1.19, PAN-OS 10.1.14, PAN-OS 10.2.10, PAN-OS 11.0.7, PAN-OS 11.1.3, and all later PAN-OS versions add a new feature to enforce an authentication check in RADIUS: when enabled, the firewall requires every RADIUS response (Access-Accept, Access-Reject and Access-Challenge) to carry a valid Message-Authenticator attribute and discards responses that lack one. This new feature is disabled by default to match the existing behavior. To enable this feature, run the following command:

set auth radius-require-msg-authentic yes

To confirm that the setting was correctly enabled, run the following command:

show auth radius-require-msg-authentic

If set correctly, the response will say "yes". This setting is persistent across reboots. No ‘commit’ is required for this to take effect.

Please note that this feature requires that the RADIUS server has been updated to support the new protocol changes (sending a Message-Authenticator attribute in every response), as detailed in https://kb.cert.org/vuls/id/456537. If your RADIUS authentication breaks when radius-require-msg-authentic is set to yes, the server is most likely still omitting that attribute; please work with your RADIUS server vendor for support with the RADIUS server upgrade process.
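To make concrete what the Message-Authenticator check adds over the Response Authenticator that CHAP/PAP-over-RADIUS otherwise relies on (the weakness described in the Description above), and what the enforcement setting changes on the firewall side, here is an added Python example. It is not PAN-OS code and is not taken from this advisory or from the Blast-RADIUS authors. It builds RADIUS Access-Accept responses as a server would, with and without the RFC 2869 Message-Authenticator attribute, and validates them as a client with and without a "require Message-Authenticator" policy, which is assumed here to match the intent of radius-require-msg-authentic. The shared secret, user name and packet contents are constructed values. The "forged" packet borrows the secret only as a stand-in for the MD5 chosen-prefix collision the real attack uses to obtain a valid Response Authenticator; that computation is out of scope here, but the resulting packet has the same property the attack produces (valid MD5, no Message-Authenticator).

```python
"""RADIUS response validation on the NAS side: Response Authenticator (plain MD5)
versus Message-Authenticator (HMAC-MD5). Constructed example, not PAN-OS code."""
import hashlib
import hmac
import os
import struct

ACCESS_ACCEPT = 2
USER_NAME = 1                # RFC 2865 attribute type
MESSAGE_AUTHENTICATOR = 80   # RFC 2869 attribute type


def encode_attrs(attrs):
    """Encode [(type, value), ...] as RADIUS TLVs (1-byte type, 1-byte total length)."""
    return b"".join(bytes([t, len(v) + 2]) + v for t, v in attrs)


def build_response(code, ident, request_auth, attrs, secret, with_msg_auth):
    """Build a RADIUS response as a server would.

    Response Authenticator = MD5(Code+ID+Length+RequestAuth+Attributes+Secret)   (RFC 2865 s.3)
    Message-Authenticator  = HMAC-MD5(Secret, Code+ID+Length+RequestAuth+Attributes)
                             computed with the attribute's own 16 value bytes zeroed (RFC 2869 s.5.14)
    """
    attrs = list(attrs)
    if with_msg_auth:
        attrs.append((MESSAGE_AUTHENTICATOR, b"\x00" * 16))  # placeholder, filled in below
    body = encode_attrs(attrs)
    header = struct.pack("!BBH", code, ident, 20 + len(body))
    if with_msg_auth:
        mac = hmac.new(secret, header + request_auth + body, hashlib.md5).digest()
        body = body[:-16] + mac  # the placeholder is the last 16 bytes of the last attribute
    resp_auth = hashlib.md5(header + request_auth + body + secret).digest()
    return header + resp_auth + body


def verify_response(packet, request_auth, secret, require_msg_auth):
    """NAS-side check. require_msg_auth plays the role of the firewall's
    'require Message-Authenticator' policy (assumed equivalence, for illustration)."""
    if len(packet) < 20:
        return False, "short packet"
    code, ident, length = struct.unpack("!BBH", packet[:4])
    if length != len(packet):
        return False, "length mismatch"
    header, resp_auth, attrs = packet[:4], packet[4:20], packet[20:]
    expected = hashlib.md5(header + request_auth + attrs + secret).digest()
    if not hmac.compare_digest(expected, resp_auth):
        return False, "bad Response Authenticator"
    # Walk the TLVs to locate a Message-Authenticator (type 80, length 18).
    ma_off, i = None, 0
    while i < len(attrs):
        if i + 2 > len(attrs) or attrs[i + 1] < 2 or i + attrs[i + 1] > len(attrs):
            return False, "malformed attribute"
        if attrs[i] == MESSAGE_AUTHENTICATOR and attrs[i + 1] == 18:
            ma_off = i + 2
        i += attrs[i + 1]
    if ma_off is None:
        if require_msg_auth:
            return False, "Message-Authenticator missing"
        return True, "accepted on Response Authenticator alone"
    zeroed = attrs[:ma_off] + b"\x00" * 16 + attrs[ma_off + 16:]
    mac = hmac.new(secret, header + request_auth + zeroed, hashlib.md5).digest()
    if not hmac.compare_digest(mac, attrs[ma_off:ma_off + 16]):
        return False, "bad Message-Authenticator"
    return True, "Message-Authenticator verified"


def demo():
    """Legacy server, updated server and attacker forgeries, checked under both policies."""
    secret = b"example-shared-secret"   # constructed value
    request_auth = os.urandom(16)       # the NAS's Request Authenticator for this exchange
    ident = 7
    user = [(USER_NAME, b"admin")]
    legacy = build_response(ACCESS_ACCEPT, ident, request_auth, user, secret, with_msg_auth=False)
    updated = build_response(ACCESS_ACCEPT, ident, request_auth, user, secret, with_msg_auth=True)
    # Forgery stand-in: the real attack reaches a valid Response Authenticator through an MD5
    # chosen-prefix collision without the secret; here the secret is borrowed to get a packet
    # with the same property (valid MD5, no Message-Authenticator).
    forged = build_response(ACCESS_ACCEPT, ident, request_auth, [], secret, with_msg_auth=False)
    # Without the secret an attacker cannot compute the HMAC, so a guessed value is random.
    body = encode_attrs([(MESSAGE_AUTHENTICATOR, os.urandom(16))])
    header = struct.pack("!BBH", ACCESS_ACCEPT, ident, 20 + len(body))
    forged_bogus_ma = header + hashlib.md5(header + request_auth + body + secret).digest() + body
    tampered = updated[:-1] + bytes([updated[-1] ^ 1])  # one bit flipped in transit
    return {
        "legacy_default": verify_response(legacy, request_auth, secret, False)[0],
        "legacy_enforced": verify_response(legacy, request_auth, secret, True)[0],
        "updated_enforced": verify_response(updated, request_auth, secret, True)[0],
        "forged_default": verify_response(forged, request_auth, secret, False)[0],
        "forged_enforced": verify_response(forged, request_auth, secret, True)[0],
        "forged_bogus_ma_enforced": verify_response(forged_bogus_ma, request_auth, secret, True)[0],
        "tampered_enforced": verify_response(tampered, request_auth, secret, True)[0],
    }
```

The two failure rows worth noting are "legacy_enforced" and "forged_enforced": they fail for the same reason (no Message-Authenticator), which is exactly why turning on the enforcement against a server that has not been updated breaks legitimate logins, as the paragraph above warns.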

Acknowledgments

Palo Alto Networks thanks Sharon Goldberg, Miro Haller, Nadia Heninger, Mike Milano, Dan Shumow, Marc Stevens, and Adam Suhl for discovering and reporting this issue.

Timeline

Clarified requirements for RADIUS server
Clarified versions for 11.0 branch
Initial publication
© 2024 Palo Alto Networks, Inc. All rights reserved.