An improper certificate validation vulnerability in Palo Alto Networks PAN-OS software enables an authorized user with a specially crafted client certificate to connect to an impacted GlobalProtect portal or GlobalProtect gateway as a different legitimate user. This attack is possible only if you "Allow Authentication with User Credentials OR Client Certificate."
This issue impacts only firewalls on which you configured a GlobalProtect portal or GlobalProtect gateway to use Client Certificate Authentication and you set the "Allow Authentication with User Credentials OR Client Certificate" option to "Yes".
You can verify whether you configured GlobalProtect portal or gateway by checking for entries in your firewall web interface (Network → GlobalProtect → Portals or Network → GlobalProtect → Gateways).
I*f you do have GlobalProtect portals or gateways in your configuration, then you can verify whether you configured Client Certificate Authentication on these portals and gateways by checking your firewall web interface (Network → GlobalProtect → Portals → (portal-config) → Authentication or Network → GlobalProtect → Gateways → (gateway-config) → Authentication).
Palo Alto Networks is not aware of any malicious exploitation of this issue.
This issue is fixed in PAN-OS 10.1.11, PAN-OS 10.2.4-h5, PAN-OS 10.2.5, PAN-OS 11.0.3, and all later PAN-OS versions.
You can mitigate this issue by setting the "Allow Authentication with User Credentials OR Client Certificate" option to "No." Additional information is available here:
cpe:2.3:o:paloaltonetworks:pan-os:11.0.2:h4:*:*:*:*:*:*
cpe:2.3:o:paloaltonetworks:pan-os:11.0.2:h3:*:*:*:*:*:*
cpe:2.3:o:paloaltonetworks:pan-os:11.0.2:h2:*:*:*:*:*:*
cpe:2.3:o:paloaltonetworks:pan-os:11.0.2:h1:*:*:*:*:*:*
cpe:2.3:o:paloaltonetworks:pan-os:11.0.2:-:*:*:*:*:*:*
cpe:2.3:o:paloaltonetworks:pan-os:11.0.1:h4:*:*:*:*:*:*
cpe:2.3:o:paloaltonetworks:pan-os:11.0.1:h3:*:*:*:*:*:*
cpe:2.3:o:paloaltonetworks:pan-os:11.0.1:h2:*:*:*:*:*:*
cpe:2.3:o:paloaltonetworks:pan-os:11.0.1:h1:*:*:*:*:*:*
cpe:2.3:o:paloaltonetworks:pan-os:11.0.1:-:*:*:*:*:*:*
cpe:2.3:o:paloaltonetworks:pan-os:11.0.0:h3:*:*:*:*:*:*
cpe:2.3:o:paloaltonetworks:pan-os:11.0.0:h2:*:*:*:*:*:*
cpe:2.3:o:paloaltonetworks:pan-os:11.0.0:h1:*:*:*:*:*:*
cpe:2.3:o:paloaltonetworks:pan-os:11.0.0:-:*:*:*:*:*:*
cpe:2.3:o:paloaltonetworks:pan-os:11.0:-:*:*:*:*:*:*
cpe:2.3:o:paloaltonetworks:pan-os:10.2.4:h4:*:*:*:*:*:*
cpe:2.3:o:paloaltonetworks:pan-os:10.2.4:h3:*:*:*:*:*:*
cpe:2.3:o:paloaltonetworks:pan-os:10.2.4:h2:*:*:*:*:*:*
cpe:2.3:o:paloaltonetworks:pan-os:10.2.4:h1:*:*:*:*:*:*
cpe:2.3:o:paloaltonetworks:pan-os:10.2.4:-:*:*:*:*:*:*
cpe:2.3:o:paloaltonetworks:pan-os:10.2.3:h13:*:*:*:*:*:*
cpe:2.3:o:paloaltonetworks:pan-os:10.2.3:h12:*:*:*:*:*:*
cpe:2.3:o:paloaltonetworks:pan-os:10.2.3:h11:*:*:*:*:*:*
cpe:2.3:o:paloaltonetworks:pan-os:10.2.3:h10:*:*:*:*:*:*
cpe:2.3:o:paloaltonetworks:pan-os:10.2.3:h9:*:*:*:*:*:*
cpe:2.3:o:paloaltonetworks:pan-os:10.2.3:h8:*:*:*:*:*:*
cpe:2.3:o:paloaltonetworks:pan-os:10.2.3:h7:*:*:*:*:*:*
cpe:2.3:o:paloaltonetworks:pan-os:10.2.3:h6:*:*:*:*:*:*
cpe:2.3:o:paloaltonetworks:pan-os:10.2.3:h5:*:*:*:*:*:*
cpe:2.3:o:paloaltonetworks:pan-os:10.2.3:h4:*:*:*:*:*:*
cpe:2.3:o:paloaltonetworks:pan-os:10.2.3:h3:*:*:*:*:*:*
cpe:2.3:o:paloaltonetworks:pan-os:10.2.3:h2:*:*:*:*:*:*
cpe:2.3:o:paloaltonetworks:pan-os:10.2.3:h1:*:*:*:*:*:*
cpe:2.3:o:paloaltonetworks:pan-os:10.2.3:-:*:*:*:*:*:*
cpe:2.3:o:paloaltonetworks:pan-os:10.2.2:h5:*:*:*:*:*:*
cpe:2.3:o:paloaltonetworks:pan-os:10.2.2:h4:*:*:*:*:*:*
cpe:2.3:o:paloaltonetworks:pan-os:10.2.2:h3:*:*:*:*:*:*
cpe:2.3:o:paloaltonetworks:pan-os:10.2.2:h2:*:*:*:*:*:*
cpe:2.3:o:paloaltonetworks:pan-os:10.2.2:h1:*:*:*:*:*:*
cpe:2.3:o:paloaltonetworks:pan-os:10.2.2:-:*:*:*:*:*:*
cpe:2.3:o:paloaltonetworks:pan-os:10.2.1:h2:*:*:*:*:*:*
cpe:2.3:o:paloaltonetworks:pan-os:10.2.1:h1:*:*:*:*:*:*
cpe:2.3:o:paloaltonetworks:pan-os:10.2.1:-:*:*:*:*:*:*
cpe:2.3:o:paloaltonetworks:pan-os:10.2.0:h3:*:*:*:*:*:*
cpe:2.3:o:paloaltonetworks:pan-os:10.2.0:h2:*:*:*:*:*:*
cpe:2.3:o:paloaltonetworks:pan-os:10.2.0:h1:*:*:*:*:*:*
cpe:2.3:o:paloaltonetworks:pan-os:10.2.0:-:*:*:*:*:*:*
cpe:2.3:o:paloaltonetworks:pan-os:10.2:-:*:*:*:*:*:*
cpe:2.3:o:paloaltonetworks:pan-os:10.1.10:h5:*:*:*:*:*:*
cpe:2.3:o:paloaltonetworks:pan-os:10.1.10:h4:*:*:*:*:*:*
cpe:2.3:o:paloaltonetworks:pan-os:10.1.10:h3:*:*:*:*:*:*
cpe:2.3:o:paloaltonetworks:pan-os:10.1.10:h2:*:*:*:*:*:*
cpe:2.3:o:paloaltonetworks:pan-os:10.1.10:h1:*:*:*:*:*:*
cpe:2.3:o:paloaltonetworks:pan-os:10.1.10:-:*:*:*:*:*:*
cpe:2.3:o:paloaltonetworks:pan-os:10.1.9:h8:*:*:*:*:*:*
cpe:2.3:o:paloaltonetworks:pan-os:10.1.9:h7:*:*:*:*:*:*
cpe:2.3:o:paloaltonetworks:pan-os:10.1.9:h6:*:*:*:*:*:*
cpe:2.3:o:paloaltonetworks:pan-os:10.1.9:h5:*:*:*:*:*:*
cpe:2.3:o:paloaltonetworks:pan-os:10.1.9:h4:*:*:*:*:*:*
cpe:2.3:o:paloaltonetworks:pan-os:10.1.9:h3:*:*:*:*:*:*
cpe:2.3:o:paloaltonetworks:pan-os:10.1.9:h2:*:*:*:*:*:*
cpe:2.3:o:paloaltonetworks:pan-os:10.1.9:h1:*:*:*:*:*:*
cpe:2.3:o:paloaltonetworks:pan-os:10.1.9:-:*:*:*:*:*:*
cpe:2.3:o:paloaltonetworks:pan-os:10.1.8:h7:*:*:*:*:*:*
cpe:2.3:o:paloaltonetworks:pan-os:10.1.8:h6:*:*:*:*:*:*
cpe:2.3:o:paloaltonetworks:pan-os:10.1.8:h5:*:*:*:*:*:*
cpe:2.3:o:paloaltonetworks:pan-os:10.1.8:h4:*:*:*:*:*:*
cpe:2.3:o:paloaltonetworks:pan-os:10.1.8:h3:*:*:*:*:*:*
cpe:2.3:o:paloaltonetworks:pan-os:10.1.8:h2:*:*:*:*:*:*
cpe:2.3:o:paloaltonetworks:pan-os:10.1.8:h1:*:*:*:*:*:*
cpe:2.3:o:paloaltonetworks:pan-os:10.1.8:-:*:*:*:*:*:*
cpe:2.3:o:paloaltonetworks:pan-os:10.1.7:h1:*:*:*:*:*:*
cpe:2.3:o:paloaltonetworks:pan-os:10.1.7:-:*:*:*:*:*:*
cpe:2.3:o:paloaltonetworks:pan-os:10.1.6:h8:*:*:*:*:*:*
cpe:2.3:o:paloaltonetworks:pan-os:10.1.6:h7:*:*:*:*:*:*
cpe:2.3:o:paloaltonetworks:pan-os:10.1.6:h6:*:*:*:*:*:*
cpe:2.3:o:paloaltonetworks:pan-os:10.1.6:h5:*:*:*:*:*:*
cpe:2.3:o:paloaltonetworks:pan-os:10.1.6:h4:*:*:*:*:*:*
cpe:2.3:o:paloaltonetworks:pan-os:10.1.6:h3:*:*:*:*:*:*
cpe:2.3:o:paloaltonetworks:pan-os:10.1.6:h2:*:*:*:*:*:*
cpe:2.3:o:paloaltonetworks:pan-os:10.1.6:h1:*:*:*:*:*:*
cpe:2.3:o:paloaltonetworks:pan-os:10.1.6:-:*:*:*:*:*:*
cpe:2.3:o:paloaltonetworks:pan-os:10.1.5:h4:*:*:*:*:*:*
cpe:2.3:o:paloaltonetworks:pan-os:10.1.5:h3:*:*:*:*:*:*
cpe:2.3:o:paloaltonetworks:pan-os:10.1.5:h2:*:*:*:*:*:*
cpe:2.3:o:paloaltonetworks:pan-os:10.1.5:h1:*:*:*:*:*:*
cpe:2.3:o:paloaltonetworks:pan-os:10.1.5:-:*:*:*:*:*:*
cpe:2.3:o:paloaltonetworks:pan-os:10.1.4:h6:*:*:*:*:*:*
cpe:2.3:o:paloaltonetworks:pan-os:10.1.4:h5:*:*:*:*:*:*
cpe:2.3:o:paloaltonetworks:pan-os:10.1.4:h4:*:*:*:*:*:*
cpe:2.3:o:paloaltonetworks:pan-os:10.1.4:h3:*:*:*:*:*:*
cpe:2.3:o:paloaltonetworks:pan-os:10.1.4:h2:*:*:*:*:*:*
cpe:2.3:o:paloaltonetworks:pan-os:10.1.4:h1:*:*:*:*:*:*
cpe:2.3:o:paloaltonetworks:pan-os:10.1.4:-:*:*:*:*:*:*
cpe:2.3:o:paloaltonetworks:pan-os:10.1.3:h3:*:*:*:*:*:*
cpe:2.3:o:paloaltonetworks:pan-os:10.1.3:h2:*:*:*:*:*:*
cpe:2.3:o:paloaltonetworks:pan-os:10.1.3:h1:*:*:*:*:*:*
cpe:2.3:o:paloaltonetworks:pan-os:10.1.3:-:*:*:*:*:*:*
cpe:2.3:o:paloaltonetworks:pan-os:10.1.2:-:*:*:*:*:*:*
cpe:2.3:o:paloaltonetworks:pan-os:10.1.1:-:*:*:*:*:*:*
cpe:2.3:o:paloaltonetworks:pan-os:10.1.0:-:*:*:*:*:*:*
cpe:2.3:o:paloaltonetworks:pan-os:10.1:-:*:*:*:*:*:*
Show More Show Less