Palo Alto Networks Security Advisories / PAN-SA-2015-0006

PAN-SA-2015-0006 API key automatic revocation

047910
Severity 2.2 · LOW
Attack Vector NETWORK
Scope UNCHANGED
Attack Complexity HIGH
Confidentiality Impact NONE
Privileges Required HIGH
Integrity Impact LOW
User Interaction NONE
Availability Impact NONE

Description

An issue has been identified in PAN-OS that prevents old management API keys for local administrator accounts from being invalidated upon password change until the device is rebooted. This issue can create a period of time during which an administrator changes the account password, thus creating a new API key, but the old API key is still valid until device reboot.

This issue affects the management interface of the device. Network security best practices suggest administering security devices from an out-of-band network, reducing the exposed attack surface.

This issue affects PAN-OS versions prior to PAN-OS 7.0.2 and PAN-OS 6.1.7.

Product Status

Versions      Affected    Unaffected
PAN-OS 7.0    <= 7.0.1    >= 7.0.2
PAN-OS 6.1    <= 6.1.6    >= 6.1.7

Severity:LOW

CVSSv3.1 Base Score:2.2 (CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:N/I:L/A:N)

Weakness Type

Solution

PAN-OS 7.0.2, PAN-OS 6.1.7 and subsequent releases.

Workarounds and Mitigations

This issue only affects local device administrator accounts, not remote accounts such as LDAP or RADIUS. Administrators are advised to upgrade to PAN-OS 7.0.2 or 6.1.7 to correct the issue. As a mitigation for affected software versions, administrators may restart the management server of the device after administrator account password changes using the CLI command below:

> debug software restart process management-server
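The following is an added verification helper written for this advisory; it is not Palo Alto Networks code. After a local administrator's password has been changed (and, on affected versions, after the management server has been restarted), it confirms that the key generated under the old password is no longer accepted. It assumes the PAN-OS XML API's `type=keygen` and `type=op` request forms and the `<response status="...">` envelope of its replies; the sample XML bodies used for the offline check are constructed, not captured from a device.

```python
"""Verify that an old PAN-OS management API key is rejected after a password change.

Added example for PAN-SA-2015-0006 (not Palo Alto Networks code). Assumes the
PAN-OS XML API (https://<host>/api/?type=keygen ... and ?type=op ...) and its
<response status="success|error"> reply format. Sample responses below are
constructed for the offline checks.
"""
import ssl
import urllib.parse
import urllib.request
import xml.etree.ElementTree as ET
from typing import Optional, Tuple

# Constructed sample replies, shaped like the PAN-OS XML API envelope.
KEYGEN_RESPONSE = (
    '<response status="success"><result><key>EXAMPLEKEY-constructed</key>'
    "</result></response>"
)
ACCEPTED_RESPONSE = (
    '<response status="success"><result><system><hostname>fw-lab</hostname>'
    "</system></result></response>"
)
REJECTED_RESPONSE = (
    '<response status="error" code="403"><result><msg>Invalid credentials.</msg>'
    "</result></response>"
)


def parse_api_response(xml_text: str) -> Tuple[bool, str]:
    """Return (accepted, message) for an XML API reply; accepted is True on status="success"."""
    root = ET.fromstring(xml_text)
    accepted = root.get("status") == "success"
    msg_el = root.find(".//msg")
    msg = msg_el.text.strip() if msg_el is not None and msg_el.text else ""
    return accepted, msg


def extract_key(xml_text: str) -> Optional[str]:
    """Pull the API key out of a keygen reply, or None if it carries no key."""
    key_el = ET.fromstring(xml_text).find("./result/key")
    return key_el.text if key_el is not None else None


def assess_rotation(old_key_accepted: bool, new_key_accepted: bool) -> str:
    """Classify the post-change state: the old key must be rejected, the new one accepted."""
    if new_key_accepted and not old_key_accepted:
        return "ok: old key revoked, new key valid"
    if old_key_accepted:
        # The state described in the advisory on unpatched versions before a
        # management-server restart or reboot.
        return "stale-key-still-valid: restart management-server or upgrade, then re-check"
    return "new-key-rejected: check the new credentials before drawing conclusions"


def _api_get(host: str, params: dict, cafile: Optional[str] = None) -> str:
    """Perform one GET against the XML API with TLS verification on (cafile for private CAs)."""
    url = f"https://{host}/api/?{urllib.parse.urlencode(params)}"
    ctx = ssl.create_default_context(cafile=cafile)
    with urllib.request.urlopen(url, context=ctx, timeout=15) as resp:
        return resp.read().decode("utf-8", errors="replace")


def key_is_accepted(host: str, api_key: str, cafile: Optional[str] = None) -> bool:
    """Send a read-only 'show system info' with the key and report whether it was accepted."""
    body = _api_get(host, {"type": "op", "cmd": "<show><system><info></system></show>",
                           "key": api_key}, cafile)
    return parse_api_response(body)[0]


def generate_key(host: str, user: str, password: str, cafile: Optional[str] = None) -> Optional[str]:
    """Request a fresh key for the (already changed) password."""
    return extract_key(_api_get(host, {"type": "keygen", "user": user, "password": password}, cafile))


if __name__ == "__main__":
    # Offline dry run on the constructed replies; on a real device pair
    # generate_key() with key_is_accepted() for the old and the new key.
    old_ok = parse_api_response(ACCEPTED_RESPONSE)[0]   # old key still answered "success"
    new_ok = extract_key(KEYGEN_RESPONSE) is not None
    print(assess_rotation(old_ok, new_ok))
```

Run it against a lab device by calling `generate_key()` with the new password, then `key_is_accepted()` once with the key issued before the change and once with the new key, and feed both results to `assess_rotation()`; a "stale-key-still-valid" verdict means the restart above (or the upgrade) is still needed, and the check should be repeated afterwards.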

Acknowledgments

Raul Garcia, Dell SecureWorks
© 2022 Palo Alto Networks, Inc. All rights reserved.