PAN-SA-2015-0006 API key automatic revocation
An issue has been identified in PAN-OS that prevents old management API keys for local administrator accounts from being invalidated upon password change until the device is rebooted. This creates a window after an administrator changes the account password (which generates a new API key) during which the old API key remains valid until the device is rebooted.
This issue affects the management interface of the device. Network security best practices suggest administering security devices from an out-of-band network, reducing the exposed attack surface.
This issue affects PAN-OS versions prior to PAN-OS 7.0.2 and PAN-OS 6.1.7.

| Versions | Affected | Unaffected |
|---|---|---|
| PAN-OS 7.0 | <= 7.0.1 | >= 7.0.2 |
| PAN-OS 6.1 | <= 6.1.6 | >= 6.1.7 |
CVSSv3.1 Base Score: 2.2 (CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:N/I:L/A:N)
This issue is fixed in PAN-OS 7.0.2, PAN-OS 6.1.7 and subsequent releases.
Workarounds and Mitigations
This issue only affects local device administrator accounts, not remotely authenticated accounts such as LDAP or RADIUS. Administrators are advised to upgrade to PAN-OS 7.0.2 or 6.1.7 to correct the issue. As a mitigation for affected software versions, administrators may restart the management server of the device after administrator account password changes using the following CLI command:
> debug software restart process management-server
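A check that closes the loop on the mitigation above: after rotating a local administrator's password (and restarting the management server on an affected release), confirm that the key minted before the rotation is actually rejected. The script below is an added example, not Palo Alto Networks code. It assumes the PAN-OS XML API as documented for these releases (`/api/?type=keygen&user=...&password=...` returns a key, and an `op` request made with a revoked key answers with `status="error"`); the host name, user, key values and the exact text of the error message are placeholders or constructed samples. A `make_fake_fetch` stand-in models an unpatched device (stale key still accepted) and a fixed one so the logic runs offline.

```python
"""Post-rotation check for PAN-SA-2015-0006: is the OLD API key really dead?

Added example, not Palo Alto Networks code. Assumes the PAN-OS XML API shape
of that era: type=keygen mints a key; an op call with a revoked key returns
status="error" (observed as code 403 / "Invalid Credential"; exact text is an
assumption). FIREWALL, user names and key strings are placeholders.
"""
import ssl
import urllib.parse
import urllib.request
import xml.etree.ElementTree as ET
from typing import Callable, Optional, Tuple

FIREWALL = "firewall.example.invalid"  # placeholder management address (assumption)

# Constructed responses shaped like the XML API's real ones (exact text is an assumption).
RESP_KEY_OK = ('<response status="success"><result>'
               '<key>LUFRPT-constructed-key</key></result></response>')
RESP_OP_OK = ('<response status="success"><result><system>'
              '<hostname>fw</hostname></system></result></response>')
RESP_DENIED = ('<response status="error" code="403"><result>'
               '<msg>Invalid Credential</msg></result></response>')


def parse_api_response(body: str) -> Tuple[str, Optional[str]]:
    """Return (status, key or error message) from a PAN-OS XML API reply."""
    root = ET.fromstring(body)
    status = root.get("status", "")
    key = root.findtext("./result/key")
    return status, key if key is not None else root.findtext("./result/msg")


def keygen_url(host: str, user: str, password: str) -> str:
    """URL that mints a key for user/password; a password change implicitly produces a new one."""
    q = urllib.parse.urlencode({"type": "keygen", "user": user, "password": password})
    return f"https://{host}/api/?{q}"


def op_url(host: str, key: str) -> str:
    """Harmless read-only op call; its only purpose is to learn whether the key is accepted."""
    q = urllib.parse.urlencode({"type": "op",
                                "cmd": "<show><system><info></info></system></show>",
                                "key": key})
    return f"https://{host}/api/?{q}"


def https_fetch(url: str, cafile: Optional[str] = None) -> str:
    """Real fetch. TLS verification stays on; pass the CA that signed the management cert."""
    ctx = ssl.create_default_context(cafile=cafile)
    with urllib.request.urlopen(url, context=ctx, timeout=15) as resp:
        return resp.read().decode()


def old_key_still_valid(old_key: str, host: str = FIREWALL,
                        fetch: Callable[[str], str] = https_fetch) -> bool:
    """True when the pre-rotation key is still accepted, i.e. the stale-key window is open."""
    status, _ = parse_api_response(fetch(op_url(host, old_key)))
    return status == "success"


def revocation_report(old_key: str, host: str = FIREWALL,
                      fetch: Callable[[str], str] = https_fetch) -> str:
    """One-line verdict for the operator running the post-rotation check."""
    if old_key_still_valid(old_key, host, fetch):
        return ("STALE: old key still accepted; restart management-server or upgrade "
                "(PAN-SA-2015-0006)")
    return "OK: old key rejected"


def make_fake_fetch(stale_key_accepted: bool, old_key: str) -> Callable[[str], str]:
    """Offline stand-in for https_fetch: models an unpatched (True) or fixed (False) device."""
    def fetch(url: str) -> str:
        params = urllib.parse.parse_qs(urllib.parse.urlsplit(url).query)
        if params.get("type") == ["keygen"]:
            return RESP_KEY_OK
        presented = params.get("key", [""])[0]
        if presented == old_key:
            return RESP_OP_OK if stale_key_accepted else RESP_DENIED
        return RESP_OP_OK  # any other (current) key is accepted
    return fetch


if __name__ == "__main__":
    # "OLD" stands for the key that existed before the password change (constructed).
    for patched in (False, True):
        print("patched" if patched else "unpatched", "->",
              revocation_report("OLD", fetch=make_fake_fetch(not patched, "OLD")))
```

Against a real device, call `revocation_report(<old key>, <host>, fetch=lambda u: https_fetch(u, cafile="/path/to/mgmt-ca.pem"))` right after the password change; a `STALE` verdict on an affected release means the management server still needs the restart from the advisory.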