Palo Alto Networks Security Advisories / PAN-SA-2015-0006

PAN-SA-2015-0006 API key automatic revocation

Severity 2.2 · LOW
Attack Vector NETWORK
Attack Complexity HIGH
Privileges Required HIGH
User Interaction NONE
Scope UNCHANGED
Confidentiality Impact NONE
Integrity Impact LOW
Availability Impact NONE

Description

An issue has been identified in PAN-OS that prevents old management API keys for local administrator accounts from being invalidated upon password change until the device is rebooted. This creates a window in which an administrator has changed the account password, and a new API key has been generated, but the old API key remains valid until the device is rebooted.

This issue affects the management interface of the device. Network security best practices suggest administering security devices from an out-of-band network, reducing the exposed attack surface.

This issue affects PAN-OS versions prior to PAN-OS 7.0.2 and PAN-OS 6.1.7.

Product Status

Versions      Affected    Unaffected
PAN-OS 7.0    <= 7.0.1    >= 7.0.2
PAN-OS 6.1    <= 6.1.6    >= 6.1.7

Severity: LOW

CVSSv3.1 Base Score: 2.2 (CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:N/I:L/A:N)

Weakness Type

Solution

This issue is fixed in PAN-OS 7.0.2, PAN-OS 6.1.7 and all subsequent releases.

Workarounds and Mitigations

This issue only affects local device administrator accounts, not remote accounts such as LDAP or RADIUS. Administrators are advised to upgrade to PAN-OS 7.0.2 or 6.1.7 to correct the issue. As a mitigation for affected software versions, administrators may restart the management server of the device after administrator account password changes using the following CLI command:

> debug software restart process management-server
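After a password change (and the upgrade or management-server restart above), the expected state is that the new API key works and the old one is rejected. The following helper, added here and not part of the advisory or of Palo Alto Networks' tooling, probes both keys with a read-only operational command and reports which one the device still accepts; the host name, the `show clock` probe command, the injected `fetch` callable and the canned 403 response body are assumptions, while `type=op`, `cmd` and `key` are the documented PAN-OS XML API parameters.

```python
"""Check whether a stale PAN-OS API key is still accepted after rotation.

rotation_result() returns {"old_key_accepted": ..., "new_key_accepted": ...};
on a fixed device (or after restarting the management server) the old key
must be rejected. Network I/O is injected via fetch(url) so the logic can be
exercised offline against the constructed responses below.
"""
import urllib.parse
import xml.etree.ElementTree as ET
from typing import Callable, Dict, Optional, Set, Tuple

PROBE_CMD = "<show><clock></clock></show>"  # assumed harmless read-only op command

def op_url(host: str, key: str, cmd: str = PROBE_CMD) -> str:
    """Operational-command request authenticated with an API key."""
    query = urllib.parse.urlencode({"type": "op", "cmd": cmd, "key": key})
    return f"https://{host}/api/?{query}"

def parse_status(xml_text: str) -> Tuple[str, Optional[str]]:
    """(status, code) from the <response> envelope; status is success|error."""
    root = ET.fromstring(xml_text)
    return root.get("status", ""), root.get("code")

def rotation_result(host: str, old_key: str, new_key: str,
                    fetch: Callable[[str], str]) -> Dict[str, bool]:
    """Probe both keys; fetch(url) performs the HTTPS GET and returns the body."""
    def accepted(key: str) -> bool:
        return parse_status(fetch(op_url(host, key)))[0] == "success"
    return {"old_key_accepted": accepted(old_key),
            "new_key_accepted": accepted(new_key)}

# Constructed response bodies (not captured from a device) for offline use.
OK_BODY = ('<response status="success"><result>'
           '<time>2015-01-01 00:00:00</time></result></response>')
DENIED_BODY = ('<response status="error" code="403">'
               '<result><msg>Invalid Credential</msg></result></response>')

def canned_firewall(valid_keys: Set[str]) -> Callable[[str], str]:
    """Fake device that honours exactly valid_keys. An unpatched device is
    modelled by leaving the previous key in the set, as the advisory describes."""
    def fetch(url: str) -> str:
        key = urllib.parse.parse_qs(urllib.parse.urlparse(url).query)["key"][0]
        return OK_BODY if key in valid_keys else DENIED_BODY
    return fetch

if __name__ == "__main__":
    unpatched = canned_firewall({"OLDKEY", "NEWKEY"})   # stale key still valid
    patched = canned_firewall({"NEWKEY"})               # only current key valid
    print("unpatched:", rotation_result("fw.example", "OLDKEY", "NEWKEY", unpatched))
    print("patched:  ", rotation_result("fw.example", "OLDKEY", "NEWKEY", patched))
```

Against a real device, replace `canned_firewall(...)` with a function that performs the HTTPS GET (for example with `urllib.request`) and returns the response body.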

Acknowledgments

Raul Garcia, Dell SecureWorks

© 2020 Palo Alto Networks, Inc. All rights reserved.