Palo Alto Networks Security Advisories / PAN-SA-2016-0007

PAN-SA-2016-0007 User-ID API Access

Severity 5.3 · MEDIUM
Attack Vector LOCAL
Attack Complexity HIGH
Privileges Required HIGH
User Interaction NONE
Scope CHANGED
Confidentiality Impact HIGH
Integrity Impact NONE
Availability Impact NONE

Description

The Palo Alto Networks User-ID agent for Windows implements an API to retrieve the agent’s configuration. This TLS-secured API call returns the encrypted credentials of the domain account configured on the User-ID agent, an account that has read-only rights to the Security Event Logs on Domain Controllers. Anyone with access to the User-ID agent Service TCP port can retrieve this encrypted password by invoking the API. (Ref #93349)

Only users who possess network level access to the User-ID agent Service TCP port can invoke this API.

This issue affects Windows devices running all versions of the User-ID agent up to and including 7.0.3.

Product Status

Versions             | Affected  | Unaffected
User-ID agent 7.0    | <= 7.0.3  | >= 7.0.4 on Windows

Severity: MEDIUM

CVSSv3.1 Base Score: 5.3 (CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:C/C:H/I:N/A:N)

Weakness Type

Solution

User-ID agent 7.0.4 and later releases

Workarounds and Mitigations

Only users with network-level access to the User-ID agent Service TCP port can make this API call. Palo Alto Networks recommends that the host running the User-ID agent and the Domain Controllers share the same network-level access restrictions: the User-ID agent should be able to reach only the Domain Controllers, and it should be accessible only by Palo Alto Networks firewalls, so that untrusted parties cannot connect to it directly.
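The following is an added example (not part of the advisory, and not Palo Alto Networks code) of how an administrator could enforce the inbound half of that recommendation on the agent host itself with the Windows Firewall: the agent's service port becomes reachable only from the firewalls' addresses, any pre-existing rule that opened the port to every remote address is removed, and an audit function reports whether the port is still exposed. The firewall and Domain Controller addresses are constructed sample values, and the port number is an assumption (5007 is the agent's default service port; confirm it in your own agent setup). The outbound restriction toward the Domain Controllers is left to the network ACLs, since a host-wide outbound deny would affect far more than the agent.

```powershell
# Added example, not from the advisory. Run as Administrator on the
# User-ID agent host. Addresses below are CONSTRUCTED placeholders.

# ASSUMPTION: the agent's listening TCP port. 5007 is the default service
# port; verify against the User-ID agent configuration on this host.
$AgentPort = 5007

# CONSTRUCTED: management addresses of the firewalls allowed to query the agent.
$FirewallAddrs = @('10.0.0.10', '10.0.0.11')

# Returns $true when no enabled inbound allow rule exposes TCP $Port (or all
# TCP ports) to any remote address; used both to audit and to confirm the fix.
function Test-AgentPortScoped {
  param([int]$Port)
  $exposed = Get-NetFirewallRule -Direction Inbound -Action Allow -Enabled True |
    Where-Object {
      $pf = $_ | Get-NetFirewallPortFilter
      $af = $_ | Get-NetFirewallAddressFilter
      $pf.Protocol -eq 'TCP' -and
      (($pf.LocalPort -contains "$Port") -or ($pf.LocalPort -contains 'Any')) -and
      ($af.RemoteAddress -contains 'Any')
    }
  return ($null -eq $exposed)
}

# 1. Block unsolicited inbound traffic by default on every profile, so the
#    scoped allow rule below is the only path to the agent port.
Set-NetFirewallProfile -Profile Domain,Private,Public -DefaultInboundAction Block

# 2. Remove enabled allow rules that open the agent port to every remote
#    address (for example one created at install time). Windows Firewall
#    honours the union of allow rules, so a broad rule would undo the scoping.
Get-NetFirewallRule -Direction Inbound -Action Allow -Enabled True |
  Where-Object {
    $pf = $_ | Get-NetFirewallPortFilter
    $af = $_ | Get-NetFirewallAddressFilter
    $pf.Protocol -eq 'TCP' -and
    ($pf.LocalPort -contains "$AgentPort") -and
    ($af.RemoteAddress -contains 'Any')
  } |
  Remove-NetFirewallRule

# 3. Allow inbound connections to the agent port only from the firewalls.
New-NetFirewallRule -DisplayName 'PAN User-ID agent: firewalls only' `
  -Direction Inbound -Protocol TCP -LocalPort $AgentPort `
  -RemoteAddress $FirewallAddrs -Action Allow -Profile Any

# 4. Confirm the port is no longer reachable from arbitrary addresses.
if (Test-AgentPortScoped -Port $AgentPort) {
  Write-Output "TCP $AgentPort is scoped to the firewall addresses only."
} else {
  Write-Warning "TCP $AgentPort is still exposed to any remote address; review rules."
}
```

Test-AgentPortScoped can be run on its own as a periodic check, since a later installer or administrator change that re-opens the port will flip its result back to $false.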

Acknowledgments

Felix Wilhelm, ERNW Research

© 2020 Palo Alto Networks, Inc. All rights reserved.