PAN-SA-2016-0007 User-ID Agent API Access
The Palo Alto Networks User-ID agent for Windows implements an API to retrieve the agent’s configuration. This TLS-secured API call returns encrypted credentials to the domain account configured on the User-ID agent, which has read-only rights for Security Event Logs on Domain Controllers. Anyone with access to the User-ID agent Service TCP port can retrieve this encrypted password by invoking this API. (Ref #93349)
Only users who possess network level access to the User-ID agent Service TCP port can invoke this API.
This issue affects Windows devices running all versions of User-ID agent up to 7.0.3
|User-ID Agent 7.0
|>= 7.0.4 on Windows
CVSSv3.1 Base Score: 5.3 (CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:C/C:H/I:N/A:N)
User-ID agent 7.0.4 and later releases
Workarounds and Mitigations
Only users on the network can access the User-ID agent Service TCP port and make this API call. Palo Alto Networks recommends that the host running the User-ID agent and the Domain Controllers share the same network-level access restrictions. The User-ID agent should be able to reach only the Domain Controllers and only accessible by Palo Alto Networks firewalls to prevent direct access by malevolent entities.