Palo Alto Networks Security Advisories / PAN-SA-2016-0008

PAN-SA-2016-0008 PAN-OS API denial of service


Severity 5.3 · MEDIUM
Attack Vector NETWORK
Attack Complexity LOW
Privileges Required NONE
User Interaction NONE
Scope UNCHANGED
Confidentiality Impact NONE
Integrity Impact NONE
Availability Impact LOW

Description

Palo Alto Networks firewalls offer an API to query and modify the configuration of the device. While access to this API is protected by the use of an API key, an issue was recently identified leading to a potential unauthenticated denial of service attack. (Ref #91728)

The API is hosted on a dedicated management interface and, while this issue can result in a DoS attack of the API, it doesn’t compromise the security functionality of the device.

This issue affects PAN-OS 7.0.1 to PAN-OS 7.0.7

Product Status

PAN-OS

VersionsAffectedUnaffected
7.0>= 7.0.1,<= 7.0.7>= 7.0.8

Severity: MEDIUM

CVSSv3.1 Base Score: 5.3 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L)

Solution

PAN-OS 7.0.8 and later

Workarounds and Mitigations

Exploitation of this issue is only available to personnel with access to the management interface on the device. Palo Alto Networks recommends the following best practice implementation: deploy the management interface on an out-of-band network and separate from inline traffic processing.

Acknowledgements

Tenable Network Security
© 2020 Palo Alto Networks, Inc. All rights reserved.