PAN-SA-2016-0016 Web Interface Privilege Escalation
Palo Alto Networks Panorama administrators have the ability to assign predefined permissions to users created on PAN-OS. A read-only user with CLI access could elevate web interface privileges. (Ref. 88191)
A user could elevate privileges by impersonating another user with higher permissions.
This issue affects PAN-OS 5.0.18 and earlier; PAN-OS 5.1.11 and earlier; PAN-OS 6.0.13 and earlier; PAN-OS 6.1.10 and earlier; PAN-OS 7.0.4 and earlier.
|Versions||Affected||Unaffected|
|PAN-OS 7.0||<= 7.0.4||>= 7.0.5|
|PAN-OS 6.1||<= 6.1.10||>= 6.1.11|
|PAN-OS 6.0||<= 6.0.13||>= 6.0.14|
|PAN-OS 5.1||<= 5.1.11||>= 5.1.12|
|PAN-OS 5.0||<= 5.0.18||>= 5.0.19|
CVSSv3.1 Base Score: 7.8 (CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H)
Unaffected versions: PAN-OS 5.0.19 and later; PAN-OS 5.1.12 and later; PAN-OS 6.0.14 and later; PAN-OS 6.1.11 and later; PAN-OS 7.0.5 and later.
Workarounds and Mitigations
Customers running versions of Panorama affected by this issue could create a custom admin role that does not allow CLI access to avoid any privilege escalation. Firewalls running PAN-OS are not affected by this issue.
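The version table and the Panorama-only scope above can be applied to a device inventory as follows. This is an added example, not part of the original advisory or any Palo Alto Networks tooling; the hostnames, the `platform` values ("panorama" / "firewall") and the `-hN` hotfix suffix format are assumptions.

```python
import re

# First unaffected release per branch, taken from the advisory's version table.
FIXED = {
    (5, 0): (5, 0, 19),
    (5, 1): (5, 1, 12),
    (6, 0): (6, 0, 14),
    (6, 1): (6, 1, 11),
    (7, 0): (7, 0, 5),
}

# Assumption: versions look like "6.1.10" or "6.1.10-h2" (hotfix suffix).
VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:-h\d+)?$")


def triage(platform, version):
    """Return 'affected', 'unaffected' or 'unknown' for one device."""
    # The advisory states that firewalls running PAN-OS are not affected.
    if platform.strip().lower() != "panorama":
        return "unaffected"
    m = VERSION_RE.match(version.strip())
    if not m:
        return "unknown"  # unparseable version string: review manually
    release = tuple(int(g) for g in m.groups())
    fixed = FIXED.get(release[:2])
    if fixed is None:
        return "unknown"  # branch is not listed in the advisory
    # A hotfix build of an affected release still sorts below the fixed release.
    return "affected" if release < fixed else "unaffected"


def report(inventory):
    """Map each hostname to its triage status."""
    return {host: triage(platform, version) for host, platform, version in inventory}


# Constructed inventory (hypothetical hostnames), not real devices.
INVENTORY = [
    ("pano-dc1", "panorama", "7.0.4"),
    ("pano-dc2", "panorama", "6.1.10-h2"),
    ("pano-lab", "panorama", "6.0.14"),
    ("fw-edge1", "firewall", "6.0.13"),
    ("pano-new", "panorama", "7.1.0"),
]

if __name__ == "__main__":
    for host, status in report(INVENTORY).items():
        print(f"{host:10} {status}")
```

Devices reported as `unknown` run a branch the advisory does not list or have a version string the parser does not recognise, so they need a manual check rather than being assumed safe.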