Palo Alto Networks Security Advisories / PAN-SA-2016-0024

PAN-SA-2016-0024 Web interface denial of service

Severity 5.3 · MEDIUM
Attack Vector NETWORK
Attack Complexity LOW
Privileges Required NONE
User Interaction NONE
Scope UNCHANGED
Confidentiality Impact NONE
Integrity Impact NONE
Availability Impact LOW

Description

Palo Alto Networks firewalls offer a web interface to manage all aspects of the device. A denial of service condition was identified in this process (Ref # 89984).

A third party could remotely disrupt the web management process and cause a management delay before the device resumes normal management operations.

This issue affects PAN-OS 5.1.11 and earlier; PAN-OS 6.0.13 and earlier; PAN-OS 6.1.12 and earlier; PAN-OS 7.0.8 and earlier; PAN-OS 7.1.2 and earlier.

Product Status

Versions      Affected      Unaffected
PAN-OS 7.1    <= 7.1.2      >= 7.1.3
PAN-OS 7.0    <= 7.0.8      >= 7.0.9
PAN-OS 6.1    <= 6.1.12     >= 6.1.13
PAN-OS 6.0    <= 6.0.13     >= 6.0.14
PAN-OS 5.1    <= 5.1.11     >= 5.1.12

Severity: MEDIUM

CVSSv3.1 Base Score: 5.3 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L)

Weakness Type

Solution

PAN-OS 5.1.12 and later; PAN-OS 6.0.14 and later; PAN-OS 6.1.13 and later; PAN-OS 7.0.9 and later; PAN-OS 7.1.3 and later

Workarounds and Mitigations

Palo Alto Networks recommends implementing a best practice of allowing web interface access only to a dedicated management network. Additionally, restrict the set of IP addresses to a subset of authorized sources that you allow to interact with the management network.
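
The following Python is an added example, not part of the Palo Alto Networks advisory: it triages a device inventory against the Product Status ranges above and flags web interface source ranges that fall outside a dedicated management network. The inventory format, device names, addresses, the management network 10.20.0.0/24 and the handling of hotfix suffixes are assumptions made for illustration.

```python
import ipaddress
import re

# Last affected maintenance release per branch, from the Product Status table.
LAST_AFFECTED = {(7, 1): 2, (7, 0): 8, (6, 1): 12, (6, 0): 13, (5, 1): 11}

def version_status(version):
    """Return 'affected', 'fixed' or 'not-listed' for a PAN-OS version string."""
    # Assumption: a hotfix build such as "7.0.8-h1" is judged by its base release.
    m = re.fullmatch(r"(\d+)\.(\d+)\.(\d+)(?:-[A-Za-z0-9.]+)?", version.strip())
    if not m:
        raise ValueError(f"unrecognised PAN-OS version: {version!r}")
    major, minor, maint = map(int, m.groups())
    last = LAST_AFFECTED.get((major, minor))
    if last is None:
        return "not-listed"  # branch absent from the table: do not guess
    return "affected" if maint <= last else "fixed"

def sources_outside(permitted, mgmt_net):
    """Return permitted web interface sources not contained in mgmt_net."""
    # Assumption of this inventory format: an empty list means no restriction
    # was recorded, so it is reported as "any" rather than as compliant.
    if not permitted:
        return ["any"]
    net = ipaddress.ip_network(mgmt_net)
    outside = []
    for src in permitted:
        src_net = ipaddress.ip_network(src, strict=False)
        if src_net.version != net.version or not src_net.subnet_of(net):
            outside.append(src)
    return outside

def triage(inventory, mgmt_net):
    """Map each device name to (version status, sources outside mgmt_net)."""
    return {d["name"]: (version_status(d["version"]),
                        sources_outside(d["permitted"], mgmt_net))
            for d in inventory}

# Constructed inventory; names, versions and addresses are made up.
INVENTORY = [
    {"name": "fw-a", "version": "7.1.2", "permitted": ["10.20.0.0/24"]},
    {"name": "fw-b", "version": "6.1.13", "permitted": ["10.20.0.15", "0.0.0.0/0"]},
    {"name": "fw-c", "version": "7.0.8-h1", "permitted": []},
]

if __name__ == "__main__":
    for name, (status, outside) in triage(INVENTORY, "10.20.0.0/24").items():
        print(f"{name}: {status}; sources outside management network: {outside or 'none'}")
```

Branches that do not appear in the Product Status table are reported as not-listed and need a manual check against the advisory text.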

Acknowledgments

Itzik Chen
© 2020 Palo Alto Networks, Inc. All rights reserved.