Palo Alto Networks Security Advisories / PAN-SA-2016-0029

PAN-SA-2016-0029 Insecure Server Configuration

Severity: 8.8 · HIGH
Attack Vector: NETWORK
Attack Complexity: LOW
Privileges Required: NONE
User Interaction: REQUIRED
Scope: UNCHANGED
Confidentiality Impact: HIGH
Integrity Impact: HIGH
Availability Impact: HIGH

Description

An incorrect Web management server configuration was identified in PAN-OS. (Ref # PAN-52038/86767).

This post-authentication issue affects the management interface of the device, where an incorrect configuration could lead to JavaScript execution.

This issue affects PAN-OS 5.0.19 and earlier; PAN-OS 5.1.12 and earlier; PAN-OS 6.0.14 and earlier; PAN-OS 6.1.12 and earlier; PAN-OS 7.0.7 and earlier.

Product Status

PAN-OS

Version   Affected     Unaffected
7.0       <= 7.0.7     >= 7.0.8
6.1       <= 6.1.12    >= 6.1.13
6.0       <= 6.0.14    >= 6.0.15
5.1       <= 5.1.12    >= 5.1.13
5.0       <= 5.0.19    >= 5.0.20
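The following is an added example, not part of the Palo Alto Networks advisory: a small check that turns the Product Status table above into a function a vulnerability-management script can call against a firewall inventory. The hostnames and version strings in the sample inventory are constructed, and stripping a "-hN" hotfix suffix before comparing is an assumption of this example.

```python
from typing import Dict, List, Optional, Tuple

# First fixed release per release train, taken from the advisory's
# Product Status table (anything below the value is affected).
FIXED_IN: Dict[Tuple[int, int], Tuple[int, int, int]] = {
    (7, 0): (7, 0, 8),
    (6, 1): (6, 1, 13),
    (6, 0): (6, 0, 15),
    (5, 1): (5, 1, 13),
    (5, 0): (5, 0, 20),
}


def parse_version(text: str) -> Tuple[int, int, int]:
    """Parse 'major.minor.patch' (e.g. '7.0.7'). A hotfix suffix such as
    '-h2' is dropped (assumption: the table lists only base releases, and a
    hotfix on an affected base release is still below the fixed release)."""
    base = text.strip().split("-", 1)[0]
    parts = base.split(".")
    if len(parts) != 3 or not all(p.isdigit() for p in parts):
        raise ValueError(f"unrecognised PAN-OS version: {text!r}")
    major, minor, patch = (int(p) for p in parts)
    return major, minor, patch


def is_affected(text: str) -> Optional[bool]:
    """True if the version is in an affected range, False if it is at or
    above the fixed release, None if its release train is not covered by
    the advisory (e.g. a train newer than 7.0), which should be reviewed
    separately rather than assumed safe."""
    major, minor, patch = parse_version(text)
    fixed = FIXED_IN.get((major, minor))
    if fixed is None:
        return None
    return (major, minor, patch) < fixed


def affected_hosts(inventory: Dict[str, str]) -> List[str]:
    """Return the hostnames whose PAN-OS version is affected, sorted."""
    return sorted(host for host, ver in inventory.items() if is_affected(ver))


# Constructed sample inventory (hostname -> reported PAN-OS version).
SAMPLE_INVENTORY = {
    "fw-edge-1": "7.0.7",
    "fw-edge-2": "7.0.8",
    "fw-dc-1": "6.1.12-h1",
    "fw-dc-2": "6.0.15",
    "fw-lab": "8.0.0",
}
```

Hosts whose train returns None are not reported as affected, so a caller that wants a conservative answer should list them for manual review.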

Severity: HIGH

CVSSv3.1 Base Score: 8.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H)

Weakness Type

Solution

PAN-OS 5.0.20 and later; PAN-OS 5.1.13 and later; PAN-OS 6.0.15 and later; PAN-OS 6.1.13 and later; PAN-OS 7.0.8 and later

Workarounds and Mitigations

This issue is exposed only to authenticated users of the web interface. Palo Alto Networks recommends implementing best practices: allow management access only from a restricted set of IP addresses, and dedicate management of the device to the management interface only.

Acknowledgments

ringzero
© 2020 Palo Alto Networks, Inc. All rights reserved.