PAN-SA-2016-0032 Insecure Browser API Token Generation
Attack Vector: NETWORK
Attack Complexity: HIGH
Privileges Required: NONE
User Interaction: REQUIRED
Scope: UNCHANGED
Confidentiality Impact: HIGH
Integrity Impact: HIGH
Availability Impact: NONE
Description
The API browser on Palo Alto Networks firewalls does not handle REST API tokens securely. In a specific scenario, an attacker could steal the authentication token and use it to make calls to the firewall's API. (Ref # PAN-61046/PAN-100428)
This is a post-authentication issue: the attacker must already have access to a logged-in administrator's browser.
This issue affects PAN-OS 5.0.19 and earlier, PAN-OS 5.1.12 and earlier, PAN-OS 6.0.14 and earlier, PAN-OS 6.1.14 and earlier, PAN-OS 7.0.10 and earlier, and PAN-OS 7.1.4 and earlier.
Product Status
Versions | Affected | Unaffected |
---|---|---|
PAN-OS 7.1 | <= 7.1.4 | >= 7.1.5 |
PAN-OS 7.0 | <= 7.0.10 | >= 7.0.11 |
PAN-OS 6.1 | <= 6.1.14 | >= 6.1.15 |
PAN-OS 6.0 | <= 6.0.14 | >= 6.0.15 |
PAN-OS 5.1 | <= 5.1.12 | >= 5.1.13 |
PAN-OS 5.0 | <= 5.0.19 | >= 5.0.20 |
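The affected/unaffected table above is what an operator actually needs to act on across a fleet. The following is an added example, not Palo Alto Networks' code, that encodes the table's ceilings and classifies PAN-OS version strings against them. It assumes PAN-OS versions look like "7.1.4" or "7.1.4-h2" (maintenance release with an optional hotfix suffix); because the table lists no hotfix exceptions, a hotfix is judged by its base release, and branches the advisory does not mention (for example 8.0) are reported as not covered rather than as safe. The sample inventory at the bottom is constructed, not real hosts.

```python
import re
from typing import Dict, List, Optional, Tuple

# Affected ceilings taken from the advisory's Product Status table:
# a release on one of these branches is affected if its maintenance
# number is <= the listed value, and fixed from the next one upward.
AFFECTED_CEILING = {
    (7, 1): 4,
    (7, 0): 10,
    (6, 1): 14,
    (6, 0): 14,
    (5, 1): 12,
    (5, 0): 19,
}

# Assumption: PAN-OS version strings look like "7.1.4" or "7.1.4-h2".
_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:-h(\d+))?$")


def parse_version(version: str) -> Tuple[int, int, int, int]:
    """Parse a PAN-OS version string into (major, minor, maintenance, hotfix).

    Raises ValueError on anything that does not match, so a fleet scan never
    silently treats an unparseable string as 'unaffected'.
    """
    m = _VERSION_RE.match(version.strip())
    if not m:
        raise ValueError(f"unrecognised PAN-OS version string: {version!r}")
    major, minor, maint, hotfix = m.groups()
    return int(major), int(minor), int(maint), int(hotfix or 0)


def is_affected(version: str) -> Optional[bool]:
    """True if the version is inside the advisory's affected range, False if it
    is at or above the fixed release on a listed branch, None if the branch is
    not covered by the advisory at all.

    Hotfixes are keyed on their base release (assumption: the table lists no
    hotfix exceptions, so "7.1.4-h1" is treated like 7.1.4).
    """
    major, minor, maint, _hotfix = parse_version(version)
    ceiling = AFFECTED_CEILING.get((major, minor))
    if ceiling is None:
        return None
    return maint <= ceiling


def triage(inventory: Dict[str, str]) -> Dict[str, List[str]]:
    """Split {hostname: version} into affected / unaffected / not_covered buckets."""
    result: Dict[str, List[str]] = {"affected": [], "unaffected": [], "not_covered": []}
    for host, version in inventory.items():
        status = is_affected(version)
        if status is None:
            result["not_covered"].append(host)
        elif status:
            result["affected"].append(host)
        else:
            result["unaffected"].append(host)
    for bucket in result.values():
        bucket.sort()
    return result


if __name__ == "__main__":
    # Constructed sample inventory, not real hosts.
    sample = {
        "fw-edge-01": "7.1.4",
        "fw-edge-02": "7.1.5",
        "fw-dc-01": "6.1.14-h3",
        "fw-lab-01": "8.0.0",
    }
    buckets = triage(sample)
    for host in buckets["affected"]:
        print(f"{host}: {sample[host]} affected by PAN-SA-2016-0032, upgrade per Solution")
    for host in buckets["not_covered"]:
        print(f"{host}: {sample[host]} not covered by this advisory, check separately")
```

Hosts in the "not_covered" bucket are deliberately kept apart from "unaffected": the advisory says nothing about other branches, so the script should not imply they are safe.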
Severity: MEDIUM
CVSSv3.1 Base Score: 6.8 (CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:N)
Solution
Upgrade to PAN-OS 5.0.20 and later, PAN-OS 5.1.13 and later, PAN-OS 6.0.15 and later, PAN-OS 6.1.15 and later, PAN-OS 7.0.11 and later, or PAN-OS 7.1.5 and later.
Acknowledgments
Palo Alto Networks would like to thank Travis Christianson for reporting this issue to us.