Palo Alto Networks Security Advisories / PAN-SA-2016-0032

PAN-SA-2016-0032 Insecure Browser API Token Generation

Severity 6.8 · MEDIUM
Attack Vector NETWORK
Attack Complexity HIGH
Privileges Required NONE
User Interaction REQUIRED
Scope UNCHANGED
Confidentiality Impact HIGH
Integrity Impact HIGH
Availability Impact NONE

Description

The API browser on Palo Alto Networks firewalls does not handle REST API tokens correctly. In a specific scenario, an attacker could steal an administrator's authentication token and use it to make calls to the firewall's API. (Ref # PAN-61046/PAN-100428)

This is a post-authentication issue: the attacker must have access to a logged-in administrator's browser.

This issue affects PAN-OS 5.0.19 and earlier; PAN-OS 5.1.12 and earlier; PAN-OS 6.0.14 and earlier; PAN-OS 6.1.14 and earlier; PAN-OS 7.0.10 and earlier; PAN-OS 7.1.4 and earlier

Product Status

Versions     Affected     Unaffected
PAN-OS 7.1   <= 7.1.4     >= 7.1.5
PAN-OS 7.0   <= 7.0.10    >= 7.0.11
PAN-OS 6.1   <= 6.1.14    >= 6.1.15
PAN-OS 6.0   <= 6.0.14    >= 6.0.15
PAN-OS 5.1   <= 5.1.12    >= 5.1.13
PAN-OS 5.0   <= 5.0.19    >= 5.0.20

Severity: MEDIUM

CVSSv3.1 Base Score: 6.8 (CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:N)

Weakness Type

Solution

This issue is fixed in PAN-OS 5.0.20 and later; PAN-OS 5.1.13 and later; PAN-OS 6.0.15 and later; PAN-OS 6.1.15 and later; PAN-OS 7.0.11 and later; PAN-OS 7.1.5 and later.
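A fleet-triage helper for the Product Status table and the Solution above, written as an added example (it is not Palo Alto Networks code). Only the first-fixed-release table is taken from the advisory; the function names, the hotfix handling and the sample "show system info" output are assumptions of this example, and the sample output is constructed, not captured from a real device.

```python
"""Triage helper for PAN-SA-2016-0032: is a given PAN-OS version affected?

Added example, not Palo Alto Networks code. FIXED_VERSIONS is copied from
the advisory's Product Status / Solution sections; everything else here
(function names, the sample CLI output) is an assumption of this example.
"""
import re

# First fixed release per affected major.minor train, from the advisory.
FIXED_VERSIONS = {
    (5, 0): (5, 0, 20),
    (5, 1): (5, 1, 13),
    (6, 0): (6, 0, 15),
    (6, 1): (6, 1, 15),
    (7, 0): (7, 0, 11),
    (7, 1): (7, 1, 5),
}

# major.minor.maint with an optional PAN-OS hotfix suffix such as "-h2".
VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:-h(\d+))?$")


def parse_version(text):
    """Parse '7.1.4' or '7.1.4-h2' into (major, minor, maint, hotfix).

    A hotfix of an affected maintenance release is still affected and a
    hotfix of a fixed release is still fixed, so the hotfix number is
    parsed for tolerance but never decides the verdict.
    """
    m = VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised PAN-OS version: {text!r}")
    major, minor, maint, hotfix = m.groups()
    return (int(major), int(minor), int(maint), int(hotfix or 0))


def is_affected(version):
    """True when the version is below the first fixed release of its train.

    Trains the advisory does not list (for example 8.0) are reported as
    unaffected, matching the advisory's Unaffected column.
    """
    major, minor, maint, _hotfix = parse_version(version)
    fixed = FIXED_VERSIONS.get((major, minor))
    if fixed is None:
        return False
    return (major, minor, maint) < fixed


# Constructed sample of 'show system info' CLI output (assumption: the
# running release appears on a 'sw-version:' line, as on PAN-OS devices).
SAMPLE_SHOW_SYSTEM_INFO = """\
hostname: fw-edge-01
ip-address: 192.0.2.10
model: PA-3020
serial: 000000000000
sw-version: 7.1.4
app-version: 600-3397
"""


def version_from_show_system_info(output):
    """Extract the sw-version value from captured 'show system info' text."""
    for line in output.splitlines():
        key, sep, value = line.partition(":")
        if sep and key.strip() == "sw-version":
            return value.strip()
    raise ValueError("no sw-version line found")


def triage(captures):
    """Map hostname -> (version, affected) for captured CLI outputs."""
    report = {}
    for host, output in captures.items():
        version = version_from_show_system_info(output)
        report[host] = (version, is_affected(version))
    return report


if __name__ == "__main__":
    for host, (ver, hit) in triage({"fw-edge-01": SAMPLE_SHOW_SYSTEM_INFO}).items():
        print(f"{host}: PAN-OS {ver} -> {'AFFECTED' if hit else 'not affected'}")
```

Feed `triage()` a dictionary of hostnames to the text of `show system info` collected from each firewall; hosts reported as affected need one of the fixed releases listed in the Solution.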

Workarounds and Mitigations

Acknowledgments

Palo Alto Networks would like to thank Travis Christianson for reporting this issue to us.

© 2020 Palo Alto Networks, Inc. All rights reserved.