PAN-SA-2016-0032 Insecure Browser API Token Generation
Attack Vector NETWORK
Scope UNCHANGED
Attack Complexity HIGH
Confidentiality Impact HIGH
Privileges Required NONE
Integrity Impact HIGH
User Interaction REQUIRED
Availability Impact NONE
Description
The Palo Alto Networks firewalls API browser does not properly use the REST API tokens. In a specific scenario, an attacker could steal the authentication token and perform calls to the firewall’s API. (Ref # PAN-61046/PAN-100428)
This post-authentication issue requires the attacker to have access to a logged-in administrator’s browser.
This issue affects PAN-OS 5.0.19 and earlier; PAN-OS 5.1.12 and earlier; PAN-OS 6.0.14 and earlier; PAN-OS 6.1.14 and earlier; PAN-OS 7.0.10 and earlier; PAN-OS 7.1.4 and earlier
Product Status
| Versions | Affected | Unaffected |
|---|---|---|
| PAN-OS 7.1 | <= 7.1.4 | >= 7.1.5 |
| PAN-OS 7.0 | <= 7.0.10 | >= 7.0.11 |
| PAN-OS 6.1 | <= 6.1.14 | >= 6.1.15 |
| PAN-OS 6.0 | <= 6.0.14 | >= 6.0.15 |
| PAN-OS 5.1 | <= 5.1.12 | >= 5.1.13 |
| PAN-OS 5.0 | <= 5.0.19 | >= 5.0.20 |
Severity:MEDIUM
CVSSv3.1 Base Score:6.8 (CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:N)
Weakness Type
Solution
PAN-OS 5.0.20 and later; PAN-OS 5.1.13 and later; PAN-OS 6.0.15 and later; PAN-OS 6.1.15 and later; PAN-OS 7.0.11 and later; PAN-OS 7.1.5 and later
Acknowledgments
Palo Alto Networks would like to thank Travis Christianson for reporting this issue to us.