PAN-SA-2024-0003 Informational Bulletin: Impact of OSS CVEs in Prisma SD-WAN ION
Informational
Description
The Palo Alto Networks Product Security Assurance team has evaluated the following open source software (OSS) CVEs as they relate to Prisma SD-WAN ION. While Prisma SD-WAN ION may include the affected OSS package, Prisma SD-WAN ION does not offer any scenarios required for an attacker to successfully exploit these vulnerabilities and is not impacted.
CVE | Summary |
---|---|
CVE-2007-2768 | One-Time Passwords in Everything (OPIE) is not used on Prisma SD-WAN ION, so there is no impact. |
CVE-2016-8858 | Prisma SD-WAN ION devices do not use the affected version of OpenSSH. |
CVE-2016-10010 | Prisma SD-WAN ION devices do not use the affected version of OpenSSH. |
CVE-2016-10011 | Prisma SD-WAN ION devices do not use the affected version of OpenSSH. |
CVE-2016-10012 | Prisma SD-WAN ION devices do not use the affected version of OpenSSH. |
CVE-2016-20012 | This CVE is disputed by the OpenSSH maintainers, and no official patch has been released for OpenSSH. It will not be treated as a valid vulnerability. |
CVE-2019-6109 | Prisma SD-WAN ION devices do not use the affected version of OpenSSH. |
CVE-2019-6110 | Prisma SD-WAN ION devices do not expose scp to users or super users and are therefore not impacted. |
CVE-2019-6111 | Prisma SD-WAN ION devices do not use the affected version of OpenSSH. |
CVE-2021-41617 | AuthorizedKeysCommand and AuthorizedPrincipalsCommand are not set in sshd_config on Prisma SD-WAN ION devices, so there is no impact. |
CVE-2022-4450 | Prisma SD-WAN ION devices are not affected because the vulnerable functions are not used in Prisma SD-WAN ION devices. |
CVE-2023-0215 | Prisma SD-WAN ION devices are not affected because the vulnerable functions are not used in Prisma SD-WAN ION devices. |
CVE-2023-0286 | Prisma SD-WAN ION devices are not affected because the vulnerable functionality is not used in Prisma SD-WAN ION devices. |
CVE-2023-28531 | Prisma SD-WAN ION devices do not use ssh-agent and are therefore not impacted. |
CVE-2023-38408 | Prisma SD-WAN ION devices do not use ssh-agent and are therefore not impacted. |
CVE-2023-51384 | Prisma SD-WAN ION devices do not use ssh-agent and are therefore not impacted. |
CVE-2023-51385 | The configuration settings required for exploitation are not made available in ssh_config, and customers do not have the ability to modify ssh_config. Therefore, there is no impact. |
CVE-2023-51767 | Prisma SD-WAN ION devices are not affected as no realistic scenarios exist where it is practical to exploit this issue. |
Product Status
Versions | Affected | Unaffected |
---|---|---|
Prisma SD-WAN ION | None | All |
Exploitation Status
Palo Alto Networks is not aware of any malicious exploitation of these issues in Prisma SD-WAN ION.
Solution
No software updates are required at this time.