PAN-SA-2025-0003 Informational: PAN-OS BIOS and Bootloader Security Bulletin
Informational
Description
Palo Alto Networks is aware of claims of multiple vulnerabilities in hardware device firmware and bootloaders included in our PA-Series (hardware) firewalls.
It is not possible for malicious actors or PAN-OS administrators to exploit these vulnerabilities under normal conditions on PAN-OS versions with up-to-date, secured management interfaces deployed according to the best practices guidelines. Users and administrators do not have access to the BIOS firmware or permissions to modify it. An attacker would need to first compromise the system and then get the root Linux privileges necessary to perform these actions before they could exploit these vulnerabilities. These vulnerabilities themselves do not allow an attacker to compromise the PAN-OS software on the firewall.
None of the concerns are applicable to PAN-OS CN-Series, PAN-OS VM-Series, Cloud NGFW and Prisma Access.
CVE | Summary |
---|---|
CVE-2020-10713 | The BootHole vulnerability may allow an attacker to hijack and tamper the GRUB verification process. It is not possible for malicious actors or PAN-OS administrators to exploit this vulnerability under normal conditions on PAN-OS versions with up-to-date, secured management interfaces deployed according to the best practices guidelines. |
CVE-2021-33627 | The Insyde InsydeH2O kernel does not check that the address of a buffer is valid. We are working with the third-party vendors to develop any firmware updates that may be needed for PA-3200 series, PA-5200 series and PA-7200 series with Switch Management Card (SMC-B) installed. All other hardware firewalls are not affected. |
CVE-2021-42060 | Privilege escalation in InsydeH2O Kernel. We are working with the third-party vendors to develop any firmware updates that may be needed for PA-3200 series, PA-5200 series and PA-7200 series with Switch Management Card (SMC-B) installed. All other hardware firewalls are not affected. |
CVE-2021-42554 | Memory corruption in Insyde InsydeH2O with Kernel. We are working with the third-party vendors to develop any firmware updates that may be needed for PA-3200 series, PA-5200 series and PA-7200 series with Switch Management Card (SMC-B) installed. All other hardware firewalls are not affected. |
CVE-2021-43323 | Privilege escalation in UsbCoreDxe in Insyde InsydeH2O with kernel. We are working with the third-party vendors to develop any firmware updates that may be needed for PA-3200 series, PA-5200 series and PA-7200 series with Switch Management Card (SMC-B) installed. All other hardware firewalls are not affected. |
CVE-2021-45970 | Insufficient validation of the allocated buffer pointer in IdeBusDxe in Insyde InsydeH2O with kernel. We are working with the third-party vendors to develop any firmware updates that may be needed for PA-3200 series, PA-5200 series and PA-7200 series with Switch Management Card (SMC-B) installed. All other hardware firewalls are not affected. |
CVE-2022-24030 | Memory corruption in AhciBusDxe in Insyde InsydeH2O with kernel. We are working with the third-party vendors to develop any firmware updates that may be needed for PA-3200 series, PA-5200 series and PA-7200 series with Switch Management Card (SMC-B) installed. All other hardware firewalls are not affected. |
CVE-2023-40238 | Also known as LogoFail, some BIOS implementations are susceptible to malicious logo images written to the BIOS's filesystem. PAN-OS is not affected as the conditions required to exploit this vulnerability do not exist in PAN-OS. |
CVE-2023-1017 | An out-of-bounds write vulnerability exists in the TPM 2.0 Module Library, allowing a write of 2 bytes past the end of a buffer. This issue is not applicable to any of our products. |
CVE-2023-45229 | PixieFAIL: EDK2's Network Package is susceptible to an out-of-bounds read vulnerability when processing the IA_NA or IA_TA option in a DHCPv6 Advertise message. Our products are unaffected since the BIOS network stack is disabled. |
CVE-2023-45230 | PixieFAIL: EDK2's Network Package is susceptible to a buffer overflow vulnerability via a long server ID option in DHCPv6 client. Our products are unaffected since the BIOS network stack is disabled. |
CVE-2023-45231 | PixieFAIL: EDK2's Network Package is susceptible to an out-of-bounds read vulnerability when processing Neighbor Discovery Redirect messages. Our products are unaffected since the BIOS network stack is disabled. |
CVE-2023-45232 | PixieFAIL: EDK2's Network Package is susceptible to an infinite loop vulnerability when parsing unknown options in the Destination Options header of IPv6. Our products are unaffected since the BIOS network stack is disabled. |
CVE-2023-45233 | PixieFAIL: EDK2's Network Package is susceptible to an infinite loop vulnerability when parsing a PadN option in the Destination Options header of IPv6. Our products are unaffected since the BIOS network stack is disabled. |
CVE-2023-45234 | PixieFAIL: EDK2's Network Package is susceptible to a buffer overflow vulnerability when processing DNS Servers option from a DHCPv6 Advertise message. Our products are unaffected since the BIOS network stack is disabled. |
CVE-2023-45235 | PixieFAIL: EDK2's Network Package is susceptible to a buffer overflow vulnerability when handling Server ID option from a DHCPv6 proxy Advertise message. Our products are unaffected since the BIOS network stack is disabled. |
CVE-2023-45236 | PixieFAIL: EDK2's Network Package is susceptible to a predictable TCP Initial Sequence Number. Our products are unaffected since the BIOS network stack is disabled. |
CVE-2023-45237 | PixieFAIL: EDK2's Network Package is susceptible to a predictable TCP Initial Sequence Number. Our products are unaffected since the BIOS network stack is disabled. |
Insecure Flash Access Control Vulnerability | Misconfigured or missing SPI flash access controls could permit an attacker to write to UEFI. This requires physical access to the system and tampering with the hardware. Conditions to exploit this vulnerability do not exist in PAN-OS. We recommend restricting physical access to the firewalls as a best practice. |
Intel Bootguard Leaked Keys Bypass | Private keys for Intel Boot Guard were leaked; Intel has concluded that they are pre-production or test keys. These keys are not used in any of the BIOS firmware used in Palo Alto Networks firewalls. This issue does not affect PAN-OS. |
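The PixieFAIL entries above describe three failure classes in DHCPv6 option handling: an option whose declared length runs past the buffer that holds it (out-of-bounds read), an IA_NA/IA_TA body shorter than its fixed header (out-of-bounds read), and a Server ID longer than the buffer a client copies it into (buffer overflow). The following is an added example, not code from this advisory or from EDK2, showing what a bounds-checked parser for a DHCPv6 Advertise message looks like; the option codes and the 4-byte option header come from the DHCPv6 wire format, while the `SERVERID_BUF` limit and all sample messages are constructed for the example.

```python
"""Bounds-checked parsing of a DHCPv6 Advertise message (added example).

Every check refuses to read or copy outside the window it was handed, which
is the property the PixieFAIL option-handling bugs lacked.
"""
import struct
from dataclasses import dataclass, field
from typing import List, Tuple

MSG_ADVERTISE = 2
OPT_SERVERID = 2
OPT_IA_NA = 3
OPT_IA_TA = 4
OPT_DNS_SERVERS = 23

# Constructed limit for this example: the size of the buffer a client is
# assumed to copy the Server ID into. A real client uses its own figure.
SERVERID_BUF = 128
MAX_DEPTH = 2  # IA_NA / IA_TA carry sub-options; bound the recursion


class MalformedOption(ValueError):
    """Raised when an option cannot be parsed without leaving its bounds."""


@dataclass
class Option:
    code: int
    data: bytes
    sub: List["Option"] = field(default_factory=list)


def parse_options(buf: bytes, start: int, end: int, depth: int = 0) -> List[Option]:
    """Parse DHCPv6 options in buf[start:end]; never read outside that window."""
    if depth > MAX_DEPTH:
        raise MalformedOption("option nesting too deep")
    opts: List[Option] = []
    off = start
    while off < end:
        if end - off < 4:
            raise MalformedOption(f"truncated option header at offset {off}")
        code, length = struct.unpack_from("!HH", buf, off)
        data_start, data_end = off + 4, off + 4 + length
        if data_end > end:  # declared length runs past the enclosing buffer
            raise MalformedOption(f"option {code}: length {length} exceeds enclosing buffer")
        opt = Option(code, buf[data_start:data_end])
        if code == OPT_SERVERID and length > SERVERID_BUF:
            raise MalformedOption(f"Server ID of {length} bytes exceeds {SERVERID_BUF}-byte buffer")
        if code in (OPT_IA_NA, OPT_IA_TA):
            fixed = 12 if code == OPT_IA_NA else 4  # IAID+T1+T2, or IAID only
            if length < fixed:
                raise MalformedOption(f"option {code}: body {length} shorter than {fixed}-byte header")
            opt.sub = parse_options(buf, data_start + fixed, data_end, depth + 1)
        if code == OPT_DNS_SERVERS and length % 16 != 0:
            raise MalformedOption("DNS Servers option is not a whole number of IPv6 addresses")
        opts.append(opt)
        off = data_end  # the 4-byte header guarantees progress: no zero-length loop
    return opts


def parse_advertise(msg: bytes) -> List[Option]:
    """Validate the 4-byte DHCPv6 header, then parse the options that follow."""
    if len(msg) < 4:
        raise MalformedOption("message shorter than 4-byte DHCPv6 header")
    if msg[0] != MSG_ADVERTISE:
        raise MalformedOption(f"unexpected msg-type {msg[0]}")
    return parse_options(msg, 4, len(msg))


def validate(msg: bytes) -> Tuple[bool, str]:
    """Convenience wrapper: (True, 'ok') or (False, reason)."""
    try:
        parse_advertise(msg)
        return True, "ok"
    except MalformedOption as e:
        return False, str(e)


def _opt(code: int, data: bytes) -> bytes:
    return struct.pack("!HH", code, len(data)) + data


# Constructed sample messages for the example (not captured traffic).
_HDR = bytes([MSG_ADVERTISE, 0x12, 0x34, 0x56])          # msg-type + transaction-id
_DUID = b"\x00\x03\x00\x01" + b"\x02\x00\x5e\x10\x00\x01"  # DUID-LL, constructed
SAMPLE_OK = (_HDR
             + _opt(OPT_SERVERID, _DUID)
             + _opt(OPT_IA_NA, struct.pack("!III", 1, 3600, 5400)
                    + _opt(5, bytes(16) + struct.pack("!II", 7200, 7200)))  # IAADDR
             + _opt(OPT_DNS_SERVERS, bytes(16)))
# IA_NA whose 4-byte body is shorter than the 12-byte IAID/T1/T2 header
SAMPLE_SHORT_IA_NA = _HDR + _opt(OPT_IA_NA, b"\x00\x00\x00\x01")
# Option header claims 200 bytes of data but only 8 follow
SAMPLE_OVERRUN = _HDR + struct.pack("!HH", OPT_DNS_SERVERS, 200) + bytes(8)
# Server ID longer than the assumed receive buffer
SAMPLE_BIG_SERVERID = _HDR + _opt(OPT_SERVERID, b"\xff" * (SERVERID_BUF + 1))

if __name__ == "__main__":
    for name, m in [("ok", SAMPLE_OK), ("short_ia_na", SAMPLE_SHORT_IA_NA),
                    ("overrun", SAMPLE_OVERRUN), ("big_serverid", SAMPLE_BIG_SERVERID)]:
        print(name, validate(m))
```

The point of the design is that every length is checked against the window the option lives in before any slice or copy is taken, and the offset advances by at least the header size on every iteration, so neither an oversized nor a zero-length option can drive the loop outside the buffer or keep it spinning.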
Product Status
Versions | Affected | Unaffected |
---|---|---|
Cloud NGFW | None | All |
PAN-OS CN-Series | None | All |
PAN-OS PA-Series | As listed in the CVE table above | All others not listed in the CVE table above |
PAN-OS VM-Series | None | All |
Prisma Access | None | All |
Required Configuration for Exposure
Some of these vulnerabilities are exploitable only when an attacker has already compromised the PAN-OS software and gained root Linux privileges on the system or privileged access to the management networks or physical access to open the device. This is not possible under normal conditions on PAN-OS versions that are up-to-date and deployed according to best practices.
Exploitation Status
Palo Alto Networks is not aware of any malicious exploitation of these issues in our products. We are aware of a blog post discussing these issues.
Solution
While the conditions required to exploit these vulnerabilities are not available to users protected by PAN-OS or administrators of PAN-OS software, we are working with the third-party vendors to develop any firmware updates that may be needed. We will provide further updates and guidance as they become available.
Workarounds and Mitigations
These vulnerabilities require an attacker to compromise the PAN-OS software before they can be successfully exploited. The risk of exploitation on PAN-OS software is reduced by upgrading your appliances to the latest versions.
Additionally, secure access to the management web interface by restricting access to only trusted internal IP addresses according to our recommended best practice deployment guidelines.
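Before committing a management-interface allowlist, it is worth checking that each entry actually meets the "trusted internal IP addresses only" recommendation above. The following is an added example and not Palo Alto Networks tooling: it audits a candidate list of permitted source networks and answers whether a given source would be admitted. The policy thresholds (`MAX_IPV4_HOSTS`, `MAX_IPV6_PREFIX_BITS`) and all sample entries are constructed for the example.

```python
"""Audit a management-interface allowlist (added example).

Flags entries that permit everything, that are not private (RFC 1918 / ULA)
ranges, or that are broader than a constructed policy threshold, and reports
whether a given source address would be admitted by the list.
"""
import ipaddress
from typing import Iterable, List, Tuple, Union

Net = Union[ipaddress.IPv4Network, ipaddress.IPv6Network]

# Constructed policy thresholds for this example; choose your own.
MAX_IPV4_HOSTS = 65536      # refuse IPv4 entries broader than a /16
MAX_IPV6_PREFIX_BITS = 48   # refuse IPv6 prefixes shorter than /48


def parse_allowlist(entries: Iterable[str]) -> Tuple[List[Net], List[str]]:
    """Return (networks, findings). A bare address becomes a /32 or /128."""
    nets: List[Net] = []
    findings: List[str] = []
    for raw in entries:
        try:
            nets.append(ipaddress.ip_network(raw.strip(), strict=False))
        except ValueError:
            findings.append(f"{raw!r}: not a valid address or prefix")
    return nets, findings


def audit(entries: Iterable[str]) -> List[str]:
    """Return a list of human-readable findings; an empty list means the
    allowlist passes every check."""
    nets, findings = parse_allowlist(entries)
    for net in nets:
        if net.prefixlen == 0:
            findings.append(f"{net}: permits every source address (no restriction at all)")
            continue
        if not net.is_private:
            findings.append(f"{net}: not an RFC 1918 / ULA range; management should be internal-only")
        if net.version == 4 and net.num_addresses > MAX_IPV4_HOSTS:
            findings.append(f"{net}: broader than /16 ({net.num_addresses} addresses)")
        if net.version == 6 and net.prefixlen < MAX_IPV6_PREFIX_BITS:
            findings.append(f"{net}: shorter than /{MAX_IPV6_PREFIX_BITS}")
    return findings


def is_permitted(src: str, entries: Iterable[str]) -> bool:
    """Would a connection from src be admitted by this allowlist?"""
    addr = ipaddress.ip_address(src)
    nets, _ = parse_allowlist(entries)
    return any(addr.version == n.version and addr in n for n in nets)


if __name__ == "__main__":
    # Constructed sample allowlist with one acceptable and several bad entries.
    candidate = ["192.168.10.0/24", "fd00:1::/48", "0.0.0.0/0", "1.2.3.0/24",
                 "10.0.0.0/8", "not-an-ip"]
    for finding in audit(candidate):
        print("FINDING:", finding)
    print("192.168.10.7 permitted by /24 entry:", is_permitted("192.168.10.7", ["192.168.10.0/24"]))
```

The `is_permitted` check is useful in the other direction too: run it with the address of every host that legitimately needs management access before tightening the list, so that the hardening does not lock out the administrators it is meant to protect.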