PAN-SA-2025-0010 Informational Bulletin: No Impact of the Marvin Attack on PAN-OS

Informational
Description
The Palo Alto Networks Product Security Assurance team has evaluated the applicability to PAN-OS of the CVEs related to the Marvin attack, a timing side channel in RSA PKCS#1 v1.5 decryption that lets a network attacker decrypt ciphertexts or forge signatures by measuring how long a server takes to reject malformed padding. None of these CVEs was determined to have a significant impact on PAN-OS software; some were fixed anyway out of an abundance of caution. Further details on the Marvin attack are available in the researcher's published write-up.
CVE | Summary |
---|---|
CVE-2024-29995 | This CVE does not affect PAN-OS as PAN-OS does not have the vulnerable opensc library. |
CVE-2024-26306 | This CVE does not affect PAN-OS as PAN-OS does not have the vulnerable iperf3 component. |
CVE-2024-23170 | This CVE does not affect PAN-OS as PAN-OS does not have the vulnerable Mbed TLS component. |
CVE-2024-21484 | This CVE does not affect PAN-OS as PAN-OS does not have the vulnerable jsrsasign package. |
CVE-2024-20952 | This CVE does not affect PAN-OS as PAN-OS does not have the vulnerable openjdk package. |
CVE-2024-2236 | This CVE does not affect PAN-OS as PAN-OS does not include the vulnerable libgcrypt component. |
CVE-2024-0914 | This CVE does not affect PAN-OS as PAN-OS does not have the vulnerable package. |
CVE-2024-0202 | This CVE does not affect PAN-OS as PAN-OS does not have the vulnerable cryptlib cryptographic library. |
CVE-2023-46809 | This CVE does not affect PAN-OS as PAN-OS does not have the vulnerable subcomponent. |
CVE-2023-6240 | This CVE does not affect PAN-OS as PAN-OS does not have the vulnerable subcomponent. |
CVE-2023-5992 | This CVE does not affect PAN-OS as PAN-OS does not have the vulnerable opensc library. |
CVE-2023-5388 | This CVE is fixed in PAN-OS 10.2.11, PAN-OS 11.0.6, PAN-OS 11.1.5 and all later versions of PAN-OS. |
CVE-2023-4421 | This CVE is fixed in PAN-OS 10.2.11, PAN-OS 11.0.6, PAN-OS 11.1.5 and all later versions of PAN-OS. |
CVE-2022-4304 | This CVE is fixed in PAN-OS 10.2.5, PAN-OS 11.0.2 and all later versions of PAN-OS. |
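As a practitioner's check that is not part of this bulletin, the following added Python example compares an installed PAN-OS version string against the fixed versions in the table for the three CVEs that were actually patched. The version format `major.minor.maintenance[-hN]`, and the reading of "all later versions" as also covering release branches newer than any listed branch, are assumptions; a branch older than every listed branch returns `None` because the bulletin says nothing about it.

```python
"""Check a PAN-OS version string against the fixed versions in PAN-SA-2025-0010.

Added example; not Palo Alto Networks code. The version-string format and the
handling of unlisted release branches are assumptions stated in the comments.
"""
import re
from typing import Optional

# Fixed versions copied from the bulletin's table. Only the three CVEs that
# were patched in PAN-OS appear here; the remaining CVEs do not affect PAN-OS.
FIXED_VERSIONS = {
    "CVE-2023-5388": ["10.2.11", "11.0.6", "11.1.5"],
    "CVE-2023-4421": ["10.2.11", "11.0.6", "11.1.5"],
    "CVE-2022-4304": ["10.2.5", "11.0.2"],
}

# Assumed format: major.minor.maintenance with an optional hotfix suffix (-hN).
_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:-h(\d+))?$")


def parse_version(version: str) -> tuple[int, int, int, int]:
    """Parse '10.2.11-h3' into (10, 2, 11, 3); a missing hotfix counts as 0.

    Tuples compare lexicographically, so a hotfix sorts above its base release
    and below the next maintenance release, which is the ordering we need.
    """
    m = _VERSION_RE.match(version.strip())
    if not m:
        raise ValueError(f"unrecognised PAN-OS version: {version!r}")
    major, minor, maint, hotfix = m.groups()
    return (int(major), int(minor), int(maint), int(hotfix or 0))


def is_fixed(version: str, cve: str) -> Optional[bool]:
    """Return True if `version` carries the fix for `cve`, False if it is older
    than the fix on its branch, or None if the bulletin does not address the
    installed release branch at all."""
    installed = parse_version(version)
    branch = installed[:2]
    fixed = [parse_version(v) for v in FIXED_VERSIONS[cve]]

    # Same release branch as a listed fix: compare maintenance/hotfix level.
    for f in fixed:
        if f[:2] == branch:
            return installed >= f

    # "and all later versions": a branch newer than every listed branch shipped
    # after the fix (assumption: read literally from the bulletin's wording).
    if branch > max(f[:2] for f in fixed):
        return True

    # Older, unlisted branch: the bulletin is silent, so do not guess.
    return None


def exposure_report(version: str) -> dict[str, Optional[bool]]:
    """Per-CVE fixed/not-fixed/unknown status for one installed version."""
    return {cve: is_fixed(version, cve) for cve in FIXED_VERSIONS}


if __name__ == "__main__":
    # Constructed sample versions, not output from any real device.
    for v in ["10.2.10-h2", "10.2.11", "11.0.5", "11.1.5-h1", "11.2.0", "10.1.14"]:
        print(v, exposure_report(v))
```

Run the module to print a report for the constructed sample versions; a `None` entry means the installed branch is not covered by this bulletin and should be checked against the vendor's release notes rather than assumed fixed or exposed.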
Required Configuration for Exposure
No special configuration is required to be affected by this issue.
Exploitation Status
Palo Alto Networks is not aware of any malicious exploitation of this issue.
Weakness Type and Impact
CWE-1240: Use of a Cryptographic Primitive with a Risky Implementation
CAPEC-463: Padding Oracle Crypto Attack
Solution
The open-source CVEs that apply to PAN-OS are fixed in the PAN-OS versions listed in the table above. The remaining CVEs require no action because the affected components are not present in PAN-OS.
Workarounds and Mitigations
No workaround or mitigation is available.
Acknowledgments
Palo Alto Networks thanks Hubert Kario for their research regarding the Marvin attack.
Timeline
Initial Publication