{"document":{"category":"csaf_vex","csaf_version":"2.1","notes":[{"category":"summary","text":"Palo Alto Networks PSIRT provided VEX document. This document is autogenerated.","title":"PAN-OS: CHAP and PAP When Used with RADIUS Authentication Lead to Privilege Escalation"}],"publisher":{"category":"vendor","name":"Palo Alto Networks","namespace":"https://security.paloaltonetworks.com"},"title":"Palo Alto Networks PSIRT provided VEX document: CVE-2024-3596","distribution":{"text":"Copyright © 2024 Palo Alto Networks. All rights reserved.","tlp":{"label":"CLEAR","url":"https://www.first.org/tlp/"}},"tracking":{"current_release_date":"2026-03-11T22:25:41.384Z","generator":{"date":"2026-03-11T22:25:41.384Z","engine":{"name":"vulnogram","version":"0.1.0-rc1"}},"id":"CVE-2024-3596","initial_release_date":"2024-07-10T16:00:00.000Z","revision_history":[{"number":"1","date":"2024-07-10T09:00:00.000Z","summary":"Initial publication"},{"number":"2","date":"2024-07-16T16:00:00.000Z","summary":"Clarified versions for 11.0 branch"},{"number":"3","date":"2024-07-25T22:00:00.000Z","summary":"Clarified requirements for RADIUS server"},{"number":"4","date":"2025-04-30T10:45:00.000Z","summary":"Updated fix availability for PAN-OS 10.1, 10.2, and Prisma Access"}],"status":"final","version":"1"}},"product_tree":{"branches":[{"name":"Palo Alto Networks","category":"vendor","branches":[{"name":"PAN-OS","category":"product_name","branches":[{"category":"product_version_range","name":"vers:generic/PAN-OS>=11.2.0","product":{"name":"Palo Alto Networks PAN-OS","product_id":"PANW-PAN-OS-119"}},{"category":"product_version_range","name":"vers:generic/PAN-OS<11.1.3","product":{"name":"Palo Alto Networks PAN-OS","product_id":"PANW-PAN-OS-183"}},{"category":"product_version_range","name":"vers:generic/PAN-OS>=11.1.3","product":{"name":"Palo Alto Networks PAN-OS","product_id":"PANW-PAN-OS-183"}},{"category":"product_version_range","name":"vers:generic/PAN-OS<10.2.4-h21","product":{"name":"Palo 
Alto Networks PAN-OS","product_id":"PANW-PAN-OS-677"}},{"category":"product_version_range","name":"vers:generic/PAN-OS>=10.2.10","product":{"name":"Palo Alto Networks PAN-OS","product_id":"PANW-PAN-OS-184"}},{"category":"product_version_range","name":"vers:generic/PAN-OS>=10.2.9-h8","product":{"name":"Palo Alto Networks PAN-OS","product_id":"PANW-PAN-OS-678"}},{"category":"product_version_range","name":"vers:generic/PAN-OS>=10.2.8-h20","product":{"name":"Palo Alto Networks PAN-OS","product_id":"PANW-PAN-OS-675"}},{"category":"product_version_range","name":"vers:generic/PAN-OS>=10.2.7-h21","product":{"name":"Palo Alto Networks PAN-OS","product_id":"PANW-PAN-OS-590"}},{"category":"product_version_range","name":"vers:generic/PAN-OS>=10.2.4-h21","product":{"name":"Palo Alto Networks PAN-OS","product_id":"PANW-PAN-OS-677"}},{"category":"product_version_range","name":"vers:generic/PAN-OS<10.1.14","product":{"name":"Palo Alto Networks PAN-OS","product_id":"PANW-PAN-OS-127"}},{"category":"product_version_range","name":"vers:generic/PAN-OS>=10.1.14","product":{"name":"Palo Alto Networks PAN-OS","product_id":"PANW-PAN-OS-127"}},{"category":"product_version_range","name":"vers:generic/PAN-OS>=10.1.12-h4","product":{"name":"Palo Alto Networks PAN-OS","product_id":"PANW-PAN-OS-679"}},{"category":"product_version_range","name":"vers:generic/PAN-OS<11.0.4-h5","product":{"name":"Palo Alto Networks PAN-OS","product_id":"PANW-PAN-OS-185"}},{"category":"product_version_range","name":"vers:generic/PAN-OS>=11.0.4-h5","product":{"name":"Palo Alto Networks PAN-OS","product_id":"PANW-PAN-OS-185"}},{"category":"product_version_range","name":"vers:generic/PAN-OS>=11.0.6","product":{"name":"Palo Alto Networks PAN-OS","product_id":"PANW-PAN-OS-139"}},{"category":"product_version_range","name":"vers:generic/PAN-OS<9.1.19","product":{"name":"Palo Alto Networks 
PAN-OS","product_id":"PANW-PAN-OS-186"}},{"category":"product_version_range","name":"vers:generic/PAN-OS>=9.1.19","product":{"name":"Palo Alto Networks PAN-OS","product_id":"PANW-PAN-OS-186"}}]},{"name":"Cloud NGFW","category":"product_name","branches":[{"category":"product_version","name":"Cloud NGFW All","product":{"name":"Palo Alto Networks Cloud NGFW","product_id":"PANW-Cloud-NGFW-1"}}]},{"name":"Prisma Access","category":"product_name","branches":[{"category":"product_version","name":"Prisma Access All","product":{"name":"Palo Alto Networks Prisma Access","product_id":"PANW-Prisma-Access-1"}}]}]}]},"vulnerabilities":[{"cve":"CVE-2024-3596","product_status":{"fixed":["PANW-PAN-OS-183","PANW-PAN-OS-184","PANW-PAN-OS-678","PANW-PAN-OS-675","PANW-PAN-OS-590","PANW-PAN-OS-677","PANW-PAN-OS-127","PANW-PAN-OS-679","PANW-PAN-OS-185","PANW-PAN-OS-139","PANW-PAN-OS-186"],"known_affected":["PANW-PAN-OS-183","PANW-PAN-OS-677","PANW-PAN-OS-127","PANW-PAN-OS-185","PANW-PAN-OS-186"],"known_not_affected":["PANW-PAN-OS-119","PANW-Cloud-NGFW-1","PANW-Prisma-Access-1"]},"notes":[{"category":"description","text":"This vulnerability allows an attacker performing a meddler-in-the-middle attack between a Palo Alto Networks PAN-OS firewall and a RADIUS server to bypass authentication and escalate privileges to ‘superuser’ when RADIUS authentication is in use and either CHAP or PAP is selected in the RADIUS server profile.\n\nCHAP and PAP are protocols with no Transport Layer Security (TLS), and hence vulnerable to meddler-in-the-middle attacks. Neither protocol should be used unless they are encapsulated by an encrypted tunnel. 
If they are in use, but are encapsulated within a TLS tunnel, they are not vulnerable to this attack.\n\nFor additional information regarding this vulnerability, please see https://blastradius.fail."}],"references":[{"category":"external","summary":"NVD - CVE-2024-3596","url":"https://nvd.nist.gov/vuln/detail/CVE-2024-3596"},{"category":"self","summary":"Palo Alto Networks Security Advisory CVE-2024-3596","url":"https://security.paloaltonetworks.com/CVE-2024-3596"}],"threats":[{"category":"impact","description":"This vulnerability allows an attacker performing a meddler-in-the-middle attack between a Palo Alto Networks PAN-OS firewall and a RADIUS server to bypass authentication and escalate privileges to ‘superuser’ when RADIUS authentication is in use and either CHAP or PAP is selected in the RADIUS server profile.\n\nCHAP and PAP are protocols with no Transport Layer Security (TLS), and hence vulnerable to meddler-in-the-middle attacks. Neither protocol should be used unless they are encapsulated by an encrypted tunnel. 
If they are in use, but are encapsulated within a TLS tunnel, they are not vulnerable to this attack.\n\nFor additional information regarding this vulnerability, please see https://blastradius.fail."}],"scores":[{"cvss_v4":{"version":"4.0","attackVector":"NETWORK","attackComplexity":"HIGH","attackRequirements":"PRESENT","privilegesRequired":"NONE","userInteraction":"PASSIVE","vulnConfidentialityImpact":"NONE","subConfidentialityImpact":"HIGH","vulnIntegrityImpact":"NONE","subIntegrityImpact":"HIGH","vulnAvailabilityImpact":"NONE","subAvailabilityImpact":"NONE","Safety":"NOT_DEFINED","Automatable":"NO","Recovery":"AUTOMATIC","valueDensity":"CONCENTRATED","vulnerabilityResponseEffort":"MODERATE","providerUrgency":"AMBER","exploitMaturity":"NOT_DEFINED","baseSeverity":"MEDIUM","baseScore":5.3,"threatSeverity":"MEDIUM","threatScore":5.3,"vectorString":"CVSS:4.0/AV:N/AC:H/AT:P/PR:N/UI:P/VC:N/VI:N/VA:N/SC:H/SI:H/SA:N/AU:N/R:A/V:C/RE:M/U:Amber"},"products":["PANW-PAN-OS-183","PANW-PAN-OS-677","PANW-PAN-OS-127","PANW-PAN-OS-185","PANW-PAN-OS-186"]}]}]}