Insecure Server Configuration (PAN-SA-2016-0029)

Last revised: 10/18/2016

Summary

An incorrect Web management server configuration was identified in PAN-OS. (Ref # PAN-52038/86767).

Severity: High

This post-authentication issue affects the management interface of the device, where an incorrect configuration could lead to JavaScript execution.

Products Affected

PAN-OS 5.0.19 and earlier; PAN-OS 5.1.12 and earlier; PAN-OS 6.0.14 and earlier; PAN-OS 6.1.12 and earlier; PAN-OS 7.0.7 and earlier

Available Updates

PAN-OS 5.0.20 and later; PAN-OS 5.1.13 and later; PAN-OS 6.0.15 and later; PAN-OS 6.1.13 and later; PAN-OS 7.0.8 and later

Workarounds and Mitigations

This issue is exploitable only by authenticated users of the web interface. Palo Alto Networks recommends implementing best practices: allow management access only from a restricted set of IP addresses, and dedicate management of the device to the management interface only.
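As an added illustration of the mitigation above (not part of the advisory and not a Palo Alto Networks tool), the following script audits a management-access allow list exported as CIDR entries: it flags entries that are too broad to count as "restricted", treats an empty list as unrestricted, and checks whether a given source address would be permitted. The entry list and the /24 threshold are constructed assumptions.

```python
import ipaddress

# Constructed sample allow list (hypothetical, not taken from the advisory).
# A 0.0.0.0/0 entry permits management access from any address.
SAMPLE_PERMITTED = ["192.0.2.0/24", "0.0.0.0/0", "198.51.100.7/32"]

# Assumed policy: prefixes shorter than /24 are too broad for a management allow list.
MIN_PREFIX_LEN = 24


def parse_permitted(entries):
    """Parse allow-list entries into ip_network objects; malformed entries raise ValueError."""
    return [ipaddress.ip_network(e, strict=False) for e in entries]


def find_overly_broad(entries, min_prefix=MIN_PREFIX_LEN):
    """Return the entries whose prefix length is shorter than min_prefix."""
    return [str(n) for n in parse_permitted(entries) if n.prefixlen < min_prefix]


def is_source_permitted(source_ip, entries):
    """True if source_ip falls inside at least one allow-list entry."""
    addr = ipaddress.ip_address(source_ip)
    return any(addr in n for n in parse_permitted(entries))


def audit(entries, min_prefix=MIN_PREFIX_LEN):
    """Summarize the allow list: an empty list or any broad entry means it is not restricted."""
    broad = find_overly_broad(entries, min_prefix)
    return {"restricted": len(entries) > 0 and not broad, "broad_entries": broad}


if __name__ == "__main__":
    print(audit(SAMPLE_PERMITTED))
    print(is_source_permitted("192.0.2.55", SAMPLE_PERMITTED))
```

Run it against the exported allow list of each device; any result with `restricted: False` means the post-authentication exposure is reachable from a wider network than the advisory's mitigation intends.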

Acknowledgements

ringzero