Command Injection in Command Line Interface (PAN-SA-2016-0002)

Last revised: 03/24/2016

Summary

Palo Alto Networks firewalls implement a command line interface for interactive configuration through a serial interface or a remote SSH session. An issue was identified that can cause incorrect parsing of a specific SSH command parameter, leading to arbitrary command execution on the OS level. This vulnerability requires successful authentication but can be used to execute OS commands with root privileges if the logged on user has administrative privileges. (Ref #89706) (CVE-2016-3654)

Severity: Low

This vulnerability is exploitable only by authenticated administrators that are granted access to the device management CLI.

Products Affected

PAN-OS releases 5.0.17 and prior; 5.1.10 and prior; 6.0.12 and prior; 6.1.9 and prior; 7.0.5 and prior

Available Updates

PAN-OS releases 5.0.18 and newer; 5.1.11 and newer; 6.0.13 and newer; 6.1.10 and newer; 7.0.5H2 and newer

Workarounds and Mitigations

This issue only affects authenticated device users and Panorama users with CLI access enabled. Deployments making use of Role-Based Access Control (RBAC) do not offer CLI access by default. As a best practice, CLI access should be carefully considered, and granted only when necessary to privileged administrators.

Acknowledgements

Felix Wilhelm, ERNW Research