Vulnerability in PAN-OS on Management Interface (PAN-SA-2017-0027)

Last revised: 12/05/2017

Summary

Through the exploitation of a combination of unrelated vulnerabilities, and via the management interface of the device, an attacker could remotely execute code on PAN-OS in the context of the highest privileged user. (Ref # PAN-61094 / PAN-80990 / PAN-80993 / PAN-80994 / CVE-2017-15944)

Severity: Critical

PAN-OS contains multiple vulnerabilities that, when exploited in conjunction could lead to remote code execution prior to authentication.

Products Affected

PAN-OS 6.1.18 and earlier, PAN-OS 7.0.18 and earlier, PAN-OS 7.1.13 and earlier, PAN-OS 8.0.5 and earlier

Available Updates

PAN-OS 6.1.19 and later, PAN-OS 7.0.19 and later, PAN-OS 7.1.14 and later, PAN-OS 8.0.6 and later

Workarounds and Mitigations

This issue affects the management interface of the device and is strongly mitigated by following best practices for the isolation of management interfaces for security appliances. We recommend that the management interface be isolated and strictly limited only to security administration personnel through either network segmentation or using the IP access control list restriction feature within PAN-OS.

Acknowledgements

Palo Alto Networks would like to thank Philip Pettersson for reporting this issue