Custom-role users may escalate privileges (CVE-2019-17437) (PAN-SA-2019-0038)

Last revised: 12/04/2019


An improper authentication check in Palo Alto Networks PAN-OS may allow an authenticated, low-privileged, non-superuser custom-role user to elevate privileges and become a superuser. This issue affects only devices configured with a low-privileged custom-role user, with any combination of roles or privileges. This issue was discovered by an external security researcher and was internally tracked as PAN-115697. It has been assigned CVE-2019-17437.

Severity: HIGH

The CVSS score for this issue is 7.8 (CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H)

Products Affected

This issue affects PAN-OS 7.1 versions prior to 7.1.25; 8.0 versions prior to 8.0.20; 8.1 versions prior to 8.1.11; 9.0 versions prior to 9.0.5. PAN-OS version 7.0 and prior EOL versions have not been evaluated for this issue.

Available Updates

This issue has been resolved in 7.1.25, 8.0.20, 8.1.11, 9.0.5 and all subsequent versions.
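
The version ranges above can be checked against a device inventory with a short script; the following is an added example, not code from Palo Alto Networks. It assumes version strings of the form major.minor.maintenance with an optional "-hN" hotfix suffix, and the hostnames and inventory are constructed for illustration.

```python
import re

# First fixed maintenance release per train, taken from the advisory text.
FIXED = {(7, 1): 25, (8, 0): 20, (8, 1): 11, (9, 0): 5}

# Assumed format: "8.1.10" or "8.1.10-h2" (hotfix suffix optional).
_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:-h(\d+))?$")


def parse_version(text):
    """Return (major, minor, maintenance, hotfix) as integers."""
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised PAN-OS version: {text!r}")
    major, minor, maint, hotfix = m.groups()
    return int(major), int(minor), int(maint), int(hotfix or 0)


def classify(version):
    """Return 'affected', 'fixed' or 'not-evaluated' for CVE-2019-17437."""
    major, minor, maint, _hotfix = parse_version(version)
    train = (major, minor)
    if train in FIXED:
        # A hotfix of an earlier maintenance release (e.g. 8.1.10-h2) is
        # still prior to the fixed release, so only the maintenance number
        # decides the outcome.
        return "affected" if maint < FIXED[train] else "fixed"
    if train > max(FIXED):
        return "fixed"  # "all subsequent versions"
    return "not-evaluated"  # 7.0 and prior EOL versions, or unknown trains


def audit(inventory):
    """Map each hostname in {hostname: version} to its classification."""
    return {host: classify(ver) for host, ver in inventory.items()}


# Constructed sample inventory (hostnames and versions are illustrative).
SAMPLE = {
    "fw-edge-01": "8.1.10-h2",
    "fw-dc-01": "9.0.5",
    "fw-lab-01": "7.0.19",
    "fw-branch-02": "8.0.19",
}

if __name__ == "__main__":
    for host, status in sorted(audit(SAMPLE).items()):
        print(f"{host}: {status}")
```

A result of "affected" only means the version is in range; per the advisory, exposure also requires a custom-role user to be configured on the device.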

Workarounds and Mitigations

Remove any untrusted custom-role users from the device or disable their access until fixes can be applied. Restrict access to the device to only trusted users.


Christophe Schleypen of NCIA / NCIRC