Kernel Vulnerability (PAN-SA-2017-0003)

Last revised: 04/28/2017

Summary

A vulnerability exists in the kernel of PAN-OS that may result in an elevation of privilege. This issue is publicly known as Dirty COW (ref # PAN-68074 / CVE-2016-5195).

Severity: High

PAN-OS may be impacted by the Dirty COW (CVE-2016-5195) attack. A race condition was found in the way the Linux kernel's memory subsystem handles the copy-on-write breakage of private read-only memory mappings. An attacker would first require access to a shell on the device before they could use this exploit. Shell access is significantly restricted on the device. The Command Line Interface (CLI) is not shell access and therefore this issue cannot be exploited by the CLI.

Products Affected

PAN-OS 5.1, PAN-OS 6.0, PAN-OS 6.1, PAN-OS 7.0.13, PAN-OS 7.1.7 and earlier

Available Updates

PAN-OS 7.0.14 and later, PAN-OS 7.1.8 and later

Workarounds and Mitigations

Palo Alto Networks recommends to implement best practice by allowing web interface access only to a dedicated management network. Additionally, restrict the set of IP addresses to a subset of authorized sources that you allow to interact with the management network.

Acknowledgements

N/A