CVE-2016-3654 Command Injection in Command Line Interface
Description
Palo Alto Networks firewalls implement a command line interface for interactive configuration through a serial interface or a remote SSH session. An issue was identified that can cause incorrect parsing of a specific SSH command parameter, leading to arbitrary command execution on the OS level. This vulnerability requires successful authentication but can be used to execute OS commands with root privileges if the logged on user has administrative privileges. (Ref #89706) (CVE-2016-3654)
This vulnerability is exploitable only by authenticated administrators that are granted access to the device management CLI.
This issue affects PAN-OS releases 5.0.17 and prior; 5.1.10 and prior; 6.0.12 and prior; 6.1.9 and prior; 7.0.5 and prior
Product Status
| Versions | Affected | Unaffected |
|---|---|---|
| PAN-OS 7.0 | <= 7.0.5 | >= 7.0.5H2 |
| PAN-OS 6.1 | <= 6.1.9 | >= 6.1.10 |
| PAN-OS 6.0 | <= 6.0.12 | >= 6.0.13 |
| PAN-OS 5.1 | <= 5.1.10 | >= 5.1.11 |
| PAN-OS 5.0 | <= 5.0.17 | >= 5.0.18 |
Severity: HIGH
CVSSv3.1 Base Score: 7.2 (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H)
Weakness Type
CWE-20 Improper Input Validation
Solution
PAN-OS releases 5.0.18 and newer; 5.1.11 and newer; 6.0.13 and newer; 6.1.10 and newer; 7.0.5H2 and newer
Workarounds and Mitigations
This issue only affects authenticated device users and Panorama users with CLI access enabled. Deployments making use of Role-Based Access Control (RBAC) do not offer CLI access by default. As a best practice, CLI access should be carefully considered, and granted only when necessary to privileged administrators.