Last revised: 11/17/2016
Palo Alto Networks web management server improperly handles a buffer overflow. This can result in a possible remote code execution (RCE). (Ref # PAN-63073/102953/CVE-2016-9150)
An attacker with network access to the management web interface may be able to perform a remote code execution (RCE) or denial-of-service (DoS).
PAN-OS 5.0.19 and earlier; PAN-OS 5.1.12 and earlier; PAN-OS 6.0.14 and earlier; PAN-OS 6.1.14 and earlier; PAN-OS 7.0.10 and earlier; PAN-OS 7.1.5 and earlier
PAN-OS 5.0.20 and later; PAN-OS 5.1.13 and later; PAN-OS 6.0.15 and later; PAN-OS 6.1.15 and later; PAN-OS 7.0.11 and later; PAN-OS 7.1.6 and later
Palo Alto Networks recommends to implement best practice by allowing web interface access only to a dedicated management network. Additionally, restrict the set of IP addresses to a subset of authorized sources that you allow to interact with the management network.
Palo Alto Networks would like to thank Tavis Ormandy from the Google Security Team for reporting this issue to us.