PAN-SA-2024-0003 Informational Bulletin: Impact of OSS CVEs in Prisma SD-WAN ION
Informational
Description
The Palo Alto Networks Product Security Assurance team has evaluated the following open source software (OSS) CVEs as they relate to Prisma SD-WAN ION. While Prisma SD-WAN ION may include the affected OSS package, Prisma SD-WAN ION does not offer any scenarios required for an attacker to successfully exploit these vulnerabilities and is not impacted.
| CVE | Summary |
|---|---|
| CVE-2007-2768 | One-Time Passwords in Everything (OPIE) is not used on Prisma SD-WAN ION, so there is no impact. |
| CVE-2016-20012 | This is disputed by the OpenSSH maintainers and no official patch has been released for OpenSSH. This will not be treated as a valid vulnerability. |
| CVE-2021-41617 | AuthorizedKeysCommand and AuthorizedPrincipalsCommand are not set in sshd_config on Prisma SD-WAN ION devices, so there is no impact. |
| CVE-2023-28531 | Prisma SD-WAN ION devices do not use ssh-agent and are therefore not impacted. |
| CVE-2023-38408 | Prisma SD-WAN ION devices do not use ssh-agent and are therefore not impacted. |
| CVE-2023-51384 | Prisma SD-WAN ION devices do not use ssh-agent and are therefore not impacted. |
| CVE-2023-51385 | The configuration settings required for exploitation are not made available in ssh_config, and customers do not have the ability to modify ssh_config. Therefore, there is no impact. |
Product Status
| Versions | Affected | Unaffected |
|---|---|---|
| Prisma SD-WAN ION | None | All |
Exploitation Status
Palo Alto Networks is not aware of any malicious exploitation of these issues in Prisma SD-WAN ION.
Solution
No software updates are required at this time.