Last revised: 09/25/2014
Palo Alto Networks has become aware of a remote code execution vulnerability in the Bash shell utility. This vulnerability (CVE-2014-6271) allows for remote code execution through multiple vectors due to the way Bash is often used on linux systems for processing commands. Additional information can be found here: http://seclists.org/oss-sec/2014/q3/650
Successful attack requires that a user be able to add environmental variables to the bash environment. This is possible only for PAN-OS users that successfully authenticate to PAN-OS via SSH. Exploitation does not directly result in root access to the device, as injected commands are run with the OS privileges of the logged in user. Critical PAN-OS data is only writeable by the root user.
This issue affects PAN-OS and Panorama 5.0.14 and earlier; 5.1.9 and earlier; 6.0.5 and earlier; and 6.1.0 and earlier.
PAN-OS and Panorama 5.0.15; PAN-OS and Panorama 5.1.10; PAN-OS and Panorama 6.0.6; PAN-OS and Panorama 6.1.1.
This attack is mitigated by the fact that successful attack can only be performed by authenticated ssh PAN-OS users. As an additional mitigation, administrators can disable SSH access on any/all management interfaces configured on the device.