Information Disclosure in PAN-OS Management API Usage (PAN-SA-2019-0019)

Last revised: 07/15/2019

Summary

An Information Disclosure vulnerability exists in PAN-OS Management API usage (Ref # PAN-107239 and PAN-118869 / CVE-2019-1575).

Severity: Medium

Successful exploitation may allow an authenticated user with read-only privileges to extract the API key of the device and the username/password from the XML API (in PAN-OS) and possibly escalate the privileges granted to them.

Products Affected

PAN-OS 7.1.23 and earlier, PAN-OS 8.0.18 and earlier, PAN-OS 8.1.8-h4 and earlier, and PAN-OS 9.0.2 and earlier.

Available Updates

PAN-OS 7.1.24 and later, PAN-OS 8.0.19 and later, PAN-OS 8.1.8-h5 and later, and PAN-OS 9.0.2-h4 and later.
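A version check against the affected and fixed ranges above, added here as an example and not part of the advisory. It assumes PAN-OS versions are written as major.minor.maintenance with an optional -hN hotfix suffix, that a base release sorts below its own hotfixes, and that release trains not listed in the advisory cannot be classified from this page alone.

```python
import re
from typing import Dict, List, Optional, Tuple

# First fixed release per train, taken from the "Available Updates" section
# of PAN-SA-2019-0019 (CVE-2019-1575).
FIXED_VERSIONS: Dict[Tuple[int, int], str] = {
    (7, 1): "7.1.24",
    (8, 0): "8.0.19",
    (8, 1): "8.1.8-h5",
    (9, 0): "9.0.2-h4",
}

# Assumed format: major.minor.maintenance with optional "-hN" hotfix suffix.
VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:-h(\d+))?$")


def parse_panos_version(version: str) -> Tuple[int, int, int, int]:
    """Parse a PAN-OS version into a sortable tuple.

    A release without a hotfix is treated as hotfix 0, so "8.1.8" sorts
    below "8.1.8-h4" (assumption about the version scheme).
    """
    m = VERSION_RE.match(version.strip())
    if not m:
        raise ValueError(f"unrecognised PAN-OS version string: {version!r}")
    major, minor, maint, hotfix = m.groups()
    return (int(major), int(minor), int(maint), int(hotfix or 0))


def is_affected(version: str) -> Optional[bool]:
    """True if the version is in an affected range, False if it carries the
    fix, None if the release train is not covered by this advisory."""
    parsed = parse_panos_version(version)
    fixed = FIXED_VERSIONS.get(parsed[:2])
    if fixed is None:
        return None
    return parsed < parse_panos_version(fixed)


def devices_needing_upgrade(inventory: Dict[str, str]) -> List[str]:
    """Return the names of inventoried devices still running an affected build."""
    return sorted(name for name, ver in inventory.items() if is_affected(ver))


# Constructed sample inventory (hostnames and versions are made up).
SAMPLE_INVENTORY = {
    "fw-edge-01": "8.1.8-h4",   # affected: fix is 8.1.8-h5
    "fw-edge-02": "8.1.9",      # later maintenance release, not affected
    "fw-dc-01": "9.0.2",        # affected: fix is 9.0.2-h4
    "fw-lab-01": "7.1.24",      # first fixed 7.1 release
}
```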

Workarounds and Mitigations

Please see the detailed FAQ here: https://live.paloaltonetworks.com/t5/Customer-Advisories/Palo-Alto-Networks-Security-Advisory-PAN-SA-2019-0019/ta-p/276661.

Acknowledgements

Palo Alto Networks would like to thank Bartłomiej Stasiek of ING Tech Poland, Ruben Jacobi of ON2IT Group, and Michael E. Davis and Alycia N. Carey of the University of Arkansas for reporting this issue.