Palo Alto Networks Security Advisories / CVE-2024-3596

CVE-2024-3596 PAN-OS: CHAP and PAP When Used with RADIUS Authentication Lead to Privilege Escalation

047910
Severity 5.3 · MEDIUM
Urgency MODERATE
Response Effort MODERATE
Recovery AUTOMATIC
Value Density CONCENTRATED
Attack Vector NETWORK
Attack Complexity HIGH
Attack Requirements PRESENT
Automatable NO
User Interaction PASSIVE
Product Confidentiality NONE
Product Integrity NONE
Product Availability NONE
Privileges Required NONE
Subsequent Confidentiality HIGH
Subsequent Integrity HIGH
Subsequent Availability NONE

Description

This vulnerability allows an attacker performing a meddler-in-the-middle attack between Palo Alto Networks PAN-OS firewall and a RADIUS server to bypass authentication and escalate privileges to ‘superuser’ when RADIUS authentication is in use and either CHAP or PAP is selected in the RADIUS server profile.

CHAP and PAP are protocols with no Transport Layer Security (TLS), and hence vulnerable to meddler-in-the-middle attacks. Neither protocol should be used unless they are encapsulated by an encrypted tunnel. If they are in use, but are encapsulated within a TLS tunnel, they are not vulnerable to this attack.

For additional information regarding this vulnerability, please see https://blastradius.fail.

Product Status

VersionsAffectedUnaffected
Cloud NGFW NoneAll
PAN-OS 11.2NoneAll
PAN-OS 11.1< 11.1.3>= 11.1.3
PAN-OS 11.0< 11.0.4-h5, < 11.0.6>= 11.0.4-h5, 11.0.6 (ETA: 9/26)
PAN-OS 10.2< 10.2.10>= 10.2.10
PAN-OS 10.1< 10.1.14>= 10.1.14
PAN-OS 9.1< 9.1.19>= 9.1.19
Prisma Access AllNone (Fix ETA: September 15)

Required Configuration for Exposure

To be vulnerable, Palo Alto Networks PAN-OS firewalls must be configured to use CHAP or PAP as the authentication protocol for a RADIUS server. Note that PAP differs from EAP-TTLS with PAP, which is not vulnerable to this attack.

Severity: MEDIUM

CVSSv4.0 Base Score: 5.3 (CVSS:4.0/AV:N/AC:H/AT:P/PR:N/UI:P/VC:N/VI:N/VA:N/SC:H/SI:H/SA:N/AU:N/R:A/V:C/RE:M/U:Amber)

Exploitation Status

Palo Alto Networks is aware of proof of concept code demonstrating how to exploit this generic issue.

Weakness Type

CWE-290 Authentication Bypass by Spoofing

Solution

The best way to address this issue is by using encrypted and authenticated channels that offer modern cryptographic security guarantees.

Configure an alternate authentication mechanism if you are using RADIUS with a CHAP or PAP authentication protocol. PAN-OS provides the following alternate RADIUS authentication mechanisms: PEAP-MSCHAPv2 (default), PEAP with GTC, and EAP-TTLS with PAP. For more information, please see https://docs.paloaltonetworks.com/pan-os/11-1/pan-os-admin/authentication/configure-radius-authentication.

In addition, instead of using RADIUS, you can configure an alternate authentication mechanism using one of the options described here: https://docs.paloaltonetworks.com/pan-os/11-1/pan-os-admin/authentication.

If you are a Prisma Access customer using a RADIUS configuration with PAP or CHAP in your profile and have not applied one of the changes described above, you will be contacted to schedule an upgrade window.

PAN-OS 9.1.19, PAN-OS 10.1.14, PAN-OS 10.2.10, PAN-OS 11.0.7, PAN-OS 11.1.3, and all later PAN-OS versions add a new feature to enforce an authentication check in RADIUS. This new feature is disabled by default to match the existing behavior. To enable this feature, run the following commands:

set auth radius-require-msg-authentic yes

To confirm that the setting was correctly enabled, run the following command:

show auth radius-require-msg-authentic

If set correctly, the response will say "yes". This setting is persistent across reboots. No ‘commit’ is required for this to take effect.

Please note that this feature requires that the RADIUS server has been updated to support the new protocol changes, as detailed in https://kb.cert.org/vuls/id/456537. If your RADIUS authentication breaks when radius-require-msg-authentic is set to yes, please work with your RADIUS server vendor for support with the RADIUS server upgrade process.

Acknowledgments

Palo Alto Networks thanks Sharon Goldberg, Miro Haller, Nadia Heninger, Mike Milano, Dan Shumow, Marc Stevens, and Adam Suhl for discovering and reporting this issue.

Timeline

Clarified requirements for RADIUS server
Clarified versions for 11.0 branch
Initial publication
© 2024 Palo Alto Networks, Inc. All rights reserved.