Palo Alto Networks Security Advisories / CVE-2024-3596

CVE-2024-3596 PAN-OS: CHAP and PAP When Used with RADIUS Authentication Lead to Privilege Escalation

Urgency MODERATE

047910
Severity 5.3 · MEDIUM
Exploit Maturity N/A
Response Effort MODERATE
Recovery AUTOMATIC
Value Density CONCENTRATED
Attack Vector NETWORK
Attack Complexity HIGH
Attack Requirements PRESENT
Automatable NO
User Interaction PASSIVE
Product Confidentiality NONE
Product Integrity NONE
Product Availability NONE
Privileges Required NONE
Subsequent Confidentiality HIGH
Subsequent Integrity HIGH
Subsequent Availability NONE
CVE JSON CSAF
Published 2024-07-10
Updated 2025-04-30
Reference PAN-247511
Discovered externally

Description

This vulnerability allows an attacker performing a meddler-in-the-middle attack between Palo Alto Networks PAN-OS firewall and a RADIUS server to bypass authentication and escalate privileges to ‘superuser’ when RADIUS authentication is in use and either CHAP or PAP is selected in the RADIUS server profile.

CHAP and PAP are protocols with no Transport Layer Security (TLS), and hence vulnerable to meddler-in-the-middle attacks. Neither protocol should be used unless they are encapsulated by an encrypted tunnel. If they are in use, but are encapsulated within a TLS tunnel, they are not vulnerable to this attack.

For additional information regarding this vulnerability, please see https://blastradius.fail.

Product Status

VersionsAffectedUnaffected
Cloud NGFWNone
All
PAN-OS 11.2None
All
PAN-OS 11.1< 11.1.3
>= 11.1.3
PAN-OS 11.0< 11.0.4-h5
< 11.0.6
>= 11.0.4-h5
>= 11.0.6
PAN-OS 10.2< 10.2.4-h21
< 10.2.7-h21
< 10.2.8-h20
< 10.2.9-h8
< 10.2.10
>= 10.2.4-h21
>= 10.2.7-h21
>= 10.2.8-h20
>= 10.2.9-h8
>= 10.2.10
PAN-OS 10.1< 10.1.12-h4
< 10.1.14
>= 10.1.12-h4
>= 10.1.14
PAN-OS 9.1< 9.1.19
>= 9.1.19
Prisma AccessNone
All

Required Configuration for Exposure

To be vulnerable, Palo Alto Networks PAN-OS firewalls must be configured to use CHAP or PAP as the authentication protocol for a RADIUS server. Note that PAP differs from EAP-TTLS with PAP, which is not vulnerable to this attack.

Severity: MEDIUM, Suggested Urgency: MODERATE

CVSS-BT: 5.3 / CVSS-B: 5.3 (CVSS:4.0/AV:N/AC:H/AT:P/PR:N/UI:P/VC:N/VI:N/VA:N/SC:H/SI:H/SA:N/AU:N/R:A/V:C/RE:M/U:Amber)

Exploitation Status

Palo Alto Networks is aware of proof of concept code demonstrating how to exploit this generic issue.

Weakness Type

CWE-290 Authentication Bypass by Spoofing

Solution

The best way to address this issue is by using encrypted and authenticated channels that offer modern cryptographic security guarantees.

Configure an alternate authentication mechanism if you are using RADIUS with a CHAP or PAP authentication protocol. PAN-OS provides the following alternate RADIUS authentication mechanisms: PEAP-MSCHAPv2 (default), PEAP with GTC, and EAP-TTLS with PAP. For more information, please see https://docs.paloaltonetworks.com/pan-os/11-1/pan-os-admin/authentication/configure-radius-authentication.

In addition, instead of using RADIUS, you can configure an alternate authentication mechanism using one of the options described here: https://docs.paloaltonetworks.com/pan-os/11-1/pan-os-admin/authentication.

If you are a Prisma Access customer using a RADIUS configuration with PAP or CHAP in your profile and have not applied one of the changes described above, please reach out to TAC/CS to schedule an upgrade window.

PAN-OS 9.1.19, PAN-OS 10.1.14, PAN-OS 10.2.10, PAN-OS 11.0.7, PAN-OS 11.1.3, and all later PAN-OS versions add a new feature to enforce an authentication check in RADIUS. This new feature is disabled by default to match the existing behavior. To enable this feature, run the following commands:

set auth radius-require-msg-authentic yes

To confirm that the setting was correctly enabled, run the following command:

show auth radius-require-msg-authentic

If set correctly, the response will say "yes". This setting is persistent across reboots. No ‘commit’ is required for this to take effect.

Please note that this feature requires that the RADIUS server has been updated to support the new protocol changes, as detailed in https://kb.cert.org/vuls/id/456537. If your RADIUS authentication breaks when radius-require-msg-authentic is set to yes, please work with your RADIUS server vendor for support with the RADIUS server upgrade process.

Workarounds and Mitigations

TBD

Acknowledgments

Palo Alto Networks thanks Sharon Goldberg, Miro Haller, Nadia Heninger, Mike Milano, Dan Shumow, Marc Stevens, and Adam Suhl for discovering and reporting this issue.

CPEs

cpe:2.3:o:paloaltonetworks:pan-os:11.1.2:*:*:*:*:*:*:*

cpe:2.3:o:paloaltonetworks:pan-os:11.1.1:*:*:*:*:*:*:*

cpe:2.3:o:paloaltonetworks:pan-os:11.1.0:*:*:*:*:*:*:*

cpe:2.3:o:paloaltonetworks:pan-os:11.0.5:*:*:*:*:*:*:*

cpe:2.3:o:paloaltonetworks:pan-os:11.0.4:h4:*:*:*:*:*:*

cpe:2.3:o:paloaltonetworks:pan-os:11.0.4:h3:*:*:*:*:*:*

cpe:2.3:o:paloaltonetworks:pan-os:11.0.4:h2:*:*:*:*:*:*

cpe:2.3:o:paloaltonetworks:pan-os:11.0.4:h1:*:*:*:*:*:*

cpe:2.3:o:paloaltonetworks:pan-os:11.0.4:-:*:*:*:*:*:*

cpe:2.3:o:paloaltonetworks:pan-os:11.0.3:*:*:*:*:*:*:*

cpe:2.3:o:paloaltonetworks:pan-os:11.0.2:*:*:*:*:*:*:*

cpe:2.3:o:paloaltonetworks:pan-os:11.0.1:*:*:*:*:*:*:*

cpe:2.3:o:paloaltonetworks:pan-os:11.0.0:*:*:*:*:*:*:*

cpe:2.3:o:paloaltonetworks:pan-os:10.2.9:h7:*:*:*:*:*:*

cpe:2.3:o:paloaltonetworks:pan-os:10.2.9:h6:*:*:*:*:*:*

cpe:2.3:o:paloaltonetworks:pan-os:10.2.9:h5:*:*:*:*:*:*

cpe:2.3:o:paloaltonetworks:pan-os:10.2.9:h4:*:*:*:*:*:*

cpe:2.3:o:paloaltonetworks:pan-os:10.2.9:h3:*:*:*:*:*:*

cpe:2.3:o:paloaltonetworks:pan-os:10.2.9:h2:*:*:*:*:*:*

cpe:2.3:o:paloaltonetworks:pan-os:10.2.9:h1:*:*:*:*:*:*

cpe:2.3:o:paloaltonetworks:pan-os:10.2.9:-:*:*:*:*:*:*

cpe:2.3:o:paloaltonetworks:pan-os:10.2.8:h19:*:*:*:*:*:*

cpe:2.3:o:paloaltonetworks:pan-os:10.2.8:h18:*:*:*:*:*:*

cpe:2.3:o:paloaltonetworks:pan-os:10.2.8:h17:*:*:*:*:*:*

cpe:2.3:o:paloaltonetworks:pan-os:10.2.8:h16:*:*:*:*:*:*

cpe:2.3:o:paloaltonetworks:pan-os:10.2.8:h15:*:*:*:*:*:*

cpe:2.3:o:paloaltonetworks:pan-os:10.2.8:h14:*:*:*:*:*:*

cpe:2.3:o:paloaltonetworks:pan-os:10.2.8:h13:*:*:*:*:*:*

cpe:2.3:o:paloaltonetworks:pan-os:10.2.8:h12:*:*:*:*:*:*

cpe:2.3:o:paloaltonetworks:pan-os:10.2.8:h11:*:*:*:*:*:*

cpe:2.3:o:paloaltonetworks:pan-os:10.2.8:h10:*:*:*:*:*:*

cpe:2.3:o:paloaltonetworks:pan-os:10.2.8:h9:*:*:*:*:*:*

cpe:2.3:o:paloaltonetworks:pan-os:10.2.8:h8:*:*:*:*:*:*

cpe:2.3:o:paloaltonetworks:pan-os:10.2.8:h7:*:*:*:*:*:*

cpe:2.3:o:paloaltonetworks:pan-os:10.2.8:h6:*:*:*:*:*:*

cpe:2.3:o:paloaltonetworks:pan-os:10.2.8:h5:*:*:*:*:*:*

cpe:2.3:o:paloaltonetworks:pan-os:10.2.8:h4:*:*:*:*:*:*

cpe:2.3:o:paloaltonetworks:pan-os:10.2.8:h3:*:*:*:*:*:*

cpe:2.3:o:paloaltonetworks:pan-os:10.2.8:h2:*:*:*:*:*:*

cpe:2.3:o:paloaltonetworks:pan-os:10.2.8:h1:*:*:*:*:*:*

cpe:2.3:o:paloaltonetworks:pan-os:10.2.8:-:*:*:*:*:*:*

cpe:2.3:o:paloaltonetworks:pan-os:10.2.7:h20:*:*:*:*:*:*

cpe:2.3:o:paloaltonetworks:pan-os:10.2.7:h19:*:*:*:*:*:*

cpe:2.3:o:paloaltonetworks:pan-os:10.2.7:h18:*:*:*:*:*:*

cpe:2.3:o:paloaltonetworks:pan-os:10.2.7:h17:*:*:*:*:*:*

cpe:2.3:o:paloaltonetworks:pan-os:10.2.7:h16:*:*:*:*:*:*

cpe:2.3:o:paloaltonetworks:pan-os:10.2.7:h15:*:*:*:*:*:*

cpe:2.3:o:paloaltonetworks:pan-os:10.2.7:h14:*:*:*:*:*:*

cpe:2.3:o:paloaltonetworks:pan-os:10.2.7:h13:*:*:*:*:*:*

cpe:2.3:o:paloaltonetworks:pan-os:10.2.7:h12:*:*:*:*:*:*

cpe:2.3:o:paloaltonetworks:pan-os:10.2.7:h11:*:*:*:*:*:*

cpe:2.3:o:paloaltonetworks:pan-os:10.2.7:h10:*:*:*:*:*:*

cpe:2.3:o:paloaltonetworks:pan-os:10.2.7:h9:*:*:*:*:*:*

cpe:2.3:o:paloaltonetworks:pan-os:10.2.7:h8:*:*:*:*:*:*

cpe:2.3:o:paloaltonetworks:pan-os:10.2.7:h7:*:*:*:*:*:*

cpe:2.3:o:paloaltonetworks:pan-os:10.2.7:h6:*:*:*:*:*:*

cpe:2.3:o:paloaltonetworks:pan-os:10.2.7:h5:*:*:*:*:*:*

cpe:2.3:o:paloaltonetworks:pan-os:10.2.7:h4:*:*:*:*:*:*

cpe:2.3:o:paloaltonetworks:pan-os:10.2.7:h3:*:*:*:*:*:*

cpe:2.3:o:paloaltonetworks:pan-os:10.2.7:h2:*:*:*:*:*:*

cpe:2.3:o:paloaltonetworks:pan-os:10.2.7:h1:*:*:*:*:*:*

cpe:2.3:o:paloaltonetworks:pan-os:10.2.7:-:*:*:*:*:*:*

cpe:2.3:o:paloaltonetworks:pan-os:10.2.6:*:*:*:*:*:*:*

cpe:2.3:o:paloaltonetworks:pan-os:10.2.5:*:*:*:*:*:*:*

cpe:2.3:o:paloaltonetworks:pan-os:10.2.4:h20:*:*:*:*:*:*

cpe:2.3:o:paloaltonetworks:pan-os:10.2.4:h19:*:*:*:*:*:*

cpe:2.3:o:paloaltonetworks:pan-os:10.2.4:h18:*:*:*:*:*:*

cpe:2.3:o:paloaltonetworks:pan-os:10.2.4:h17:*:*:*:*:*:*

cpe:2.3:o:paloaltonetworks:pan-os:10.2.4:h16:*:*:*:*:*:*

cpe:2.3:o:paloaltonetworks:pan-os:10.2.4:h15:*:*:*:*:*:*

cpe:2.3:o:paloaltonetworks:pan-os:10.2.4:h14:*:*:*:*:*:*

cpe:2.3:o:paloaltonetworks:pan-os:10.2.4:h13:*:*:*:*:*:*

cpe:2.3:o:paloaltonetworks:pan-os:10.2.4:h12:*:*:*:*:*:*

cpe:2.3:o:paloaltonetworks:pan-os:10.2.4:h11:*:*:*:*:*:*

cpe:2.3:o:paloaltonetworks:pan-os:10.2.4:h10:*:*:*:*:*:*

cpe:2.3:o:paloaltonetworks:pan-os:10.2.4:h9:*:*:*:*:*:*

cpe:2.3:o:paloaltonetworks:pan-os:10.2.4:h8:*:*:*:*:*:*

cpe:2.3:o:paloaltonetworks:pan-os:10.2.4:h7:*:*:*:*:*:*

cpe:2.3:o:paloaltonetworks:pan-os:10.2.4:h6:*:*:*:*:*:*

cpe:2.3:o:paloaltonetworks:pan-os:10.2.4:h5:*:*:*:*:*:*

cpe:2.3:o:paloaltonetworks:pan-os:10.2.4:h4:*:*:*:*:*:*

cpe:2.3:o:paloaltonetworks:pan-os:10.2.4:h3:*:*:*:*:*:*

cpe:2.3:o:paloaltonetworks:pan-os:10.2.4:h2:*:*:*:*:*:*

cpe:2.3:o:paloaltonetworks:pan-os:10.2.4:h1:*:*:*:*:*:*

cpe:2.3:o:paloaltonetworks:pan-os:10.2.4:-:*:*:*:*:*:*

cpe:2.3:o:paloaltonetworks:pan-os:10.2.3:*:*:*:*:*:*:*

cpe:2.3:o:paloaltonetworks:pan-os:10.2.2:*:*:*:*:*:*:*

cpe:2.3:o:paloaltonetworks:pan-os:10.2.1:*:*:*:*:*:*:*

cpe:2.3:o:paloaltonetworks:pan-os:10.2.0:*:*:*:*:*:*:*

cpe:2.3:o:paloaltonetworks:pan-os:10.1.13:*:*:*:*:*:*:*

cpe:2.3:o:paloaltonetworks:pan-os:10.1.12:h3:*:*:*:*:*:*

cpe:2.3:o:paloaltonetworks:pan-os:10.1.12:h2:*:*:*:*:*:*

cpe:2.3:o:paloaltonetworks:pan-os:10.1.12:h1:*:*:*:*:*:*

cpe:2.3:o:paloaltonetworks:pan-os:10.1.12:-:*:*:*:*:*:*

cpe:2.3:o:paloaltonetworks:pan-os:10.1.11:*:*:*:*:*:*:*

cpe:2.3:o:paloaltonetworks:pan-os:10.1.10:*:*:*:*:*:*:*

cpe:2.3:o:paloaltonetworks:pan-os:10.1.9:*:*:*:*:*:*:*

cpe:2.3:o:paloaltonetworks:pan-os:10.1.8:*:*:*:*:*:*:*

cpe:2.3:o:paloaltonetworks:pan-os:10.1.7:*:*:*:*:*:*:*

cpe:2.3:o:paloaltonetworks:pan-os:10.1.6:*:*:*:*:*:*:*

cpe:2.3:o:paloaltonetworks:pan-os:10.1.5:*:*:*:*:*:*:*

cpe:2.3:o:paloaltonetworks:pan-os:10.1.4:*:*:*:*:*:*:*

cpe:2.3:o:paloaltonetworks:pan-os:10.1.3:*:*:*:*:*:*:*

cpe:2.3:o:paloaltonetworks:pan-os:10.1.2:*:*:*:*:*:*:*

cpe:2.3:o:paloaltonetworks:pan-os:10.1.1:*:*:*:*:*:*:*

cpe:2.3:o:paloaltonetworks:pan-os:10.1.0:*:*:*:*:*:*:*

cpe:2.3:o:paloaltonetworks:pan-os:9.1.18:*:*:*:*:*:*:*

cpe:2.3:o:paloaltonetworks:pan-os:9.1.17:*:*:*:*:*:*:*

cpe:2.3:o:paloaltonetworks:pan-os:9.1.16:*:*:*:*:*:*:*

cpe:2.3:o:paloaltonetworks:pan-os:9.1.15:*:*:*:*:*:*:*

cpe:2.3:o:paloaltonetworks:pan-os:9.1.14:*:*:*:*:*:*:*

cpe:2.3:o:paloaltonetworks:pan-os:9.1.13:*:*:*:*:*:*:*

cpe:2.3:o:paloaltonetworks:pan-os:9.1.12:*:*:*:*:*:*:*

cpe:2.3:o:paloaltonetworks:pan-os:9.1.11:*:*:*:*:*:*:*

cpe:2.3:o:paloaltonetworks:pan-os:9.1.10:*:*:*:*:*:*:*

cpe:2.3:o:paloaltonetworks:pan-os:9.1.9:*:*:*:*:*:*:*

cpe:2.3:o:paloaltonetworks:pan-os:9.1.8:*:*:*:*:*:*:*

cpe:2.3:o:paloaltonetworks:pan-os:9.1.7:*:*:*:*:*:*:*

cpe:2.3:o:paloaltonetworks:pan-os:9.1.6:*:*:*:*:*:*:*

cpe:2.3:o:paloaltonetworks:pan-os:9.1.5:*:*:*:*:*:*:*

cpe:2.3:o:paloaltonetworks:pan-os:9.1.4:*:*:*:*:*:*:*

cpe:2.3:o:paloaltonetworks:pan-os:9.1.3:*:*:*:*:*:*:*

cpe:2.3:o:paloaltonetworks:pan-os:9.1.2:*:*:*:*:*:*:*

cpe:2.3:o:paloaltonetworks:pan-os:9.1.1:*:*:*:*:*:*:*

cpe:2.3:o:paloaltonetworks:pan-os:9.1.0:*:*:*:*:*:*:*

cpe:2.3:undefined:paloaltonetworks:palo_alto_networks_pan-os:9.1.7:-:*:*:*:*:*:*

Timeline

Updated fix availability for PAN-OS 10.1, 10.2, and Prisma Access
Clarified requirements for RADIUS server
Clarified versions for 11.0 branch
Initial publication
Terms of usePrivacyProduct Security Assurance and Vulnerability Disclosure PolicyReport vulnerabilitiesManage subscriptions
© 2025 Palo Alto Networks, Inc. All rights reserved.