CVE-2024-5916 PAN-OS: Cleartext Exposure of External System Secrets
Description
An information exposure vulnerability in Palo Alto Networks PAN-OS software enables a local system administrator to unintentionally disclose secrets, passwords, and tokens of external systems. A read-only administrator who has access to the config log, can read secrets, passwords, and tokens to external systems.
Product Status
| Versions | Affected | Unaffected |
|---|---|---|
| Cloud NGFW | Before 8/15 on Azure, Before 8/23 on AWS | On or after 8/15 on Azure, On or after 8/23 on AWS |
| PAN-OS 11.1 | None | All |
| PAN-OS 11.0 | < 11.0.4 | >= 11.0.4 |
| PAN-OS 10.2 | < 10.2.8 | >= 10.2.8 |
| PAN-OS 10.1 | None | All |
| PAN-OS 9.1 | None | All |
| Prisma Access | None | All |
Severity: MEDIUM
CVSSv4.0 Base Score: 6 (CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:P/VC:L/VI:N/VA:N/SC:H/SI:N/SA:N/AU:N/R:U/V:C/RE:H/U:Amber)
Exploitation Status
Palo Alto Networks is not aware of any malicious exploitation of this issue.
Weakness Type
CWE-313: Cleartext Storage in a File or on Disk
Solution
This issue is fixed in PAN-OS 10.2.8, PAN-OS 11.0.4, and all later PAN-OS versions. This issue is fixed in Cloud NGFW on or after 8/15 on Azure, Cloud NGFW on or after 8/23 on AWS, and all later Cloud NGFW versions.
You should also revoke the secrets, passwords, and tokens that are configured in all server profiles of affected PAN-OS firewalls (Device > Server Profiles) after upgrading PAN-OS.