CVE-2024-9471 PAN-OS: Privilege Escalation (PE) Vulnerability in XML API
Description
A privilege escalation (PE) vulnerability in the XML API of Palo Alto Networks PAN-OS software enables an authenticated PAN-OS administrator with restricted privileges to use a compromised XML API key to perform actions as a higher privileged PAN-OS administrator beyond what the XML API permits.
Product Status
| Versions | Affected | Unaffected |
|---|---|---|
| Cloud NGFW | None | All |
| PAN-OS 11.1 | None | All |
| PAN-OS 11.0 | < 11.0.3 | >= 11.0.3 |
| PAN-OS 10.2 | < 10.2.8 | >= 10.2.8 |
| PAN-OS 10.1 | < 10.1.11 | >= 10.1.11 |
| PAN-OS 9.1 | All | None |
| PAN-OS 9.0 | All | None |
| Prisma Access | None | All |
Required Configuration for Exposure
This issue is applicable only to PAN-OS configurations that have XML API access enabled.
You can find more information about the XML API here: https://docs.paloaltonetworks.com/pan-os/11-1/pan-os-panorama-api/pan-os-api-authentication/enable-api-access
Severity: MEDIUM, Suggested Urgency: REDUCED
CVSS-B: 5.1 (CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/AU:N/R:A/V:D/RE:L/U:Green)
Exploitation Status
Palo Alto Networks is not aware of any malicious exploitation of this issue.
Weakness Type
CWE-269 Improper Privilege Management
Solution
This issue is fixed in PAN-OS 10.1.11, PAN-OS 10.2.8, PAN-OS 11.0.3, and all later PAN-OS versions.
Workarounds and Mitigations
This issue requires the attacker to have authenticated access to the PAN-OS XML API. You can mitigate the effect this issue has on your environment by following the Administrative Access Best Practices in the PAN-OS technical documentation at https://docs.paloaltonetworks.com/best-practices.
Each XML API key is associated with a specific user. XML API keys are not meant to be shared between users.