Palo Alto Networks Security Advisories / CVE-2019-17437

CVE-2019-17437 PAN-OS: Custom-role users may escalate privileges


047910
Severity 7.8 · HIGH
Attack Vector LOCAL
Scope UNCHANGED
Attack Complexity LOW
Confidentiality Impact HIGH
Privileges Required LOW
Integrity Impact HIGH
User Interaction NONE
Availability Impact HIGH

Description

An improper authentication check in Palo Alto Networks PAN-OS may allow an authenticated low privileged non-superuser custom role user to elevate privileges and become superuser.

This issue affects PAN-OS 7.1 versions prior to 7.1.25; 8.0 versions prior to 8.0.20; 8.1 versions prior to 8.1.11; 9.0 versions prior to 9.0.5.

PAN-OS version 7.0 and prior EOL versions have not been evaluated for this issue.

Product Status

VersionsAffectedUnaffected
PAN-OS 9.0< 9.0.5>= 9.0.5
PAN-OS 8.1< 8.1.11>= 8.1.11
PAN-OS 8.0< 8.0.20>= 8.0.20
PAN-OS 7.1< 7.1.25>= 7.1.25

Releases <= 7.0 have not been evaluated.

Required Configuration for Exposure

This issue only affects devices configured with a low privileged custom role user with any combination of roles or privileges.

Severity: HIGH

CVSSv3.1 Base Score: 7.8 (CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H)

Weakness Type

CWE-280 Improper Handling of Insufficient Permissions or Privileges

Solution

This issue has been resolved in 7.1.25, 8.0.20, 8.1.11, 9.0.5 and all subsequent versions.

Workarounds and Mitigations

Remove any untrusted custom-role users from the device or disable their access until fixes can be applied. Restrict access to the device to only trusted users.

Acknowledgments

Palo Alto Networks thanks Christophe Schleypen of NCIA / NCIRC for discovering and reporting the issue.
© 2024 Palo Alto Networks, Inc. All rights reserved.