Palo Alto Networks Security Advisories / CVE-2019-17437

CVE-2019-17437 PAN-OS: Custom-role users may escalate privileges

047910
Severity 7.8 · HIGH
Attack Vector LOCAL
Scope UNCHANGED
Attack Complexity LOW
Confidentiality Impact HIGH
Privileges Required LOW
Integrity Impact HIGH
User Interaction NONE
Availability Impact HIGH
NVD JSON
Published 2019-12-04
Updated
Reference PAN-115697 PAN-SA-2019-0038
Discovered externally

Description

An improper authentication check in Palo Alto Networks PAN-OS may allow an authenticated low privileged non-superuser custom role user to elevate privileges and become superuser.

This issue affects PAN-OS 7.1 versions prior to 7.1.25; 8.0 versions prior to 8.0.20; 8.1 versions prior to 8.1.11; 9.0 versions prior to 9.0.5.

PAN-OS version 7.0 and prior EOL versions have not been evaluated for this issue.

Product Status

VersionsAffectedUnaffected
PAN-OS 9.0< 9.0.5>= 9.0.5
PAN-OS 8.1< 8.1.11>= 8.1.11
PAN-OS 8.0< 8.0.20>= 8.0.20
PAN-OS 7.1< 7.1.25>= 7.1.25

Releases <= 7.0 have not been evaluated.

Required Configuration for Exposure

This issue only affects devices configured with a low privileged custom role user with any combination of roles or privileges.

Severity: HIGH

CVSSv3.1 Base Score: 7.8 (CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H)

Weakness Type

CWE-280 Improper Handling of Insufficient Permissions or Privileges

Solution

This issue has been resolved in 7.1.25, 8.0.20, 8.1.11, 9.0.5 and all subsequent versions.

Workarounds and Mitigations

Remove any untrusted custom-role users from the device or disable their access until fixes can be applied. Restrict access to the device to only trusted users.

Acknowledgments

Christophe Schleypen of NCIA / NCIRC
Terms of usePrivacyProduct Security Assurance and Vulnerability Disclosure PolicyReport vulnerabilitiesManage subscriptions
© 2024 Palo Alto Networks, Inc. All rights reserved.