PAN-SA-2015-0005 Device management authentication bypass
Description
Devices running PAN-OS 7.0.0 (including Panorama) that are configured to use LDAP for captive portal or device management authentication do not properly perform authentication against the LDAP server in specific cases, leading to an authentication bypass. Devices that use RADIUS or local authentication instead of LDAP are not affected, nor are devices running PAN-OS releases earlier than 7.0.0; authentication attempts from GlobalProtect clients are also unaffected.
This vulnerability can lead to authentication bypass for captive portal or device management login attempts.
This issue only affects PAN-OS 7.0.0.
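The following triage script is an added example written for this page; it is not Palo Alto Networks code and is not part of the advisory. It decides whether a device is in the affected state the Description defines: PAN-OS exactly 7.0.0 combined with an LDAP authentication profile that is referenced by an administrator account (device management) or by a captive portal configuration. It reads the XML returned by the PAN-OS XML API for `show system info` and the running configuration. The configuration paths it searches (`authentication-profile/entry/method/ldap`, `mgt-config/users/entry/authentication-profile`, `devices/entry/vsys/entry/captive-portal/authentication-profile`) are assumptions about the configuration layout, and the sample XML is constructed for the example, not captured from a device.

```python
"""Triage helper for PAN-SA-2015-0005 (added example, not vendor code).

Affected state = PAN-OS 7.0.0 AND an LDAP authentication profile used for
device management (admin accounts) or captive portal. Hotfix suffixes such
as "7.0.1-h2" are stripped before comparing the base release.
"""
import xml.etree.ElementTree as ET
from typing import Dict, List, Set, Tuple

AFFECTED_VERSION = (7, 0, 0)


def parse_version(sw_version: str) -> Tuple[int, ...]:
    """'7.0.1-h2' -> (7, 0, 1); a hotfix suffix does not change the release."""
    base = sw_version.strip().split("-")[0]
    return tuple(int(part) for part in base.split("."))


def is_affected_version(sw_version: str) -> bool:
    """Only the 7.0.0 release is affected; 7.0.1 and later are fixed."""
    return parse_version(sw_version) == AFFECTED_VERSION


def ldap_profile_names(config_root: ET.Element) -> Set[str]:
    """Names of authentication profiles whose method is LDAP.
    Assumed layout: <authentication-profile><entry name=..><method><ldap/>."""
    names = set()
    for container in config_root.iter("authentication-profile"):
        for entry in container.findall("entry"):
            if entry.find("method/ldap") is not None:
                names.add(entry.get("name"))
    return names


def ldap_uses(config_root: ET.Element) -> List[Tuple[str, str]]:
    """(subject, profile) pairs where management or captive portal
    authentication refers to an LDAP profile. Paths are assumptions."""
    ldap = ldap_profile_names(config_root)
    uses = []
    # Admin accounts authenticating through a profile (assumed path).
    for user in config_root.findall("./mgt-config/users/entry"):
        prof = user.findtext("authentication-profile")
        if prof in ldap:
            uses.append(("admin user " + user.get("name"), prof))
    # Captive portal profile per vsys (assumed path).
    for vsys in config_root.findall("./devices/entry/vsys/entry"):
        prof = vsys.findtext("captive-portal/authentication-profile")
        if prof in ldap:
            uses.append(("captive portal " + vsys.get("name"), prof))
    return uses


def assess(sysinfo_xml: str, config_xml: str) -> Dict:
    """Combine the version check with the configuration check."""
    sysinfo = ET.fromstring(sysinfo_xml)
    version = sysinfo.findtext(".//sw-version") or ""
    uses = ldap_uses(ET.fromstring(config_xml))
    vulnerable_version = is_affected_version(version)
    return {
        "hostname": sysinfo.findtext(".//hostname"),
        "version": version,
        "vulnerable_version": vulnerable_version,
        "ldap_in_use": uses,
        # Exposed only when BOTH conditions hold.
        "affected": vulnerable_version and bool(uses),
    }


# Constructed sample data for the example (not from a real device).
SAMPLE_SYSINFO = """<response status="success"><result><system>
<hostname>fw-edge-1</hostname><sw-version>7.0.0</sw-version>
</system></result></response>"""

SAMPLE_CONFIG = """<config>
<shared><authentication-profile>
 <entry name="corp-ldap"><method><ldap>
  <server-profile>corp-ldap-servers</server-profile></ldap></method></entry>
 <entry name="corp-radius"><method><radius>
  <server-profile>corp-radius-servers</server-profile></radius></method></entry>
</authentication-profile></shared>
<mgt-config><users>
 <entry name="admin"><phash>x</phash></entry>
 <entry name="ops-jane"><authentication-profile>corp-ldap</authentication-profile></entry>
</users></mgt-config>
<devices><entry name="localhost.localdomain"><vsys><entry name="vsys1">
 <captive-portal><authentication-profile>corp-radius</authentication-profile></captive-portal>
</entry></vsys></entry></devices>
</config>"""

if __name__ == "__main__":
    report = assess(SAMPLE_SYSINFO, SAMPLE_CONFIG)
    for key, value in report.items():
        print(f"{key}: {value}")
```

In the constructed sample the admin account `ops-jane` authenticates through the LDAP profile while captive portal uses RADIUS, so the device is reported as affected through device management only; changing the version string to 7.0.1 clears the finding regardless of configuration.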
Product Status
| Versions | Affected | Unaffected |
|---|---|---|
| PAN-OS 7.0 | 7.0.0 | >= 7.0.1 |
Severity: CRITICAL
CVSSv3.1 Base Score: 9.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
Solution
Upgrade to PAN-OS 7.0.1 or a later release.
Workarounds and Mitigations
This issue only affects firewalls and Panorama configured to use LDAP for captive portal or device management authentication. Until the fixed release is installed, it is strongly mitigated by following security appliance management best practices: isolate the management interface and restrict network access to it strictly to security administration personnel. Note that this mitigation covers the device management case only; captive portal login pages are reachable by users on the networks the firewall serves. As the Description notes, RADIUS and local authentication are not affected, so temporarily using one of those methods instead of LDAP for captive portal and device management removes the exposure until the upgrade to 7.0.1 is complete.