Palo Alto Networks Security Advisories / PAN-SA-2016-0007

PAN-SA-2016-0007 User-ID Agent API Access


Severity: MEDIUM (CVSSv3.1 base score 5.3)
Attack Vector: LOCAL
Attack Complexity: HIGH
Privileges Required: HIGH
User Interaction: NONE
Scope: CHANGED
Confidentiality Impact: HIGH
Integrity Impact: NONE
Availability Impact: NONE

Description

The Palo Alto Networks User-ID agent for Windows implements an API for retrieving the agent's configuration. This TLS-secured API call returns the encrypted credentials of the domain account configured on the User-ID agent; that account has read-only rights to the Security Event Logs on the Domain Controllers. Anyone who can reach the User-ID agent Service TCP port can retrieve the encrypted password by invoking this API. (Ref #93349)

Only users who possess network level access to the User-ID agent Service TCP port can invoke this API.

This issue affects Windows hosts running any version of the User-ID agent up to and including 7.0.3.

Product Status

Versions                Affected    Unaffected
User-ID Agent 7.0       <= 7.0.3    >= 7.0.4 on Windows

Severity: MEDIUM

CVSSv3.1 Base Score: 5.3 (CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:C/C:H/I:N/A:N)

Solution

This issue is fixed in User-ID agent 7.0.4 and all later releases.

Workarounds and Mitigations

Only users with network-level access to the User-ID agent Service TCP port can make this API call. Palo Alto Networks recommends that the host running the User-ID agent be placed under the same network-level access restrictions as the Domain Controllers: the agent host should be able to reach only the Domain Controllers, and it should be reachable only by Palo Alto Networks firewalls, so that no other party can connect to the agent directly.
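The following is an added example, not part of the advisory and not Palo Alto Networks' own guidance, showing how the inbound half of that recommendation can be enforced on the Windows host itself with the built-in firewall, alongside a check that it took effect. It assumes the agent listens on its default TCP port 5007 and that the firewalls' management addresses are 10.10.0.11 and 10.10.0.12; both are placeholders to adjust for your deployment. Network ACLs in front of the host should enforce the same restriction, since a host-level rule does nothing if the agent host is compromised some other way.

```powershell
# Added example (not from the advisory): restrict the User-ID agent service
# port to the Palo Alto Networks firewalls, on the Windows host running the agent.
# Assumptions: the agent listens on TCP 5007 (its default; change to match your
# configuration) and the firewalls' management addresses are 10.10.0.11/10.10.0.12.
$AgentPort   = 5007
$FirewallIPs = @('10.10.0.11', '10.10.0.12')
$RuleName    = 'PAN User-ID Agent - allow firewalls only'

# 1. Inventory every enabled inbound rule that already opens the agent port.
#    An installer- or admin-created rule with RemoteAddress 'Any' is the weak
#    setting: it exposes the configuration API to every routable host.
Get-NetFirewallPortFilter |
    Where-Object { $_.Protocol -eq 'TCP' -and $_.LocalPort -eq "$AgentPort" } |
    Get-NetFirewallRule |
    Where-Object { $_.Direction -eq 'Inbound' -and $_.Enabled -eq 'True' } |
    ForEach-Object {
        $remote = ($_ | Get-NetFirewallAddressFilter).RemoteAddress -join ','
        [pscustomobject]@{ Rule = $_.DisplayName; Action = $_.Action; RemoteAddress = $remote }
    } | Format-Table -AutoSize
# Any rule listed above with RemoteAddress 'Any' must be scoped down or removed, e.g.
#   Set-NetFirewallRule -DisplayName '<that rule>' -RemoteAddress $FirewallIPs

# 2. Corrected setting: one allow rule scoped to the firewall addresses only.
#    Windows evaluates explicit Block rules before Allow rules, so do NOT add a
#    catch-all Block for the port; it would also block the firewalls. Rely on the
#    profile's default inbound action instead (step 3).
Get-NetFirewallRule -DisplayName $RuleName -ErrorAction SilentlyContinue |
    Remove-NetFirewallRule
New-NetFirewallRule -DisplayName $RuleName `
    -Direction Inbound -Action Allow -Protocol TCP `
    -LocalPort $AgentPort -RemoteAddress $FirewallIPs `
    -Profile Any -Enabled True | Out-Null

# 3. The scoped rule is meaningless unless unsolicited inbound traffic is
#    blocked by default on every profile.
Set-NetFirewallProfile -All -DefaultInboundAction Block

# 4. Verify on the host: the agent is listening, and the rule's address filter
#    lists only the firewalls.
Get-NetTCPConnection -LocalPort $AgentPort -State Listen |
    Select-Object LocalAddress, LocalPort, OwningProcess
Get-NetFirewallRule -DisplayName $RuleName |
    Get-NetFirewallAddressFilter | Select-Object RemoteAddress

# 5. Verify from the network. Run from a host that is NOT a firewall, replacing
#    USERID-AGENT-HOST; TcpTestSucceeded must be False. Run from a firewall-side
#    vantage point (or any host whose address is in $FirewallIPs) it must be True.
#   (Test-NetConnection -ComputerName USERID-AGENT-HOST -Port 5007).TcpTestSucceeded
```

The inventory step matters more than the new rule: a pre-existing program-based allow rule for the agent executable (which has no port filter of its own) would not appear in the port-filter query above, so also review `Get-NetFirewallRule -Direction Inbound -Action Allow | Get-NetFirewallApplicationFilter` for the agent's executable path and scope that rule's RemoteAddress the same way.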

Acknowledgments

Palo Alto Networks thanks Felix Wilhelm of ERNW Research for discovering and reporting this issue.
© 2024 Palo Alto Networks, Inc. All rights reserved.