Palo Alto Networks Security Advisories / PAN-SA-2016-0008

PAN-SA-2016-0008 PAN-OS API denial of service

047910
Severity 5.3 · MEDIUM
Attack Vector NETWORK
Scope UNCHANGED
Attack Complexity LOW
Confidentiality Impact NONE
Privileges Required NONE
Integrity Impact NONE
User Interaction NONE
Availability Impact LOW

Description

Palo Alto Networks firewalls offer an API to query and modify the configuration of the device. While access to this API is protected by the use of an API key, an issue was recently identified leading to a potential unauthenticated denial of service attack. (Ref #91728)

The API is hosted on a dedicated management interface and, while this issue can result in a DoS attack of the API, it doesn’t compromise the security functionality of the device.

This issue affects PAN-OS 7.0.1 to PAN-OS 7.0.7

Product Status

VersionsAffectedUnaffected
PAN-OS 7.0>= 7.0.1, <= 7.0.7>= 7.0.8

Severity: MEDIUM

CVSSv3.1 Base Score: 5.3 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L)

Weakness Type

Solution

PAN-OS 7.0.8 and later

Workarounds and Mitigations

Exploitation of this issue is only available to personnel with access to the management interface on the device. Palo Alto Networks recommends the following best practice implementation: deploy the management interface on an out-of-band network and separate from inline traffic processing.

Acknowledgments

Tenable Network Security
© 2024 Palo Alto Networks, Inc. All rights reserved.