Palo Alto Networks Security Advisories / CVE-2017-8390

CVE-2017-8390 Vulnerability in the PAN-OS DNS Proxy


047910
Severity 9.8 · CRITICAL
Attack Vector NETWORK
Scope UNCHANGED
Attack Complexity LOW
Confidentiality Impact HIGH
Privileges Required NONE
Integrity Impact HIGH
User Interaction NONE
Availability Impact HIGH
NVD JSON
Published 2017-07-20
Updated
Reference PAN-77516 PAN-SA-2017-0021

Description

A Remote Code Execution vulnerability exists in the PAN-OS DNS Proxy. This issue affects customers who have DNS Proxy enabled in PAN-OS. This issue affects both the Data and Management planes of the firewall. When DNS Proxy processes a specially crafted fully qualified domain names (FQDN), it is possible to execute code on the firewall. (ref # PAN-77516 / CVE-2017-8390).

Successful exploitation of this issue could allow an attacker to execute code on the firewall.

This issue affects PAN-OS 6.1.17 and earlier, PAN-OS 7.0.15 and earlier, PAN-OS 7.1.9 and earlier, PAN-OS 8.0.2 and earlier

Product Status

VersionsAffectedUnaffected
PAN-OS 8.0<= 8.0.2>= 8.0.3
PAN-OS 7.1<= 7.1.9>= 7.1.10
PAN-OS 7.0<= 7.0.15>= 7.0.16
PAN-OS 6.1<= 6.1.17>= 6.1.18

Severity: CRITICAL

CVSSv3.0 Base Score: 9.8 (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)

Weakness Type

CWE-20 Improper Input Validation

Solution

PAN-OS 6.1.18 and later, PAN-OS 7.0.16 and later, PAN-OS 7.1.10 and later, PAN-OS 8.0.3 and later

Workarounds and Mitigations

Palo Alto Networks recommends disabling DNS Proxy for those customers who are affected and are unable to apply the update.

Terms of usePrivacyProduct Security Assurance and Vulnerability Disclosure PolicyReport vulnerabilitiesManage subscriptions
© 2024 Palo Alto Networks, Inc. All rights reserved.