PAN-SA-2016-0008 PAN-OS API denial of service
Description
Palo Alto Networks firewalls offer an API to query and modify the configuration of the device. While access to this API is protected by the use of an API key, an issue was recently identified leading to a potential unauthenticated denial of service attack. (Ref #91728)
The API is hosted on a dedicated management interface. While this issue can result in a denial of service of the API, it does not compromise the security functionality of the device.
This issue affects PAN-OS 7.0.1 to PAN-OS 7.0.7.
Product Status
Versions | Affected | Unaffected |
---|---|---|
PAN-OS 7.0 | >= 7.0.1, <= 7.0.7 | >= 7.0.8 |
Severity: MEDIUM
CVSSv3.1 Base Score: 5.3 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L)
Weakness Type
Solution
PAN-OS 7.0.8 and later
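To find which devices still need the upgrade, the ranges in the Product Status table can be applied to an inventory of version strings. The Python below is an added example, not Palo Alto Networks code; the optional `-hN` hotfix suffix handling, the hostnames and the sample versions are assumptions constructed for illustration.

```python
import re

# Ranges from the advisory's Product Status table (PAN-OS 7.0 train only).
AFFECTED_MIN, AFFECTED_MAX = (7, 0, 1), (7, 0, 7)
FIXED_MIN = (7, 0, 8)

# Assumption: versions look like "7.0.5" or "7.0.5-h2" (optional hotfix suffix).
_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:-h\d+)?$")


def parse_version(text):
    """Return (major, minor, maintenance), or None if the string is not recognised."""
    m = _VERSION_RE.match(text.strip())
    return tuple(int(g) for g in m.groups()) if m else None


def classify(text):
    """Classify one version string against the advisory's stated ranges."""
    v = parse_version(text)
    if v is None:
        return "unknown"      # unparsable: review by hand, never a silent pass
    # The hotfix suffix is ignored: the advisory names maintenance releases only,
    # so a hotfix build of an affected release is treated as affected.
    if AFFECTED_MIN <= v <= AFFECTED_MAX:
        return "affected"
    if v[:2] == FIXED_MIN[:2] and v >= FIXED_MIN:
        return "fixed"
    return "not-listed"       # release the advisory's table says nothing about


def triage(inventory):
    """Map hostname -> classification for a {hostname: version} inventory."""
    return {host: classify(ver) for host, ver in inventory.items()}


# Constructed sample inventory (hostnames and versions are made up).
SAMPLE_INVENTORY = {
    "fw-edge-01": "7.0.1",
    "fw-edge-02": "7.0.7-h2",
    "fw-core-01": "7.0.10",
    "fw-core-02": "7.0.0",
    "fw-lab-01": "6.1.12",
    "fw-lab-02": "7.0.x",
}

if __name__ == "__main__":
    for host, status in sorted(triage(SAMPLE_INVENTORY).items()):
        print(f"{host:12} {SAMPLE_INVENTORY[host]:10} {status}")
```

Versions are compared as integer tuples, so `7.0.10` sorts after `7.0.8` rather than before it as a string comparison would.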
Workarounds and Mitigations
This issue can only be exploited by personnel with access to the management interface on the device. Palo Alto Networks recommends the following best practice: deploy the management interface on an out-of-band network, separate from inline traffic processing.