CVE-2016-3655
Published 2016-04-12
Priority: P264, critical, 9.8 (CVSS 3.0)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
EPSS: 3.20% (86.5th percentile)
The management web interface in Palo Alto Networks PAN-OS before 5.0.18, 6.0.x before 6.0.13, 6.1.x before 6.1.10, and 7.0.x before 7.0.5 allows remote attackers to execute arbitrary OS commands via an unspecified API call.
Affected
6 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| paloalto | pan-os | — | — |
| paloaltonetworks | pan-os | >= 5.0.0 < 5.0.18 | 5.0.18 |
| paloaltonetworks | pan-os | >= 5.1 < 5.1.11 | 5.1.11 |
| paloaltonetworks | pan-os | >= 6.0.0 < 6.0.13 | 6.0.13 |
| paloaltonetworks | pan-os | >= 6.1.0 < 6.1.10 | 6.1.10 |
| paloaltonetworks | pan-os | 7.0.0 – 7.0.5 | — |
Detection & IOCs
- An IPS signature (#38904) is available in Emergency content update 563 to detect/block exploitation attempts against the vulnerable management web API endpoint.
- The vulnerability is exploitable by an unauthenticated remote user via the management web-based API: monitor for unexpected or anomalous API calls to the PAN-OS management interface from untrusted sources.
- The root cause is incorrect input parsing on a specific management API call leading to OS command execution: focus detection on management API traffic, especially malformed or unexpected input to API endpoints.
- IPS signature #38904 must be applied to a firewall rule specifically securing traffic destined for the device management web interface, AND decryption must also be applied for the signature to be effective.
- Network access to management interfaces should be isolated and restricted as a defence-in-depth measure; this reduces exploitability even before patching.
CVSS provenance
- nvd, v3.0: 9.8 CRITICAL, CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
- nvd, v2.0: 10.0 CRITICAL, AV:N/AC:L/Au:N/C:C/I:C/A:C
GHSA
GHSA-4chq-8rg2-9c6v: The management web interface in Palo Alto Networks PAN-OS before 5
ghsa_unreviewed·2022-05-13
CVE-2016-3655 [CRITICAL] CWE-20 GHSA-4chq-8rg2-9c6v: The management web interface in Palo Alto Networks PAN-OS before 5
Palo Alto
Unauthenticated Command Injection in Management Web Interface
vendor_paloalto·2016-02-24·CVSS 9.8
CVE-2016-3655 [CRITICAL] CWE-20 Unauthenticated Command Injection in Management Web Interface
Palo Alto Networks PAN-OS implements an API to enable programmatic device configuration and administration of the device. An issue was identified where the management API incorrectly parses input to a specific API call, leading to execution of arbitrary OS commands without authentication via the management interface. (Ref. #89717) (CVE-2016-3655)
This issue can be exploited remotely by an unauthenticated user with network access to the device management web-based API.
This issue affects PAN-OS releases 5.0.17 and prior; 6.0.12 and prior; 6.1.9 and prior; 7.0.4 and prior.
Affected products: PAN-OS
Solution: PAN-OS releases 5.0.18 and newer; 6.0.13 and newer; 6.1.10 and newer; 7.0.5 and newer
Workaround: Emergency content update