CVE-2016-9150
published 2016-11-19

CVE-2016-9150: Buffer overflow in the management web interface in Palo Alto Networks PAN-OS before 5.0.20, 5.1.x before 5.1.13, 6.0.x before 6.0.15, 6.1.x before 6.1.15…

Priority P274 · critical · 9.8 (CVSS 3.0)
AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
EXPLOIT
EPSS: 34.78% (98.2th percentile)
Buffer overflow in the management web interface in Palo Alto Networks PAN-OS before 5.0.20, 5.1.x before 5.1.13, 6.0.x before 6.0.15, 6.1.x before 6.1.15, 7.0.x before 7.0.11, and 7.1.x before 7.1.6 allows remote attackers to execute arbitrary code via unspecified vectors.

Affected

7 ranges

Vendor | Product | Version range | Fixed in
paloalto | pan-os | |
paloaltonetworks | pan-os | >= 5.0.0 < 5.0.20 | 5.0.20
paloaltonetworks | pan-os | >= 5.1 < 5.1.13 | 5.1.13
paloaltonetworks | pan-os | >= 6.0.0 < 6.0.15 | 6.0.15
paloaltonetworks | pan-os | >= 6.1.0 < 6.1.15 | 6.1.15
paloaltonetworks | pan-os | >= 7.0.0 < 7.0.11 | 7.0.11
paloaltonetworks | pan-os | >= 7.1.0 < 7.1.6 | 7.1.6

Detection & IOCs (extracted from sources)

path: /unauth/php/errorPage.php
url: /unauth/php/errorPage.php?code=1e16
process: /usr/local/bin/appweb3
  • Monitor HTTP requests to the unauthenticated endpoint /unauth/php/errorPage.php with a 'code' parameter containing floating-point/scientific notation values (e.g., 1e16) which trigger the mprItoa() buffer overflow in appweb3.
  • Alert on heap corruption or double-free crash signals from the appweb3 process (/usr/local/bin/appweb3 or libappweb3.so.1), which indicate exploitation attempts against the management web interface.
  • The vulnerability is exploitable without authentication; restrict management web interface access to dedicated management networks and limit source IPs to authorized hosts to reduce attack surface.
  • The vulnerable endpoint /unauth/php/errorPage.php is accessible without authentication on default PAN-OS installations, meaning no credentials are required to trigger the overflow.
  • PAN-OS ships with an EOL (end-of-life since 2012) version of the appweb3 embedded web server, meaning the underlying vulnerable component (mprItoa in libappweb3.so.1) receives no upstream security updates; patching PAN-OS itself is the only remediation path.
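
The first monitoring bullet above, expressed as log-scanning code. This is an added example, not code from the advisory or from Palo Alto Networks. It assumes the management interface's access log is available in Common Log Format and that legitimate `code` values are short decimal integers; the function names and sample log lines are constructed for illustration.

```python
import re
from urllib.parse import urlsplit, parse_qs

ENDPOINT = "/unauth/php/errorPage.php"  # path listed in the IOCs above
# Assumption: access logs use Common/Combined Log Format.
REQUEST_RE = re.compile(r'^(?P<src>\S+) .*?"[A-Z]+ (?P<target>\S+) HTTP/[\d.]+"')
# Floating-point / scientific notation: must contain a '.' or an exponent.
FLOAT_LIKE = re.compile(r'^[+-]?(?=.*[.eE])(\d+\.?\d*|\.\d+)([eE][+-]?\d+)?$')
PLAIN_INT = re.compile(r'^\d{1,4}$')  # assumption: normal codes are short integers

def classify_code(value):
    """Return 'ok', 'float-notation' or 'unexpected' for one code= value."""
    value = value.strip()
    if PLAIN_INT.match(value):
        return "ok"
    if FLOAT_LIKE.match(value):
        return "float-notation"
    return "unexpected"

def suspicious_requests(lines):
    """Return (source, code value, verdict) for flagged errorPage.php requests."""
    hits = []
    for line in lines:
        m = REQUEST_RE.match(line)
        if not m:
            continue
        url = urlsplit(m.group("target"))
        if url.path.lower() != ENDPOINT.lower():
            continue
        # parse_qs percent-decodes, so an encoded exponent (1%6516) still reads as 1e16
        for value in parse_qs(url.query, keep_blank_values=True).get("code", []):
            verdict = classify_code(value)
            if verdict != "ok":
                hits.append((m.group("src"), value, verdict))
    return hits

# Constructed sample log lines (documentation addresses), not from a real device.
SAMPLE_LOG = [
    '192.0.2.10 - - [19/Nov/2016:10:00:01 +0000] "GET /unauth/php/errorPage.php?code=404 HTTP/1.1" 200 512',
    '198.51.100.7 - - [19/Nov/2016:10:00:05 +0000] "GET /unauth/php/errorPage.php?code=1e16 HTTP/1.1" 200 0',
    '198.51.100.7 - - [19/Nov/2016:10:00:06 +0000] "GET /unauth/php/errorPage.php?code=1%6516 HTTP/1.1" 200 0',
    '203.0.113.4 - - [19/Nov/2016:10:00:09 +0000] "GET /php/login.php HTTP/1.1" 200 2048',
]

if __name__ == "__main__":
    for src, value, verdict in suspicious_requests(SAMPLE_LOG):
        print(f"ALERT {src} code={value!r} ({verdict})")
```

Correlating these hits with appweb3 crash or restart events from the second bullet separates probing from requests that actually corrupted the process.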

CVSS provenance

nvd | v3.0 | 9.8 | CRITICAL | CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
nvd | v2.0 | 10.0 | CRITICAL | AV:N/AC:L/Au:N/C:C/I:C/A:C