CVE-2022-0022Use of Password Hash With Insufficient Computational Effort in Palo Alto Networks Pan-os

CWE-916Use of Password Hash With Insufficient Computational EffortCWE-200Sensitive Information Exposure6 documents6 sources
Severity
4.4MEDIUMNVD
CNA4.1CISA6.5
EPSS
0.0%
top 92.48%
CISA KEV
Not in KEV
Exploit
No known exploits
Affected products
4
Palo Alto Networks Pan-osPaloaltonetworks Pan-osPaloalto Pan-os+1 more
Timeline
PublishedMar 9
Latest updateAug 9

Description

Usage of a weak cryptographic algorithm in Palo Alto Networks PAN-OS software where the password hashes of administrator and local user accounts are not created with a sufficient level of computational effort, which allows for password cracking attacks on accounts in normal (non-FIPS-CC) operational mode. An attacker must have access to the account password hashes to take advantage of this weakness and can acquire those hashes if they are able to gain access to the PAN-OS software configuration.

CVSS vector

CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:NExploitability: 0.8 | Impact: 3.6

Affected Packages4 packages

NVDpaloaltonetworks/pan-os8.1.08.1.21+3
CVEListV5palo_alto_networks/pan-os9.19.1.11+3
Palo Altopaloalto/pan-os

🔴Vulnerability Details

2
GHSA
GHSA-4q2w-436r-jx75: Usage of a weak cryptographic algorithm in Palo Alto Networks PAN-OS software where the password hashes of administrator and local user accounts are n2022-03-10
CVEList
PAN-OS: Use of a Weak Cryptographic Algorithm for Stored Password Hashes2022-03-09

📋Vendor Advisories

3
VMware
VMware vRealize Operations contains multiple vulnerabilities2022-08-09
CISA
Microsoft XML Core Services Information Disclosure Vulnerability2022-05-24
Palo Alto
PAN-OS: Use of a Weak Cryptographic Algorithm for Stored Password Hashes2022-03-09
CVE-2022-0022 — Palo Alto Networks Pan-os vulnerability | cvebase