CVE-2024-3387 — Inadequate Encryption Strength in Palo Alto Networks PAN-OS
Severity
5.9 MEDIUM (NVD)
CNA: 5.3
EPSS
0.1%
top 70.94%
CISA KEV
Not in KEV
Exploit
No known exploits
Timeline
Published: Apr 10
Description
A weak (low bit strength) device certificate in Palo Alto Networks Panorama software enables an attacker to perform a meddler-in-the-middle (MitM) attack to capture encrypted traffic between the Panorama management server and the firewalls it manages. With sufficient computing resources, the attacker could break encrypted communication and expose sensitive information that is shared between the management server and the firewalls.
CVSS vector
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N
Exploitability: 2.2 | Impact: 3.6
Affected Packages: 5 packages
Vulnerability Details (2)
CVEList
PAN-OS: Weak Certificate Strength in Panorama Software Leads to Sensitive Information Disclosure (2024-04-10)
GHSA
GHSA-hcgv-gpgg-9mmm: A weak (low bit strength) device certificate in Palo Alto Networks Panorama software enables an attacker to perform a meddler-in-the-middle (MitM) att (2024-04-10)
Vendor Advisories (1)
Palo Alto
PAN-OS: Weak Certificate Strength in Panorama Software Leads to Sensitive Information Disclosure (2024-04-10)