Paloalto PAN-OS vulnerabilities
300 known vulnerabilities affecting paloalto/pan-os.
Total CVEs: 300
CISA KEV: 19 (actively exploited)
Public exploits: 32
Exploited in wild: 18
Severity breakdown
CRITICAL: 53, HIGH: 115, MEDIUM: 119, LOW: 13
Vulnerabilities
Page 2 of 15
CVE-2024-5911 | HIGH | CVSS 7.0 | 2024-07-10
CVE-2024-5911 [HIGH] CWE-434 PAN-OS: File Upload Vulnerability in the Panorama Web Interface
An arbitrary file upload vulnerability in Palo Alto Networks Panorama software enables an authenticated read-write administrator with access to the web interface to disrupt system processes and crash the Panorama. Repeated attacks eventually cause the Panorama to enter maintenance mode, which requires manual intervention to bring the Panora
paloalto
CVE-2024-5913 | MEDIUM | CVSS 6.8 | 2024-07-10
CVE-2024-5913 [MEDIUM] CWE-20 PAN-OS: Improper Input Validation Vulnerability in PAN-OS
An improper input validation vulnerability in Palo Alto Networks PAN-OS software enables an attacker with the ability to tamper with the physical file system to elevate privileges.
Affected products: Cloud NGFW, PAN-OS, Prisma Access
Solution: This issue is fixed in PAN-OS 10.1.14-h2, PAN-OS 10.2.10, PAN-OS 11.0.5, PAN-OS 11.1.4, PAN-OS 11.2.1, and
paloalto
CVE-2024-6387 | HIGH | CVSS 8.1 | PoC | 2024-07-01
CVE-2024-6387 [HIGH] CWE-364 Informational Bulletin: Impact of OpenSSH regreSSHion Vulnerability
The Palo Alto Networks Product Security Assurance team has evaluated CVE-2024-6387, known as "regreSSHion", as it relates to our products.
The SSH features in PAN-OS are not affected by CVE-2024-6387.
At present, no other Palo Alto Networks products are known to contain the vulnerable software packages and be impacted by these iss
paloalto
CVE-2024-3661 | HIGH | CVSS 7.6 | 2024-05-16
CVE-2024-3661 [HIGH] CWE-306 Impact of TunnelVision Vulnerability
The Palo Alto Networks Product Security Assurance team has evaluated the TunnelVision vulnerability as it relates to our products. This issue allows an attacker with the ability to send DHCP messages on the same local area network, such as a rogue Wi-Fi network, to leak traffic outside of the GlobalProtect tunnel, allowing the attacker to read, disrupt, or possibly modify network traffic that
paloalto
CVE-2024-3400 | CRITICAL | CVSS 10.0 | KEV | PoC | 2024-04-12
CVE-2024-3400 [CRITICAL] CWE-20 PAN-OS: Arbitrary File Creation Leads to OS Command Injection Vulnerability in GlobalProtect
A command injection as a result of arbitrary file creation vulnerability in the GlobalProtect feature of Palo Alto Networks PAN-OS software for specific PAN-OS versions and distinct feature configurations may enable an unauthenticated attacker to execute arbitrary code with root p
paloalto
CVE-2024-3383 | CRITICAL | CVSS 9.1 | 2024-04-10
CVE-2024-3383 [CRITICAL] CWE-282 PAN-OS: Improper Group Membership Change Vulnerability in Cloud Identity Engine (CIE)
A vulnerability in how Palo Alto Networks PAN-OS software processes data received from Cloud Identity Engine (CIE) agents enables modification of User-ID groups. This impacts user access to network resources where users may be inappropriately denied or allowed access to resources based on your
paloalto
CVE-2015-5739 | CRITICAL | CVSS 9.8 | 2024-04-10
CVE-2015-5739 [CRITICAL] PAN-SA-2024-0004 Informational Bulletin: OSS CVEs fixed in PAN-OS
The Palo Alto Networks Product Security Assurance team has evaluated the following open source software (OSS) CVEs as they relate to PAN-OS. While it was not determined that these CVEs have any significant impact on PAN-OS, they have been fixed out of an abundance of caution. CVE Summary CVE-2015-5739 This CVE is fixed in PAN-OS 11.0.4, and
paloalto
CVE-2024-3382 | HIGH | CVSS 7.5 | 2024-04-10
CVE-2024-3382 [HIGH] CWE-770 PAN-OS: Firewall Denial of Service (DoS) via a Burst of Crafted Packets
A memory leak exists in Palo Alto Networks PAN-OS software that enables an attacker to send a burst of crafted packets through the firewall that eventually prevents the firewall from processing traffic. This issue applies only to PA-5400 Series devices that are running PAN-OS software with the SSL Forward Proxy feature enabl
paloalto
CVE-2024-3385 | HIGH | CVSS 7.5 | 2024-04-10
CVE-2024-3385 [HIGH] CWE-20 PAN-OS: Firewall Denial of Service (DoS) when GTP Security is Disabled
A packet processing mechanism in Palo Alto Networks PAN-OS software enables a remote attacker to reboot hardware-based firewalls. Repeated attacks eventually cause the firewall to enter maintenance mode, which requires manual intervention to bring the firewall back online.
This affects the following hardware firewall models:
-
paloalto
CVE-2024-3384 | HIGH | CVSS 7.5 | 2024-04-10
CVE-2024-3384 [HIGH] CWE-1286 PAN-OS: Firewall Denial of Service (DoS) via Malformed NTLM Packets
A vulnerability in Palo Alto Networks PAN-OS software enables a remote attacker to reboot PAN-OS firewalls when receiving Windows New Technology LAN Manager (NTLM) packets from Windows servers. Repeated attacks eventually cause the firewall to enter maintenance mode, which requires manual intervention to bring the firewall back onl
paloalto
CVE-2024-3387 | MEDIUM | CVSS 5.9 | 2024-04-10
CVE-2024-3387 [MEDIUM] CWE-326 PAN-OS: Weak Certificate Strength in Panorama Software Leads to Sensitive Information Disclosure
A weak (low bit strength) device certificate in Palo Alto Networks Panorama software enables an attacker to perform a meddler-in-the-middle (MitM) attack to capture encrypted traffic between the Panorama management server and the firewalls it manages. With sufficient comput
paloalto
CVE-2024-3388 | MEDIUM | CVSS 5.0 | 2024-04-10
CVE-2024-3388 [MEDIUM] CWE-269 PAN-OS: User Impersonation in GlobalProtect SSL VPN
A vulnerability in the GlobalProtect Gateway in Palo Alto Networks PAN-OS software enables an authenticated attacker to impersonate another user and send network packets to internal assets. However, this vulnerability does not allow the attacker to receive response packets from those internal assets.
Affected products: Cloud NGFW, PAN-OS, Prisma Access
Solutio
paloalto
CVE-2024-3386 | MEDIUM | CVSS 5.3 | 2024-04-10
CVE-2024-3386 [MEDIUM] CWE-436 PAN-OS: Predefined Decryption Exclusions Does Not Work as Intended
An incorrect string comparison vulnerability in Palo Alto Networks PAN-OS software prevents Predefined Decryption Exclusions from functioning as intended. This can cause traffic destined for domains that are not specified in Predefined Decryption Exclusions to be unintentionally excluded from decryption.
Affected products: Cloud NG
paloalto
CVE-2024-3094 | CRITICAL | CVSS 10.0 | PoC | 2024-04-01
CVE-2024-3094 [CRITICAL] CWE-506 Informational: Impact of Malicious Code in XZ Tools and Libraries (CVE-2024-3094)
The Palo Alto Networks Product Security Assurance team has evaluated the supply chain compromise impacting versions 5.6.0 and 5.6.1 of XZ tools and libraries. These versions of the software may allow unauthorized access to affected systems.
Based on the information presently known, Palo Alto Networks
paloalto
CVE-2024-2433 | LOW | CVSS 2.7 | 2024-03-13
CVE-2024-2433 [LOW] CWE-269 PAN-OS: Improper Privilege Management Vulnerability in Panorama Software Leads to Availability Loss
An improper authorization vulnerability in Palo Alto Networks Panorama software enables an authenticated read-only administrator to upload files using the web interface and completely fill one of the disk partitions with those uploaded files, which prevents the ability t
paloalto
CVE-2024-0011 | MEDIUM | CVSS 6.1 | 2024-02-24
CVE-2024-0011 [MEDIUM] CWE-79 PAN-OS: Reflected Cross-Site Scripting (XSS) Vulnerability in Captive Portal Authentication
A reflected cross-site scripting (XSS) vulnerability in the Captive Portal feature of Palo Alto Networks PAN-OS software enables execution of malicious JavaScript in the context of an authenticated Captive Portal user’s browser if that user clicks on a malicious link, allowing phishin
paloalto
CVE-2017-18342 | CRITICAL | CVSS 9.8 | 2024-02-14
CVE-2017-18342 [CRITICAL] PAN-SA-2024-0001 Informational Bulletin: Impact of OSS CVEs in PAN-OS
The Palo Alto Networks Product Security Assurance team has evaluated the following open source software (OSS) CVEs as they relate to PAN-OS software. While PAN-OS software may include the
CVEs: CVE-2017-18342, CVE-2017-8923, CVE-2017-9120, CVE-2019-1551, CVE-2019-16865, CVE-2019-16905, CVE-2019-19523, CVE-2019-19528, CVE-2019-1991
paloalto
CVE-2024-0008 | HIGH | CVSS 8.8 | 2024-02-14
CVE-2024-0008 [HIGH] CWE-613 PAN-OS: Insufficient Session Expiration Vulnerability in the Web Interface
Web sessions in the management interface in Palo Alto Networks PAN-OS software do not expire in certain situations, making it susceptible to unauthorized access.
Affected products: Cloud NGFW, PAN-OS, Prisma Access
Solution: This issue is fixed in PAN-OS 9.0.17-h2, PAN-OS 9.1.17, PAN-OS 10.0.12-h1, PAN-OS 10.1.10-h1,
paloalto
CVE-2024-0009 | MEDIUM | CVSS 6.3 | 2024-02-14
CVE-2024-0009 [MEDIUM] CWE-940 PAN-OS: Improper IP Address Verification in GlobalProtect Gateway
An improper verification vulnerability in the GlobalProtect gateway feature of Palo Alto Networks PAN-OS software enables a malicious user with stolen credentials to establish a VPN connection from an unauthorized IP address.
Affected products: Cloud NGFW, PAN-OS, Prisma Access
Solution: This issue is fixed in PAN-OS 10.2.4, PAN-OS
paloalto
CVE-2024-0007 | MEDIUM | CVSS 4.8 | 2024-02-14
CVE-2024-0007 [MEDIUM] CWE-79 PAN-OS: Stored Cross-Site Scripting (XSS) Vulnerability in the Panorama Web Interface
A cross-site scripting (XSS) vulnerability in Palo Alto Networks PAN-OS software enables a malicious authenticated read-write administrator to store a JavaScript payload using the web interface on Panorama appliances. This enables the impersonation of another authenticated administrator.
Affecte
paloalto