Palo Alto has released a patch for a buffer overflow remote code execution (RCE) vulnerability for their PAN-OS 8.1, 9.0, and 9.1 versions. The vulnerability can allow threat actors to bypass Multi-Factor Authentication (MFA) and execute potentially malicious code with root user authority. SKOUT recommends updating the affected products with the latest patch for the vulnerability.
Technical detail and additional information
What is the threat?
This RCE vulnerability is present in the Palo Alto PAN-OS versions earlier than 9.1.3, 9.0.9, 8.1.15, and all 8.0.*. Palo Alto’s PAN-OS is the software that runs all Palo Alto Next-Generation firewalls. The vulnerability itself is caused by a buffer overflow in the software that is due to the software not regulating the size of an input it copies to an output. By sending a specially crafted packet to the vulnerable Palo Alto device, a remote attacker would be able to bypass the MFA process and execute remote code within the device. It is important to note that devices that have either MFA or Captive Portal enabled and configured as per the Palo Also document linked as the second resource below.
Why is this noteworthy?
This vulnerability exists in four different PAN-OS versions (<9.1.3, <9.09, <8.1.15, <8.0.*) and is rated a CVSS score of 9.8 out of 10. The vulnerability is credited to have a low attack complexity and requires no user privileges to execute. If a malicious actor were to exploit the vulnerability, the actor would have full control of the device including being able to manage and disable firewalls. While this vulnerability is widespread through various versions of the software, PAN-OS versions greater than 10.0.0 are not affected.
What is the exposure or risk?
Palo Alto is considered one of the two top market forces within network security devices, meaning their devices are extremely common to find within a business infrastructure or home. It is important to reiterate that the vulnerability is not contained to a single device, the vulnerability affects any Palo Alto device which is utilizing unpatched PAN-OS software. In mitigation, Palo Alto has stated that this vulnerability was discovered internally and has not been seen exploited in the wild and there is no current vulnerability for lateral movement.
What are the recommendations?
SKOUT recommends patching any Palo Alto firewalls running the PAN-OS software. Please see the chart below to determine if your devices are vulnerable. It is important to note that Palo Alto has ceased servicing PAN-OS 7.1.* and 8.0.* due to end-of-life meaning there is no patch for those versions.
|PAN-OS 10.0||NONE||>=1 0.0.0|
|PAN-OS 9.1||< 9.1.3||> 9.1.3|
|PAN-OS 9.0||< 9.0.9||>= 9.0.9|
|PAN-OS 8.1||< 8.1.15||>= 8.1.15|
For more in-depth information about the recommendations, please visit the following links:
If you have any questions, please contact our Security Operations Center.