Overview
A critical remote code execution vulnerability exists in the management interface of Palo Alto Networks PAN-OS and Panorama. Attackers with network access to the management interface can execute arbitrary code with system privileges, potentially compromising the entire firewall infrastructure. The vulnerability was disclosed on December 11, 2017. CISA has identified CVE-2017-15944 as exploited, but it is not currently known to be used in ransomware campaigns.
Technical details
Palo Alto Networks PAN-OS and Panorama contain a remote code execution vulnerability in the management interface. The vulnerability allows unauthenticated remote attackers with network access to the management interface to execute arbitrary code with administrative privileges on the affected system. The vulnerability is caused by improper input validation and command injection in the management interface handling. Multiple attack vectors have been identified that allow bypassing authentication and injecting malicious commands.
The vulnerability is classified as CWE-78 (Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')) and CWE-20 (Improper Input Validation).
The vulnerability received a CVSS v3.1 base score of 9.8 (CRITICAL) with the vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H, indicating its critical nature.
Impact
Successful exploitation allows remote attackers to execute arbitrary code with administrative privileges on the firewall or Panorama system. This could result in complete compromise of the security appliance, allowing attackers to: view/modify firewall configurations and security policies, decrypt traffic flowing through the device, pivot to protected internal networks, establish persistent backdoors, extract sensitive data and encryption keys, or disable security controls entirely. Given that firewalls are critical infrastructure, this vulnerability poses severe risk to organizational security posture.
Mitigation and workarounds
Upgrade PAN-OS and Panorama to the fixed versions. For systems unable to upgrade immediately, apply the recommended workarounds. Palo Alto Networks has released patches for all supported versions. The following versions include the necessary fixes: 6.1.19 and later, 7.0.19 and later, 7.1.14 and later, 8.0.6 and later.
As temporary workarounds: restrict network access to the management interface by implementing firewall rules that limit access to trusted IP addresses/networks only, and configure management interface access controls to deny access from untrusted sources; implement network segmentation to isolate the management interface on a separate trusted management network, restricting access to authorized personnel and secure networks only; disable the management interface if not required, or restrict it to localhost-only access when possible; and use a VPN or bastion host for remote access to the management interface instead of exposing it directly to the internet.
CISA recommendation: Apply updates per vendor instructions.
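The fixed-version list above can be turned into an inventory check. The following is an added example, not vendor code: the hostnames and versions in SAMPLE are constructed, and it assumes that a hotfix suffix such as "-h3" does not change the maintenance number and that branches newer than 8.0 count as "8.0.6 and later".

```python
import re

# Fixed maintenance release per branch, taken from the advisory text above.
FIXED = {(6, 1): 19, (7, 0): 19, (7, 1): 14, (8, 0): 6}
_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:-[A-Za-z0-9.]+)?$")

# Constructed sample inventory (hostnames and versions are made up).
SAMPLE = {
    "fw-edge-01": "7.1.13", "fw-dc-02": "8.0.6-h3", "panorama-01": "6.1.18",
    "fw-lab-03": "6.0.4", "fw-br-04": "8.1.0",
}


def parse_version(text):
    """Return (major, minor, maintenance) from '7.1.13' or '8.0.6-h3'."""
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised PAN-OS version: {text!r}")
    return tuple(int(g) for g in m.groups())


def assess(version):
    """Classify a version as 'patched', 'vulnerable' or 'no-fix-listed'."""
    major, minor, maint = parse_version(version)
    branch = (major, minor)
    if branch in FIXED:
        return "patched" if maint >= FIXED[branch] else "vulnerable"
    if branch > max(FIXED):
        # Assumption: branches newer than 8.0 count as "8.0.6 and later".
        return "patched"
    # Branch has no fixed release in the advisory (for example 6.0 and older).
    return "no-fix-listed"


def triage(inventory):
    """Return (host, version, status) for hosts needing action, worst first."""
    order = {"no-fix-listed": 0, "vulnerable": 1}
    findings = []
    for host, version in inventory.items():
        try:
            status = assess(version)
        except ValueError:
            status = "unparsed"  # keep unknown strings visible for manual review
        if status != "patched":
            findings.append((host, version, status))
    return sorted(findings, key=lambda f: (order.get(f[2], 2), f[0]))


if __name__ == "__main__":
    for host, version, status in triage(SAMPLE):
        print(f"{host:12} {version:10} {status}")
```

Hosts reported as "no-fix-listed" run a branch for which the advisory names no fixed release, so they need a branch upgrade rather than a maintenance update.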
Additional resources
Source: This report was generated by AI

