CVE-2017-15944

PAN-OS vulnerability analysis and mitigation — CRITICAL (CVSS 9.8)

High Profile Threat

Overview

A critical remote code execution vulnerability exists in the management interface of Palo Alto Networks PAN-OS and Panorama. Attackers with network access to the management interface can execute arbitrary code with system privileges, potentially compromising the entire firewall infrastructure. The vulnerability was disclosed on December 11, 2017. CISA lists CVE-2017-15944 as known to be exploited; it is not currently known to be used in ransomware campaigns.

Technical details

Palo Alto Networks PAN-OS and Panorama contain a remote code execution vulnerability in the management interface. The vulnerability allows unauthenticated remote attackers with network access to the management interface to execute arbitrary code with administrative privileges on the affected system. The vulnerability is caused by improper input validation and command injection in the management interface handling. Multiple attack vectors have been identified that allow bypassing authentication and injecting malicious commands.

The vulnerability is classified as CWE-78 (Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')) and CWE-20 (Improper Input Validation).

The vulnerability has received a CVSS v3.1 base score of 9.8 (CRITICAL) with the vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H, indicating its critical nature.

Impact

Successful exploitation allows remote attackers to execute arbitrary code with administrative privileges on the firewall or Panorama system. This could result in complete compromise of the security appliance, allowing attackers to: view/modify firewall configurations and security policies, decrypt traffic flowing through the device, pivot to protected internal networks, establish persistent backdoors, extract sensitive data and encryption keys, or disable security controls entirely. Given that firewalls are critical infrastructure, this vulnerability poses severe risk to organizational security posture.

Mitigation and workarounds

Upgrade PAN-OS and Panorama to the fixed versions. Palo Alto Networks has released patches for all supported versions; the following releases include the necessary fixes: 6.1.19 and later, 7.0.19 and later, 7.1.14 and later, 8.0.6 and later. For systems that cannot be upgraded immediately, apply the recommended workarounds.
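As an added example, not taken from the advisory or from Palo Alto Networks, the following Python script checks an inventory of PAN-OS/Panorama version strings against the fixed releases listed above and reports which hosts still need the patch. Versions on feature branches the advisory does not list are flagged for manual review rather than assumed safe; the hostnames, the sample inventory and the handling of a "-hN" hotfix suffix are assumptions.

```python
import re

# Minimum fixed release per PAN-OS feature branch, as listed in the advisory.
FIXED_VERSIONS = {
    "6.1": (6, 1, 19),
    "7.0": (7, 0, 19),
    "7.1": (7, 1, 14),
    "8.0": (8, 0, 6),
}

# "major.minor.patch" with an optional hotfix suffix such as "-h1" (assumed format).
_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:-h(\d+))?$")


def parse_version(version):
    """Return (major, minor, patch, hotfix) for a PAN-OS version string."""
    m = _VERSION_RE.match(version.strip())
    if not m:
        raise ValueError(f"unrecognised PAN-OS version string: {version!r}")
    major, minor, patch, hotfix = m.groups()
    return int(major), int(minor), int(patch), int(hotfix or 0)


def is_vulnerable(version):
    """True if the version predates the fix on its branch, False if it is fixed.

    Returns None for branches the advisory does not list, so the caller can
    review them instead of silently treating them as patched.
    """
    major, minor, patch, _hotfix = parse_version(version)
    fixed = FIXED_VERSIONS.get(f"{major}.{minor}")
    if fixed is None:
        return None
    # A hotfix on the fixed patch level (e.g. 8.0.6-h3) is still fixed.
    return (major, minor, patch) < fixed


def audit(inventory):
    """Sort {hostname: version} into vulnerable, fixed and unlisted-branch hosts."""
    result = {"vulnerable": [], "fixed": [], "unlisted": []}
    for host, ver in sorted(inventory.items()):
        status = is_vulnerable(ver)
        key = "unlisted" if status is None else ("vulnerable" if status else "fixed")
        result[key].append(host)
    return result


# Constructed sample inventory; hostnames and versions are not real devices.
SAMPLE_INVENTORY = {
    "fw-edge-01": "8.0.5",
    "fw-edge-02": "8.0.6-h3",
    "panorama-01": "7.1.13",
    "fw-lab-01": "7.0.19",
    "fw-old-01": "6.1.2",
    "fw-new-01": "8.1.0",
}

if __name__ == "__main__":
    for status, hosts in audit(SAMPLE_INVENTORY).items():
        print(f"{status}: {', '.join(hosts) or '-'}")
```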

As temporary workarounds: restrict network access to the management interface with firewall rules that permit only trusted IP addresses and networks, and configure the management interface access controls to deny access from untrusted sources; isolate the management interface on a separate, trusted management network through network segmentation, limiting access to authorized personnel and secure networks; disable the management interface if it is not required, or restrict it to localhost-only access where possible; and use a VPN or bastion host for remote access to the management interface rather than exposing it directly to the internet.

CISA's recommendation: Apply updates per vendor instructions.

Additional resources

Source: This report was generated using AI

Related Palo Alto Networks Vulnerabilities

No related vulnerabilities found with identified affected products.