PT-2016-5641 · Palo Alto Networks · Pan-Os
Felix Wilhelm · Published 2016-02-24 · Updated 2020-02-17 · CVE-2016-3655
CVSS v2.0: 10 (Critical)
| Vector | AV:N/AC:L/Au:N/C:C/I:C/A:C |
Name of the Vulnerable Software and Affected Versions
Palo Alto Networks PAN-OS versions 5.0.17 and prior
Palo Alto Networks PAN-OS versions 6.0.12 and prior
Palo Alto Networks PAN-OS versions 6.1.9 and prior
Palo Alto Networks PAN-OS versions 7.0.4 and prior
Description
The management web interface in Palo Alto Networks PAN-OS incorrectly parses input to a specific management API call, which allows execution of arbitrary OS commands without authentication. The issue can be exploited remotely by an unauthenticated attacker with network access to the device's web-based management API.
Recommendations
For versions 5.0.17 and prior, update to version 5.0.18 or later.
For versions 6.0.12 and prior, update to version 6.0.13 or later.
For versions 6.1.9 and prior, update to version 6.1.10 or later.
For versions 7.0.4 and prior, update to version 7.0.5 or later.
Fix
RCE
OS Command Injection
Related Identifiers
Affected Products
Pan-Os