-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2022.5090
       CVE-2022-0030 PAN-OS: Authentication Bypass in Web Interface
                              13 October 2022

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           PAN-OS
Publisher:         Palo Alto
Operating System:  UNIX variants (UNIX, Linux, OSX)
                   Windows
Resolution:        Patch/Upgrade
CVE Names:         CVE-2022-0030  

Original Bulletin: 
   https://securityadvisories.paloaltonetworks.com/CVE-2022-0030

Comment: CVSS (Max):  8.1 CVE-2022-0030 (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H)
         CVSS Source: Palo Alto Networks
         Calculator:  https://www.first.org/cvss/calculator/3.1#CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H

- --------------------------BEGIN INCLUDED TEXT--------------------

Palo Alto Networks Security Advisories / CVE-2022-0030

CVE-2022-0030 PAN-OS: Authentication Bypass in Web Interface

Severity 8.1 · HIGH
Attack Vector NETWORK
Scope UNCHANGED
Attack Complexity HIGH
Confidentiality Impact HIGH
Privileges Required NONE
Integrity Impact HIGH
User Interaction NONE
Availability Impact HIGH
Published 2022-10-12
Updated 2022-10-12
Reference PAN-195571
Discovered externally

Description

An authentication bypass vulnerability in the Palo Alto Networks PAN-OS 8.1 web
interface allows a network-based attacker with specific knowledge of the target
firewall or Panorama appliance to impersonate an existing PAN-OS administrator
and perform privileged actions.

Product Status

Versions       Affected  Unaffected
Cloud NGFW     None      All
PAN-OS 10.2    None      All
PAN-OS 10.1    None      All
PAN-OS 10.0    None      All
PAN-OS 9.1     None      All
PAN-OS 9.0     None      All
PAN-OS 8.1     < 8.1.24  >= 8.1.24
Prisma Access  None      All

Severity: HIGH

CVSSv3.1 Base Score: 8.1 (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H)

Exploitation Status

Palo Alto Networks is not aware of any malicious exploitation of this issue.

Weakness Type

CWE-290 Authentication Bypass by Spoofing

Solution

This issue is fixed in PAN-OS 8.1.24 and all later PAN-OS versions.

Please note that PAN-OS 8.1 has reached its software end-of-life (EoL) and is
supported only on PA-200, PA-500, and PA-5000 Series firewalls and on M-100
appliances, and only until each of their respective hardware EoL dates:
https://www.paloaltonetworks.com/services/support/end-of-life-announcements/hardware-end-of-life-dates.html
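
The following is an added example, not part of the Palo Alto Networks advisory or the AusCERT bulletin: a triage helper that applies the Product Status table above to a device inventory. It assumes PAN-OS version strings of the form major.minor.maintenance with an optional -hN hotfix suffix; the hostnames and versions in the sample inventory are constructed.

```python
import re

# Affected matrix transcribed from the Product Status table in this bulletin.
# Release train -> first fixed maintenance release (None = no affected versions).
FIRST_FIXED = {
    "8.1": 24,
    "9.0": None, "9.1": None,
    "10.0": None, "10.1": None, "10.2": None,
}

# Assumed version shape: major.minor.maintenance with an optional -hN hotfix.
VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:-h(\d+))?$")

def classify(version):
    """Return 'affected', 'unaffected', 'not-listed' or 'unparsed'."""
    m = VERSION_RE.match(version.strip())
    if not m:
        return "unparsed"
    train = f"{m.group(1)}.{m.group(2)}"
    if train not in FIRST_FIXED:
        # The bulletin makes no statement about this train; do not guess.
        return "not-listed"
    fixed = FIRST_FIXED[train]
    if fixed is None:
        return "unaffected"
    # Only the maintenance number is compared: the table states < 8.1.24,
    # so a hotfix of an earlier maintenance release is still below the fix.
    return "affected" if int(m.group(3)) < fixed else "unaffected"

def triage(inventory):
    """Classify (hostname, version) pairs; hosts needing attention sort first."""
    order = {"affected": 0, "unparsed": 1, "not-listed": 2, "unaffected": 3}
    rows = [(host, ver, classify(ver)) for host, ver in inventory]
    return sorted(rows, key=lambda r: (order[r[2]], r[0]))

# Constructed sample inventory (illustrative hostnames and versions).
SAMPLE = [
    ("fw-branch-01", "8.1.23-h1"),
    ("fw-branch-02", "8.1.24"),
    ("panorama-m100", "8.1.9"),
    ("fw-core-01", "10.1.6-h3"),
    ("fw-lab-01", "8.0.20"),
    ("fw-lab-02", "unknown"),
]

if __name__ == "__main__":
    for host, ver, status in triage(SAMPLE):
        print(f"{status:11} {host:14} {ver}")
```

Hosts reported as `not-listed` or `unparsed` need manual review, since the bulletin gives no status for release trains outside its table.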

Workarounds and Mitigations

Customers with a Threat Prevention subscription can block known attacks for
this vulnerability by enabling Threat ID 92720 (Applications and Threats
content update 8630-7638).

To exploit this issue, the attacker must have network access to the PAN-OS web
interface. You can mitigate the impact of this issue by following best
practices for securing the PAN-OS web interface. Please review the Best
Practices for Securing Administrative Access in the PAN-OS technical
documentation at:
https://docs.paloaltonetworks.com/best-practices/10-1/administrative-access-best-practices/administrative-access-best-practices/deploy-administrative-access-best-practices

Acknowledgments

Palo Alto Networks thanks the security researcher that discovered and reported
this issue.

Timeline

2022-10-12 Initial publication

- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        https://www.auscert.org.au/bulletins/

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: https://auscert.org.au/gpg-key/
-----END PGP SIGNATURE-----