===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2022.5090
       CVE-2022-0030 PAN-OS: Authentication Bypass in Web Interface
                              13 October 2022

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           PAN-OS
Publisher:         Palo Alto
Operating System:  UNIX variants (UNIX, Linux, OSX)
                   Windows
Resolution:        Patch/Upgrade
CVE Names:         CVE-2022-0030

Original Bulletin:
   https://securityadvisories.paloaltonetworks.com/CVE-2022-0030

Comment: CVSS (Max):  8.1 CVE-2022-0030 (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H)
         CVSS Source: Palo Alto Networks
         Calculator:  https://www.first.org/cvss/calculator/3.1#CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H

--------------------------BEGIN INCLUDED TEXT--------------------

CVE-2022-0030 PAN-OS: Authentication Bypass in Web Interface

Severity 8.1 · HIGH

Attack Vector           NETWORK
Attack Complexity       HIGH
Privileges Required     NONE
User Interaction        NONE
Scope                   UNCHANGED
Confidentiality Impact  HIGH
Integrity Impact        HIGH
Availability Impact     HIGH

Published   2022-10-12
Updated     2022-10-12
Reference   PAN-195571
Discovered  externally

Description

An authentication bypass vulnerability in the Palo Alto Networks PAN-OS 8.1
web interface allows a network-based attacker with specific knowledge of the
target firewall or Panorama appliance to impersonate an existing PAN-OS
administrator and perform privileged actions.

Product Status

Versions        Affected    Unaffected
Cloud NGFW      None        All
PAN-OS 10.2     None        All
PAN-OS 10.1     None        All
PAN-OS 10.0     None        All
PAN-OS 9.1      None        All
PAN-OS 9.0      None        All
PAN-OS 8.1      < 8.1.24    >= 8.1.24
Prisma Access   None        All

Severity: HIGH

CVSSv3.1 Base Score: 8.1 (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H)

Exploitation Status

Palo Alto Networks is not aware of any malicious exploitation of this issue.

Weakness Type

CWE-290 Authentication Bypass by Spoofing

Solution

This issue is fixed in PAN-OS 8.1.24 and all later PAN-OS versions.

Please note that PAN-OS 8.1 has reached its software end-of-life (EoL) and is
supported only on PA-200, PA-500, and PA-5000 Series firewalls and on M-100
appliances and only until each of their respective hardware EoL dates:
https://www.paloaltonetworks.com/services/support/end-of-life-announcements/hardware-end-of-life-dates.html.

Workarounds and Mitigations

Customers with a Threat Prevention subscription can block known attacks for
this vulnerability by enabling Threat ID 92720 (Applications and Threats
content update 8630-7638).

To exploit this issue, the attacker must have network access to the PAN-OS web
interface. You can mitigate the impact of this issue by following best
practices for securing the PAN-OS web interface. Please review the Best
Practices for Securing Administrative Access in the PAN-OS technical
documentation at
https://docs.paloaltonetworks.com/best-practices/10-1/administrative-access-best-practices/administrative-access-best-practices/deploy-administrative-access-best-practices.

Acknowledgments

Palo Alto Networks thanks the security researcher that discovered and reported
this issue.

Timeline

2022-10-12 Initial publication

(C) 2022 Palo Alto Networks, Inc. All rights reserved.

--------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members. As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin. It may
not be updated when updates to the original are made. If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above. If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        https://www.auscert.org.au/bulletins/

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
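
The affected range given under Product Status above (PAN-OS 8.1 earlier than 8.1.24), applied as a triage check over a device inventory. This is an added example, not part of the AusCERT bulletin or the Palo Alto Networks advisory; the hostnames and versions in the inventory are constructed, and the version format it parses (major.minor.maintenance with an optional "-hN" hotfix suffix) is an assumption about how the inventory reports versions.

```python
import re

# Affected range from the advisory: PAN-OS 8.1 releases earlier than 8.1.24.
AFFECTED_TRAIN = (8, 1)
FIXED_IN = (8, 1, 24, 0)

# Assumed version format: major.minor.maintenance with optional "-hN" hotfix.
_VERSION_RE = re.compile(r"(\d+)\.(\d+)\.(\d+)(?:-h(\d+))?")


def parse_panos_version(text):
    """Return (major, minor, maintenance, hotfix) or raise ValueError."""
    m = _VERSION_RE.fullmatch(text.strip())
    if not m:
        raise ValueError(f"unrecognised PAN-OS version: {text!r}")
    return tuple(int(g) if g else 0 for g in m.groups())


def is_affected(version_text):
    """True when the version is in the 8.1 train and below 8.1.24."""
    v = parse_panos_version(version_text)
    return v[:2] == AFFECTED_TRAIN and v < FIXED_IN


def triage(inventory):
    """Split {hostname: version} into affected, unaffected and unparsed hosts."""
    result = {"affected": [], "unaffected": [], "unparsed": []}
    for host, version in sorted(inventory.items()):
        try:
            key = "affected" if is_affected(version) else "unaffected"
        except ValueError:
            key = "unparsed"  # surface bad data instead of assuming "safe"
        result[key].append(host)
    return result


# Constructed inventory for illustration; hostnames and versions are made up.
SAMPLE_INVENTORY = {
    "fw-branch-01": "8.1.23-h1",
    "fw-branch-02": "8.1.24",
    "fw-core-01": "10.1.6-h6",
    "panorama-01": "8.1.9",
    "fw-lab-01": "unknown",
}

if __name__ == "__main__":
    for status, hosts in triage(SAMPLE_INVENTORY).items():
        print(f"{status}: {', '.join(hosts) or '-'}")
```

Hosts whose version string cannot be parsed are listed separately so they get a manual check instead of being counted as unaffected.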