
====================================================================

                              CERT-Renater

                 Information Note No. 2017/VULN405
_____________________________________________________________________

DATE                : 14/12/2017

HARDWARE PLATFORM(S): /

OPERATING SYSTEM(S): PAN-OS versions prior to 6.1.19, 7.0.19, 7.1.14,
                     8.0.6.

=====================================================================
https://securityadvisories.paloaltonetworks.com/Home/Detail/102
_____________________________________________________________________

Summary

Through the exploitation of a combination of unrelated vulnerabilities,
and via the management interface of the device, an attacker could
remotely execute code on PAN-OS in the context of the highest
privileged user. (Ref # PAN-61094 / PAN-80990 / PAN-80993 / PAN-80994 /
CVE-2017-15944)


Severity: Critical

PAN-OS contains multiple vulnerabilities that, when exploited in
conjunction, could lead to remote code execution prior to authentication.


Products Affected

PAN-OS 6.1.18 and earlier, PAN-OS 7.0.18 and earlier, PAN-OS 7.1.13 and
earlier, PAN-OS 8.0.5 and earlier


Available Updates

PAN-OS 6.1.19 and later, PAN-OS 7.0.19 and later, PAN-OS 7.1.14 and
later, PAN-OS 8.0.6 and later
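As an added example (not part of the CERT-Renater note or of Palo Alto Networks' advisory), the following Python script triages an inventory of PAN-OS version strings against the fixed releases listed above. The hostnames and versions are constructed sample input; the `-hN` hotfix suffix handling is an assumption about the version format, and a hotfix built on an affected base release is conservatively counted as affected.

```python
import re

# First fixed release per maintenance branch (major.minor), as stated in the advisory.
FIXED_BY_BRANCH = {
    (6, 1): (6, 1, 19),
    (7, 0): (7, 0, 19),
    (7, 1): (7, 1, 14),
    (8, 0): (8, 0, 6),
}

# Accepts "PAN-OS 7.1.12", "7.1.12" or "8.0.5-h3" (hotfix suffix is an assumed format).
_VERSION_RE = re.compile(r"^(?:PAN-OS\s+)?(\d+)\.(\d+)\.(\d+)(?:-h(\d+))?$")

def parse_version(text):
    """Parse a PAN-OS version string into (major, minor, patch, hotfix)."""
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised PAN-OS version: {text!r}")
    major, minor, patch, hotfix = m.groups()
    return int(major), int(minor), int(patch), int(hotfix or 0)

def is_affected(text):
    """True if the base release predates the branch's fixed release, False if
    it is the fixed release or later, None for a branch the advisory does not list."""
    major, minor, patch, _hotfix = parse_version(text)  # hotfix level is ignored (conservative)
    fixed = FIXED_BY_BRANCH.get((major, minor))
    if fixed is None:
        return None
    return (major, minor, patch) < fixed

def triage(inventory):
    """Group an inventory of {host: version} into affected, fixed and unknown buckets."""
    result = {"affected": [], "fixed": [], "unknown": []}
    for host, version in inventory.items():
        state = is_affected(version)
        bucket = "unknown" if state is None else ("affected" if state else "fixed")
        result[bucket].append(host)
    return result

if __name__ == "__main__":
    # Constructed sample inventory; these are not real hosts.
    sample = {"fw-edge-1": "PAN-OS 7.1.12", "fw-dc-2": "8.0.6",
              "fw-lab": "6.1.18-h2", "fw-new": "8.1.0"}
    for bucket, hosts in triage(sample).items():
        print(f"{bucket}: {hosts}")
```

Devices in the "unknown" bucket run a branch the advisory does not cover and need to be checked against the vendor's advisory page directly.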


Workarounds and Mitigations

Palo Alto Networks has released content update 756 including
vulnerability signatures #40483 and #40484 that can be used as an
interim mitigation to protect PAN-OS devices until the device software
is upgraded. Note that signatures 40483 and 40484 must be applied to a
firewall rule securing traffic destined for the Management interface.
This issue affects the management interface of the device and is
strongly mitigated by following best practices for the isolation of
management interfaces for security appliances. We recommend that the
management interface be isolated and strictly limited only to security
administration personnel through either network segmentation or using
the IP access control list restriction feature within PAN-OS.


Acknowledgements

Palo Alto Networks would like to thank Philip Pettersson for reporting
this issue.

==========================================================
+ CERT-RENATER          | tel : 01-53-94-20-44           +
+ 23 - 25 Rue Daviel    | fax : 01-53-94-20-41           +
+ 75013 Paris           | email: cert@support.renater.fr +
==========================================================
