High severity · 7.8 · NVD Advisory · Published Jun 1, 2017 · Updated May 13, 2026

CVE-2015-6531

Description

Palo Alto Networks Panorama VM Appliance firmware before 6.0.1 executes Python code before verifying signature, allowing arbitrary code execution via crafted image.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Vulnerability

The Panorama VM Appliance running PAN-OS versions before 6.0.1 contains a flaw in firmware installation. The system unpacks and evaluates a header dictionary using Python's eval() on data from the firmware image before verifying its cryptographic signature [1]. Specifically, code reads the image header and tries to eval the first 3584 bytes if it appears to be a dictionary [1]. This allows a crafted firmware image to execute arbitrary Python code.

Exploitation

An attacker must deliver a malicious firmware image to the appliance, either by tricking an administrator into installing it (e.g., via social engineering, phishing, or man-in-the-middle during download) or by intercepting auto-update traffic (MITM) [1]. No authentication is required if the attacker can compromise the update channel or deceive the admin.

Impact

Successful exploitation gives the attacker arbitrary Python code execution on the Panorama VM Appliance, leading to full compromise of the device, including disclosure of sensitive management data, alteration of configuration, or use as a pivot point [1].

Mitigation

Upgrade to PAN-OS version 6.0.1 or later, which fixes the signature verification order [1]. No workarounds are documented. The vulnerability is not listed in CISA KEV as of now.
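
The corrected ordering described above, as an added example that is not PAN-OS code: the loader authenticates the whole image before touching the header, then parses the header as data with ast.literal_eval instead of eval(). The image layout (3584-byte header, payload, trailing tag), the HMAC-SHA256 tag standing in for the vendor's real signature scheme, and the names build_image and load_header are all assumptions.

```python
import ast
import hashlib
import hmac

HEADER_LEN = 3584               # header size quoted in the advisory text
TAG_LEN = 32                    # assumed: HMAC-SHA256 tag appended to the image
KEY = b"constructed-demo-key"   # constructed stand-in for the verification key


def build_image(header, payload, key=KEY):
    """Build a constructed sample image: padded header + payload + tag."""
    raw = (header if isinstance(header, str) else repr(header)).encode()
    body = raw.ljust(HEADER_LEN, b" ") + payload
    return body + hmac.new(key, body, hashlib.sha256).digest()


def load_header(image, key=KEY):
    """Authenticate the image first; only then parse the header as data."""
    if len(image) < HEADER_LEN + TAG_LEN:
        raise ValueError("image too short")
    body, tag = image[:-TAG_LEN], image[-TAG_LEN:]
    expected = hmac.new(key, body, hashlib.sha256).digest()
    # Step 1: reject unauthenticated input before any parsing happens.
    if not hmac.compare_digest(tag, expected):
        raise PermissionError("signature check failed; header not parsed")
    text = body[:HEADER_LEN].decode("utf-8").strip()
    # Step 2: literal_eval accepts only literals; calls and names raise ValueError.
    header = ast.literal_eval(text)
    if not isinstance(header, dict):
        raise ValueError("header is not a dictionary")
    return header


if __name__ == "__main__":
    image = build_image({"version": "6.0.1", "model": "vm"}, b"payload")
    print(load_header(image))
```
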

AI Insight generated on May 22, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products

2

References

2