Unrated severity · NVD Advisory · Published May 13, 2020 · Updated Sep 17, 2024

PAN-OS: Panorama management server log injection

CVE-2020-1996

Description

A missing authorization vulnerability in the management server component of PAN-OS Panorama allows a remote unauthenticated user to inject messages into the management server ms.log file. This vulnerability can be leveraged to obfuscate an ongoing attack or fabricate log entries in the ms.log file. This issue affects: All versions of PAN-OS 7.1 and 8.0; PAN-OS 8.1 versions earlier than 8.1.14; PAN-OS 9.0 versions earlier than 9.0.9.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

PAN-OS Panorama management server missing authorization allows remote unauthenticated log injection, enabling log obfuscation or fabrication.

Vulnerability

A missing authorization vulnerability in the management server component of PAN-OS Panorama allows a remote unauthenticated user to inject arbitrary messages into the management server ms.log file [1]. The issue affects all versions of PAN-OS 7.1 and 8.0, PAN-OS 8.1 versions earlier than 8.1.14, and PAN-OS 9.0 versions earlier than 9.0.9 [1].

Exploitation

An attacker with network access to the Panorama management interface can exploit this vulnerability without authentication or user interaction [1]. The attack complexity is low; the remote unauthenticated user can inject crafted log entries into the ms.log file by sending specially crafted requests [1].

Impact

Successful exploitation allows the attacker to inject arbitrary messages into the management server log file. This can be leveraged to obfuscate an ongoing attack or fabricate log entries, thereby undermining the integrity of security logs [1]. The confidentiality and availability of the system are not directly affected; the impact is limited to integrity [1].

Mitigation

The vulnerability is fixed in PAN-OS 8.1.14 and PAN-OS 9.0.9 (pending release) and all later PAN-OS versions [1]. PAN-OS 8.0 is end-of-life as of October 31, 2019, and is no longer covered by product security assurance policies [1]. PAN-OS 7.1 is on extended support until June 30, 2020, and is only considered for critical security fixes [1]. As a workaround, attacks can be blocked with signatures for Unique Threat ID 58197 enabled on a different firewall configured to protect the vulnerable management interfaces [1]. Following best practices for securing the PAN-OS management interface is strongly recommended [1].

AI Insight generated on May 26, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
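
The affected ranges stated above can be turned into an inventory triage check. This is an added example, not part of the advisory or any Palo Alto Networks tooling; the `major.minor.maint[-hN]` version format, the hostnames and the sample versions are assumptions made for illustration.

```python
import re

# Ranges as stated in the advisory text: 7.1 and 8.0 all versions affected;
# 8.1 fixed in 8.1.14; 9.0 fixed in 9.0.9; all later PAN-OS versions fixed.
FIXED_IN = {(8, 1): 14, (9, 0): 9}   # first fixed maintenance release per train
NO_FIX = {(7, 1), (8, 0)}            # every version on these trains is affected

# Assumed version shape: major.minor.maint with optional "-hN" hotfix suffix.
# A hotfix build such as "8.1.13-h2" is still earlier than 8.1.14.
_VERSION = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:-h\d+)?$")


def classify(version: str) -> str:
    """Return 'affected', 'fixed' or 'unknown' for one PAN-OS version string."""
    m = _VERSION.match(version.strip())
    if not m:
        return "unknown"             # unparseable: needs manual review
    major, minor, maint = int(m[1]), int(m[2]), int(m[3])
    train = (major, minor)
    if train in NO_FIX:
        return "affected"
    if train in FIXED_IN:
        return "affected" if maint < FIXED_IN[train] else "fixed"
    if train > (9, 0):
        return "fixed"               # covered by "all later PAN-OS versions"
    return "unknown"                 # older than 7.1: the advisory is silent


def triage(inventory: dict[str, str]) -> dict[str, list[str]]:
    """Group hosts by status so affected Panorama servers surface first."""
    result = {"affected": [], "fixed": [], "unknown": []}
    for host, version in sorted(inventory.items()):
        result[classify(version)].append(host)
    return result


# Constructed sample inventory (hostnames and versions are made up).
SAMPLE = {
    "pano-a": "8.1.13-h2", "pano-b": "8.1.14",
    "pano-c": "9.0.8", "pano-d": "8.0.20",
    "pano-e": "9.1.2", "pano-f": "7.0.19",
}

if __name__ == "__main__":
    for status, hosts in triage(SAMPLE).items():
        print(f"{status}: {', '.join(hosts) or '-'}")
```

Hosts reported as `unknown` fall outside the ranges the advisory names and need manual review rather than being treated as safe.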
