PAN-OS: Panorama External control of file vulnerability leads to privilege escalation
Description
An external control of path and data vulnerability in the Palo Alto Networks PAN-OS Panorama XSLT processing logic allows an unauthenticated user with network access to the PAN-OS management interface to write attacker-supplied files on the system and elevate privileges. This issue affects: all PAN-OS 7.1 Panorama and 8.0 Panorama versions; PAN-OS 8.1 versions earlier than 8.1.12 on Panorama; PAN-OS 9.0 versions earlier than 9.0.6 on Panorama.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
An unauthenticated attacker with network access to the Panorama management interface can exploit an XSLT processing flaw to write arbitrary files and elevate privileges on affected PAN-OS versions.
Vulnerability
An external control of path and data vulnerability exists in the Palo Alto Networks PAN-OS Panorama XSLT processing logic, classified as CWE-123 write-what-where condition [1]. This issue affects all PAN-OS 7.1 Panorama versions, all 8.0 Panorama versions, PAN-OS 8.1 versions earlier than 8.1.12 on Panorama, and PAN-OS 9.0 versions earlier than 9.0.6 on Panorama [1].
Exploitation
An unauthenticated attacker with network access to the PAN-OS management web interface can exploit this vulnerability [1]. The CVSSv3.1 attack complexity is rated High, which indicates that conditions outside the attacker's direct control, such as a timing window, may be required [1]. The attacker supplies a crafted XSLT transformation that, because the path and data it controls are not properly validated, results in arbitrary files being written to the system [1].
Impact
Successful exploitation allows the attacker to write attacker-supplied files on the system, leading to privilege escalation [1]. The CVSSv3.1 base score of 8.1 reflects high impact on confidentiality, integrity, and availability, meaning the attacker can potentially gain full administrative control of the Panorama appliance [1].
Mitigation
This issue is fixed in PAN-OS 8.1.12, PAN-OS 9.0.6, and all later PAN-OS versions [1]. PAN-OS 7.1 is on extended support until June 30, 2020, and is considered only for critical security vulnerability fixes; PAN-OS 8.0 has been end-of-life since October 31, 2019, and is no longer covered by Product Security Assurance policies [1]. Where upgrading is not immediately possible, administrators should follow the best practices for securing the PAN-OS management web interface documented by Palo Alto Networks to reduce exposure [1].
AI Insight generated on May 26, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- Range: <=8.0.*, <8.1.12, <9.0.6
- Range: 8.0.*
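The affected ranges above are easy to misread when triaging an inventory by hand (a 7.1 or 8.0 Panorama is affected at any patch level, while 8.1 and 9.0 are affected only below 8.1.12 and 9.0.6). The following Python is an added example, not code from the advisory or from Palo Alto Networks, that encodes those ranges from this record and runs them over a constructed inventory. The `-hN` hotfix suffix handling, the CSV inventory format and the host names are assumptions made for the example; the advisory itself does not describe them.

```python
"""Triage a device inventory against the CVE-2020-2001 affected ranges.

Added example; the ranges are transcribed from this advisory record, everything
else (inventory format, hotfix suffix handling) is an assumption for illustration.
"""
import re
from typing import Dict, Tuple

# Transcribed from the advisory: every 7.1 and 8.0 Panorama release is affected;
# 8.1 is fixed at 8.1.12 and 9.0 at 9.0.6; all later trains ship fixed.
UNFIXED_TRAINS = {(7, 1), (8, 0)}
FIXED_IN = {(8, 1): (8, 1, 12), (9, 0): (9, 0, 6)}
LATEST_TRAIN_IN_ADVISORY = (9, 0)


def parse_panos_version(text: str) -> Tuple[int, int, int, int]:
    """Parse 'major.minor.patch' with an optional '-hN' hotfix suffix (assumed format)."""
    m = re.fullmatch(r"(\d+)\.(\d+)\.(\d+)(?:-h(\d+))?", text.strip())
    if not m:
        raise ValueError(f"unrecognised PAN-OS version string: {text!r}")
    major, minor, patch, hotfix = m.groups()
    return (int(major), int(minor), int(patch), int(hotfix or 0))


def is_affected(version: str, is_panorama: bool) -> bool:
    """Return True when this version is within the advisory's affected ranges.

    Only Panorama is in scope. Trains older than 7.1 are not mentioned by the
    advisory, so they are rejected rather than silently classified.
    """
    if not is_panorama:
        return False
    v = parse_panos_version(version)
    train = v[:2]
    if train in UNFIXED_TRAINS:
        return True                      # no fixed release exists in this train
    if train in FIXED_IN:
        return v[:3] < FIXED_IN[train]   # hotfixes of the fixed release count as fixed
    if train > LATEST_TRAIN_IN_ADVISORY:
        return False                     # "all later PAN-OS versions" are fixed
    raise ValueError(f"train {train[0]}.{train[1]} is not covered by this advisory")


def triage(inventory_csv: str) -> Dict[str, str]:
    """Map each host in a 'host,version,role' inventory to a triage status."""
    result: Dict[str, str] = {}
    for line in inventory_csv.strip().splitlines():
        host, version, role = (f.strip() for f in line.split(","))
        try:
            affected = is_affected(version, role.lower() == "panorama")
        except ValueError:
            result[host] = "review"     # malformed or out-of-scope version string
            continue
        result[host] = "affected" if affected else "not-affected"
    return result


# Constructed sample inventory (host names and versions are made up).
SAMPLE_INVENTORY = """
pano-a,8.1.11,panorama
pano-b,8.1.12-h1,panorama
pano-c,9.0.5,panorama
pano-d,7.1.26,panorama
fw-edge,8.1.11,firewall
pano-e,9.1.0,panorama
pano-old,6.1.3,panorama
"""

if __name__ == "__main__":
    for host, status in triage(SAMPLE_INVENTORY).items():
        print(f"{host:10s} {status}")
```

Hosts reported as `review` need a human look: their version string is either malformed or belongs to a train the advisory does not enumerate, and guessing in either direction is worse than flagging them.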
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
- [1] security.paloaltonetworks.com/CVE-2020-2001 (MITRE, x_refsource_MISC)
News mentions
No linked articles in our index yet.