PAN-OS: Panorama registration denial of service
Description
An improper input validation vulnerability in the configuration daemon of Palo Alto Networks PAN-OS Panorama allows for a remote unauthenticated user to send a specifically crafted registration request to the device that causes the configuration service to crash. Repeated attempts to send this request result in denial of service to all PAN-OS Panorama services by restarting the device and putting it into maintenance mode. This issue affects: All versions of PAN-OS 7.1, PAN-OS 8.0; PAN-OS 8.1 versions earlier than 8.1.14; PAN-OS 9.0 versions earlier than 9.0.7; PAN-OS 9.1 versions earlier than 9.1.0.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
A remote unauthenticated attacker can cause denial of service on PAN-OS Panorama by sending a crafted registration request, leading to device restart and maintenance mode.
Vulnerability
An improper input validation vulnerability (CWE-20) exists in the configuration daemon of Palo Alto Networks PAN-OS Panorama. A remote unauthenticated user can send a specifically crafted registration request to the device, causing the configuration service to crash. This issue affects all versions of PAN-OS 7.1 and 8.0, PAN-OS 8.1 versions earlier than 8.1.14, PAN-OS 9.0 versions earlier than 9.0.7, and PAN-OS 9.1 versions earlier than 9.1.0. [1]
Exploitation
No authentication or user interaction is required; the attacker only needs network access to the Panorama management interface. A single crafted registration request crashes the configuration daemon. Repeatedly sending such requests forces the device to restart and enter maintenance mode, causing a persistent denial of service. [1]
Impact
Successful exploitation results in a high impact on availability (CVSS 7.5, AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H). The attacker can disrupt all PAN-OS Panorama services, making the device unusable until manually recovered from maintenance mode. There is no impact on confidentiality or integrity. [1]
Mitigation
This issue is fixed in PAN-OS 8.1.14, PAN-OS 9.0.7, PAN-OS 9.1.0, and all later versions. PAN-OS 8.0 is end-of-life (since October 31, 2019) and no longer receives security fixes. PAN-OS 7.1 is on extended support until June 30, 2020, and is only eligible for critical fixes. As a workaround, follow best practices for securing the PAN-OS management interface, such as restricting access via IP allowlists and placing it on a dedicated management network. [1]
AI Insight generated on May 26, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- Range: PAN-OS 7.1, PAN-OS 8.0, PAN-OS 8.1 < 8.1.14, PAN-OS 9.0 < 9.0.7, PAN-OS 9.1 < 9.1.0
- Range: 7.1.*
References
- [1] security.paloaltonetworks.com/CVE-2020-2011 (mitre, x_refsource_MISC)