VYPR
Unrated severity · NVD Advisory · Published May 13, 2020 · Updated Sep 16, 2024

PAN-OS: DOM-Based cross site scripting vulnerability in management web interface

CVE-2020-2017

Description

A DOM-Based Cross Site Scripting Vulnerability exists in PAN-OS and Panorama Management Web Interfaces. A remote attacker able to convince an authenticated administrator to click on a crafted link to PAN-OS and Panorama Web Interfaces could execute arbitrary JavaScript code in the administrator's browser and perform administrative actions. This issue affects: PAN-OS 7.1 versions earlier than 7.1.26; PAN-OS 8.1 versions earlier than 8.1.13; PAN-OS 9.0 versions earlier than 9.0.6; All versions of PAN-OS 8.0.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

A DOM-based XSS vulnerability in PAN-OS and Panorama management web interfaces lets a remote attacker with authenticated admin interaction execute arbitrary JavaScript to perform admin actions.

Vulnerability

A DOM-Based Cross-Site Scripting (XSS) vulnerability exists in the PAN-OS and Panorama Management Web Interfaces [1]. The issue affects PAN-OS 7.1 versions earlier than 7.1.26, PAN-OS 8.1 versions earlier than 8.1.13, PAN-OS 9.0 versions earlier than 9.0.6, and all versions of PAN-OS 8.0 [1]. The vulnerability is classified as CWE-79 [1].
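The advisory names the class (CWE-79, DOM-based XSS) but does not show the affected code. As an added, generic illustration that is not PAN-OS or Panorama code, the block below models the shape of such a bug in pure JavaScript: an attacker-controlled URL fragment is concatenated into HTML (the vulnerable pattern), next to two hardened forms (an allowlist of known values, and HTML-encoding of free text). The "tab" idea, the tab names and the sample inputs are constructed for the example; `window.location.hash` is replaced by a parameter so the logic runs without a browser.

```javascript
// Generic illustration of the CWE-79 DOM-based XSS class named in this advisory.
// This is NOT PAN-OS or Panorama code; the affected sink is not shown on the page.
// Tab names and sample inputs are constructed for the example.

// The part of the URL that a crafted link controls. In a browser this would be
// window.location.hash; it is a parameter here so the code runs without a DOM.
function fragmentValue(hash) {
  return decodeURIComponent(String(hash).replace(/^#/, ''));
}

// Vulnerable shape: untrusted text is concatenated into an HTML string that the
// page would then assign to innerHTML, so any markup in it is parsed, not shown.
function renderTabUnsafe(hash) {
  return '<div class="tab">' + fragmentValue(hash) + '</div>';
}

// Fix 1 (preferred): treat the fragment as a selector into a fixed set of values,
// never as text to render. Anything unknown falls back to a default.
const KNOWN_TABS = new Set(['dashboard', 'policies', 'objects', 'network', 'device']);
function selectTab(hash) {
  const tab = fragmentValue(hash);
  return KNOWN_TABS.has(tab) ? tab : 'dashboard';
}

// Fix 2: if free text must be displayed, encode it so the browser renders it as
// text. Assigning element.textContent instead of innerHTML has the same effect.
function escapeHtml(s) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(s).replace(/[&<>"']/g, (c) => map[c]);
}
function renderTabSafe(hash) {
  return '<div class="tab">' + escapeHtml(fragmentValue(hash)) + '</div>';
}

// Review check: does the rendered string contain a tag other than our own wrapper?
// Handy as a unit test when hardening any code that reads from location.*.
function containsInjectedTag(html) {
  const inner = html.slice('<div class="tab">'.length, html.length - '</div>'.length);
  return /<\/?[a-z]/i.test(inner);
}

// Constructed sample inputs: a normal link and one carrying markup in the fragment.
const SAMPLE_NORMAL = '#policies';
const SAMPLE_MARKUP = '#%3Cb%3Eowned%3C%2Fb%3E'; // "#<b>owned</b>" URL-encoded

// Side-by-side result for the markup-carrying input.
function demo() {
  return {
    unsafe: renderTabUnsafe(SAMPLE_MARKUP), // markup survives, browser would parse it
    safe: renderTabSafe(SAMPLE_MARKUP),     // markup encoded, browser shows it as text
    selected: selectTab(SAMPLE_MARKUP),     // unknown value, falls back to "dashboard"
  };
}
```

The allowlist form is the stronger fix for a management UI: a fragment or query parameter that only ever needs to pick one of a few views should never reach an HTML sink at all, and encoding is the fallback for the cases where free text genuinely has to be displayed.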

Exploitation

An attacker must craft a malicious link and convince an authenticated administrator to click on it [1]. The attack vector is network-based, requires no privileges, but does require user interaction [1]. The attacker does not need to be authenticated to the management interface itself [1].

Impact

Successful exploitation allows the attacker to execute arbitrary JavaScript code in the administrator's browser [1]. This can lead to full compromise of the administrative session, allowing the attacker to perform administrative actions on the PAN-OS or Panorama device [1]. The CVSSv3.1 base score is 8.8, with HIGH impact on confidentiality, integrity, and availability [1].

Mitigation

Palo Alto Networks has released fixed versions: PAN-OS 7.1.26, PAN-OS 8.1.13, PAN-OS 9.0.6, and PAN-OS 9.1.0, and all later versions [1]. For PAN-OS 8.0, which is end-of-life as of October 31, 2019, no fix is available; following best practices for securing the management interface is strongly recommended [1]. Users should restrict access to the management interface to trusted internal IP addresses and follow the Best Practices for Securing Administrative Access [1].
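The fixed versions above are easy to misread across release trains (8.0 has no fix, 9.1.0 and later are unaffected). As an added helper that is not vendor code and not part of this database, the block below encodes exactly the ranges stated in this advisory and runs them over a constructed inventory of PAN-OS version strings; hotfix suffixes such as `-h1` are ignored for the comparison, which is an assumption of the example.

```javascript
// Added helper: turns the affected/fixed ranges stated in this advisory into a
// check over an inventory of PAN-OS version strings. Not vendor code; the
// inventory below is constructed.

// Fixed versions per release train, as stated in the advisory. 8.0 has no fix.
const FIXED = { '7.1': '7.1.26', '8.1': '8.1.13', '9.0': '9.0.6' };
const UNFIXED_TRAINS = new Set(['8.0']);
const FIRST_UNAFFECTED_TRAIN = [9, 1]; // "PAN-OS 9.1.0, and all later versions"

// "8.1.12-h3" -> [8, 1, 12]; the hotfix suffix is ignored (assumption of this example).
function parseVersion(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)/.exec(String(v).trim());
  if (!m) throw new Error('unrecognised PAN-OS version: ' + v);
  return m.slice(1, 4).map(Number);
}

function compareVersions(a, b) {
  const pa = parseVersion(a), pb = parseVersion(b);
  for (let i = 0; i < 3; i++) {
    if (pa[i] !== pb[i]) return pa[i] < pb[i] ? -1 : 1;
  }
  return 0;
}

// Returns 'affected', 'fixed', or 'unknown' (a train the advisory does not list).
function cve20202017Status(version) {
  const [major, minor] = parseVersion(version);
  const train = major + '.' + minor;
  if (UNFIXED_TRAINS.has(train)) return 'affected';              // every 8.0 release
  if (train in FIXED) {
    return compareVersions(version, FIXED[train]) < 0 ? 'affected' : 'fixed';
  }
  const [uMajor, uMinor] = FIRST_UNAFFECTED_TRAIN;
  if (major > uMajor || (major === uMajor && minor >= uMinor)) return 'fixed';
  return 'unknown';                                               // e.g. 7.0: not listed
}

// Constructed inventory: hostname -> version string, as an asset database might hold it.
const INVENTORY = {
  'fw-edge-1': '8.1.12',
  'fw-edge-2': '8.1.13',
  'panorama-1': '9.0.5-h1',
  'fw-lab': '8.0.21',
  'fw-new': '10.1.3',
};

// Sorted list of hosts that still need the fix (or, for 8.0, an upgrade off the train).
function affectedHosts(inventory) {
  return Object.entries(inventory)
    .filter(([, v]) => cve20202017Status(v) === 'affected')
    .map(([host]) => host)
    .sort();
}
```

Hosts reported as affected on the 8.0 train cannot be patched in place; for those the advisory's only remedy is the management-interface access restriction described above, pending an upgrade to a supported train.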

AI Insight generated on May 26, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products: 3

Patches: 0

No patches discovered yet.

Vulnerability mechanics

AI mechanics synthesis has not run for this CVE yet.

References: 1

News mentions: 0

No linked articles in our index yet.