A Vulnerability in Palo Alto Firewalls PAN-OS Could Allow for Arbitrary Code Execution

ITS Advisory Number: 2017-070
Date(s) Issued: Monday, July 24, 2017
Subject: A Vulnerability in Palo Alto Firewalls PAN-OS Could Allow for Arbitrary Code Execution
Overview: 

A vulnerability has been discovered in Palo Alto Networks PAN-OS, the operating system that runs on Palo Alto Networks firewall appliances, which could allow for arbitrary code execution. An attacker can exploit this issue using specifically crafted fully qualified domain names (FQDNs). Successful exploitation could allow for arbitrary code execution in the context of the application. Depending on the privileges associated with this application, an attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.

Threat Intelligence:

Proof-of-Concept code for this vulnerability is available. However, there are no reports of this vulnerability being exploited in the wild.

Systems Affected: 
  • PAN-OS 6.1.17 and prior
  • PAN-OS 7.0.15 and prior
  • PAN-OS 7.1.9 and prior
  • PAN-OS 8.0.2 and prior
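To triage a device inventory against the version list above, the following Python check (an added example, not part of the advisory) parses PAN-OS version strings and reports each device as affected, fixed, or on a branch the advisory does not list. The hostnames and versions in the sample inventory are constructed, and the handling of hotfix builds is an assumption noted in the code.

```python
import re

# Last affected maintenance release per major.minor branch, taken from the
# "Systems Affected" list in the advisory. Branches not listed here are
# reported as "unknown" rather than guessed at, so they can be reviewed by hand.
LAST_AFFECTED = {
    (6, 1): 17,
    (7, 0): 15,
    (7, 1): 9,
    (8, 0): 2,
}

# PAN-OS version strings look like "7.1.9" or, for hotfix builds, "7.1.9-h2".
# Assumption for this check: a hotfix is assessed as its base release, since
# the advisory lists maintenance releases only. Confirm against vendor notes.
_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:-h(\d+))?$")


def parse_version(version: str) -> tuple:
    """Split 'major.minor.maint[-hN]' into (major, minor, maint, hotfix)."""
    m = _VERSION_RE.match(version.strip())
    if not m:
        raise ValueError(f"unrecognised PAN-OS version string: {version!r}")
    major, minor, maint, hotfix = m.groups()
    return int(major), int(minor), int(maint), int(hotfix or 0)


def assess(version: str) -> str:
    """Return 'affected', 'fixed' or 'unknown' for one PAN-OS version string."""
    major, minor, maint, _hotfix = parse_version(version)
    last = LAST_AFFECTED.get((major, minor))
    if last is None:
        return "unknown"          # branch not covered by this advisory
    return "affected" if maint <= last else "fixed"


def triage(inventory: dict) -> dict:
    """Map hostname -> status for a {hostname: version} inventory."""
    return {host: assess(ver) for host, ver in inventory.items()}


if __name__ == "__main__":
    # Constructed sample inventory; these are not real devices.
    sample = {
        "fw-dc1": "7.1.9",
        "fw-dc2": "7.1.10",
        "fw-branch": "8.0.2-h4",
        "fw-legacy": "6.1.17",
        "fw-edge": "7.2.0",
    }
    for host, status in triage(sample).items():
        print(f"{host:10} {sample[host]:10} {status}")
```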
RISK
GOVERNMENT
Large and medium government entities: High
Small government entities: High
BUSINESS
Large and medium business entities: High
Small business entities: High
Home Users: Low
Description: 

A vulnerability has been discovered in Palo Alto Networks PAN-OS which could allow for arbitrary code execution. The vulnerability is triggered when the DNS Proxy feature resolves a specially crafted fully qualified domain name (FQDN), and the issue is present in both the Data and Management planes of the firewall. Successful exploitation could allow an attacker to execute arbitrary code in the context of the application. Depending on the privileges associated with this application, an attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. Proof-of-Concept code is available for this vulnerability; however, there are no reports of it being exploited in the wild.

Actions: 
  • After appropriate testing, immediately apply patches provided by Palo Alto Networks to vulnerable systems.
  • Where affected systems cannot be updated, disable the DNS Proxy feature, if possible, until the patch can be applied.
  • Verify no unauthorized system modifications have occurred on vulnerable systems before patching.