Logo
-

Byte Open Security

(ByteOS Network)

Log In

Sign Up

ByteOS

Security
Vulnerability Details
Registries
Custom Views
Weaknesses
Attack Patterns
Filters & Tools
CVE Vulnerability Details :
CVE-2019-17440
PUBLISHED
More InfoOfficial Page
Assigner-palo_alto
Assigner Org ID-d6c1279f-00f6-4ef7-9217-f89ffe703ec0
View Known Exploited Vulnerability (KEV) details
Published At-20 Dec, 2019 | 15:22
Updated At-17 Sep, 2024 | 01:56
Rejected At-
▼CVE Numbering Authority (CNA)
PAN-OS on PA-7000 Series: Improper restriction of communication to Log Forwarding Card (LFC) allows root access

Improper restriction of communications to Log Forwarding Card (LFC) on PA-7000 Series devices with second-generation Switch Management Card (SMC) may allow an attacker with network access to the LFC to gain root access to PAN-OS. This issue affects PAN-OS 9.0 versions prior to 9.0.5-h3 on PA-7080 and PA-7050 devices with an LFC installed and configured. This issue does not affect PA-7000 Series deployments using the first-generation SMC and the Log Processing Card (LPC). This issue does not affect any other PA series devices. This issue does not affect devices without an LFC. This issue does not affect PAN-OS 8.1 or prior releases. This issue only affected a very limited number of customers and we undertook individual outreach to help them upgrade. At the time of publication, all identified customers have upgraded SW or content and are not impacted.

Affected Products
Vendor
Palo Alto Networks, Inc.Palo Alto Networks
Product
PAN-OS
Platforms
  • PA-7000 Series with 2nd Generation SMC
Versions
Affected
  • From 9.0 before 9.0.5-h3 (custom)
    • -> unaffectedfrom9.0.6, 9.0.5-h3
Vendor
Palo Alto Networks, Inc.Palo Alto Networks
Product
PAN-OS
Versions
Unaffected
  • 8.0
  • 8.1
Problem Types
TypeCWE IDDescription
CWECWE-923CWE-923 Improper Restriction of Communication Channel to Intended Endpoints
Metrics
VersionBase scoreBase severityVector
3.110.0CRITICAL
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
Metrics Other Info
Impacts
CAPEC IDDescription
Solutions

This issue is fixed in 9.0.5-h3 and all subsequent releases. Content update 8218-5815 also fixes the issue.

Configurations
Workarounds

(1) Content update 8218-5815 can be applied without requiring a software update. Once the content update is installed please ensure that next PAN-OS upgrade is to a fixed version (9.0.5-h3 or later). Do not upgrade or downgrade to an affected release, as it can reintroduce the vulnerability. (2) Configure security policies to prevent network sessions destined to LFC. (3) Ensure that LFC is only connected to a secured administrative network with access restricted to trusted users. (4) Disable or disconnect LFC from the network until fixes can be applied.

Exploits

Palo Alto Networks is not aware of any exploitation of this issue.

Credits
Palo Alto Networks would like to thank Ayad (Ed) Sleiman, Head of Information Security at King Abdullah University of Science and Technology (KAUST) and his team for discovering and responsibly reporting this issue.
Timeline
EventDate
Replaced By
Rejected Reason
References
HyperlinkResource
https://security.paloaltonetworks.com/CVE-2019-17440
x_refsource_CONFIRM
▼Authorized Data Publishers (ADP)
CVE Program Container
Affected Products
Metrics
VersionBase scoreBase severityVector
Metrics Other Info
Impacts
CAPEC IDDescription
Solutions
Configurations
Workarounds
Exploits
Credits
Timeline
EventDate
Replaced By
Rejected Reason
References
HyperlinkResource
https://security.paloaltonetworks.com/CVE-2019-17440
x_refsource_CONFIRM
x_transferred
Details not found