PAN-OS: Improper Validation of Terminal Server Agent Certificate
An improper certificate validation vulnerability in PAN-OS allows users to connect Terminal Server Agents on Windows to PAN-OS using expired certificates even if the PAN-OS configuration would not normally permit them to do so.
VERSION MINOR VERSION SUGGESTED SOLUTION
Cloud NGFW No action needed.
PAN-OS 12.1 No action needed.
PAN-OS 11.2 11.2.0 through 11.2.7 Upgrade to 11.2.8 or later.
PAN-OS 11.1 11.1.0 through 11.1.10 Upgrade to 11.1.11 or later.
PAN-OS 10.2 10.2.0 through 10.2.16 Upgrade to 10.2.17 or later.
All older Upgrade to a supported fixed version.
unsupported
PAN-OS versions
Prisma Access 11.2 on PAN-OS 11.2.0 through 11.2.7 Upgrade to 11.2.7-h10 or later.
Prisma Access 10.2 on PAN-OS 10.2.0 through 10.2.10 Upgrade to 10.2.10-h28 or later.
Configurations
This issue only affects PAN-OS devices that connect to Terminal Server agents on Windows.
Follow these steps to check if PAN-OS devices connect to the Terminal Server agent (https://docs.paloaltonetworks.com/ngfw/administration/user-id/map-ip-addresses-to-users/configure-user-mapping-for-terminal-server-users/configure-the-palo-alto-networks-terminal-services-agent-for-user-mapping):
Device > User Identification > Terminal Server Agents
Workarounds
No known workarounds exist for this issue.
Exploits
Palo Alto Networks is not aware of any malicious exploitation of this issue.