Palo Alto Networks PAN-OS 6.1.x < 6.1.17 / 7.0.x < 7.0.15 / 7.1.x < 7.1.10 / 8.0.x < 8.0.2 Multiple Vulnerabilities

This script is Copyright (C) 2017 Tenable Network Security, Inc.


Synopsis :

The remote host is affected by multiple vulnerabilities.

Description :

The version of Palo Alto Networks PAN-OS running on the remote host is
6.1.x prior to 6.1.17, 7.0.x prior to 7.0.15, 7.1.x prior to 7.1.10,
or 8.0.x prior to 8.0.2. It is, therefore, affected by multiple
vulnerabilities :

- A flaw exists in the GNU wget component when handling
server redirects to FTP resources due to the destination
file name being obtained from the redirected URL and not
the original URL. An unauthenticated, remote attacker
can exploit this, via a specially crafted response, to
cause a different file name to be used than intended,
resulting in writing to arbitrary files. (CVE-2016-4971)

- A flaw exists in the Linux kernel due to improper
determination of the rate of challenge ACK segments. An
unauthenticated, remote attacker can exploit this to
gain access to the shared counter, which makes it easier
to hijack TCP sessions using a blind in-window attack.
This issue only affects version 7.1.x. (CVE-2016-5696)

- An out-of-bounds read error exists when handling packets
using the CHACHA20/POLY1305 or RC4-MD5 ciphers. An
unauthenticated, remote attacker can exploit this, via
specially crafted truncated packets, to cause a denial
of service condition. This issue does not affect version
6.1.x. (CVE-2017-3731)

- A cross-site scripting (XSS) vulnerability exists in
GlobalProtect due to improper validation of
user-supplied input to unspecified request parameters
before returning it to users. An unauthenticated, remote
attacker can exploit this, via a specially crafted
request, to execute arbitrary script code in a user's
browser session. This issue only affects version 7.0.x.
(CVE-2017-7409)

- A flaw exists in the web-based management interface due
to improper permission checks that allows an
authenticated, remote attacker to disclose sensitive
information. This issue only affects versions 6.1.x,
7.0.x, and 8.0.x. (CVE-2017-7644)

- An information disclosure vulnerability exists in the
GlobalProtect external interface due to returning
different error messages when handling login attempts
with valid or invalid usernames. An unauthenticated,
remote attacker can exploit this to enumerate valid
user accounts. This issue only affects versions 6.1.x,
7.0.x, and 8.0.x. (CVE-2017-7945)

- A denial of service vulnerability exists in the firewall
when handling stale responses to authentication requests
prior to selecting CHAP or PAP as the protocol. An
unauthenticated, remote attacker can exploit this to
cause the authentication process (authd) to stop
responding. This issue only affects versions 7.0.x and
7.1.x. (VulnDB 156216)

- An information disclosure vulnerability exists when
viewing changes in the configuration log due to the
'Auth Password' and 'Priv Password' for the SNMPv3
server profile not being properly masked. A local
attacker can exploit this to disclose password
information. This issue only affects versions 7.1.x and
8.0.x. (VulnDB 158179)

- A denial of service vulnerability exists due to a flaw
when handling HA3 messages. An unauthenticated, remote
attacker can exploit this to cause several processes to
stop. This issue only affects version 7.1.x.
(VulnDB 158180)

See also :

http://www.nessus.org/u?0d96265b
http://www.nessus.org/u?1f083775
http://www.nessus.org/u?aacbe40b
http://www.nessus.org/u?49c666f2
http://www.nessus.org/u?fe505ba3
http://www.nessus.org/u?9254ef1a

Solution :

Upgrade to Palo Alto Networks PAN-OS version 6.1.17 / 7.0.15 /
7.1.10 / 8.0.2 or later.
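The version logic this plugin description implies, as an added Python example rather than Tenable's own plugin code: it parses a PAN-OS version string, decides whether it falls in one of the affected ranges from the Solution section, and lists which of the issues above apply to that branch using the per-version notes in the Description. The handling of a "-hN" hotfix suffix is an assumption about PAN-OS version strings, not something this page states.

```python
"""Version-range check for the PAN-OS advisory above (added example)."""
from typing import List, Optional, Tuple

# Fixed releases taken from the Solution section; any release in the same
# major.minor branch below these is affected.
FIXED_VERSIONS = {
    (6, 1): (6, 1, 17),
    (7, 0): (7, 0, 15),
    (7, 1): (7, 1, 10),
    (8, 0): (8, 0, 2),
}

# Per-branch applicability as stated in the Description; an issue listed
# with ALL_BRANCHES has no branch restriction in the text.
ALL_BRANCHES = frozenset(FIXED_VERSIONS)
AFFECTED_BRANCHES = {
    "CVE-2016-4971": ALL_BRANCHES,
    "CVE-2016-5696": {(7, 1)},
    "CVE-2017-3731": ALL_BRANCHES - {(6, 1)},
    "CVE-2017-7409": {(7, 0)},
    "CVE-2017-7644": {(6, 1), (7, 0), (8, 0)},
    "CVE-2017-7945": {(6, 1), (7, 0), (8, 0)},
    "VulnDB 156216": {(7, 0), (7, 1)},
    "VulnDB 158179": {(7, 1), (8, 0)},
    "VulnDB 158180": {(7, 1)},
}


def parse_version(text: str) -> Tuple[int, int, int]:
    """Parse 'major.minor[.patch]' into a 3-tuple of ints.

    A '-hN' hotfix suffix (assumed PAN-OS convention) is stripped, since a
    hotfix of an affected release is still below the fixed release.
    Raises ValueError on anything that is not a dotted numeric version.
    """
    base = text.strip().split("-", 1)[0]
    parts = base.split(".")
    if not 2 <= len(parts) <= 3 or not all(p.isdigit() for p in parts):
        raise ValueError(f"unrecognised PAN-OS version: {text!r}")
    nums = tuple(int(p) for p in parts)
    return nums if len(nums) == 3 else (nums[0], nums[1], 0)


def fixed_version_for(version: str) -> Optional[str]:
    """Return the release the host should be upgraded to, or None when the
    version is outside the affected branches or already at/after the fix."""
    v = parse_version(version)
    fixed = FIXED_VERSIONS.get(v[:2])
    if fixed is None or v >= fixed:
        return None
    return ".".join(str(n) for n in fixed)


def is_affected(version: str) -> bool:
    """True when the version is in one of the four affected ranges."""
    return fixed_version_for(version) is not None


def applicable_issues(version: str) -> List[str]:
    """Issues from this advisory that apply to an affected version, in the
    order the Description lists them; empty when the version is not affected."""
    if not is_affected(version):
        return []
    branch = parse_version(version)[:2]
    return [issue for issue, branches in AFFECTED_BRANCHES.items()
            if branch in branches]


if __name__ == "__main__":
    # Constructed sample inventory, not real hosts.
    for host, ver in [("fw-a", "7.1.9-h4"), ("fw-b", "8.0.2"), ("fw-c", "6.1.16")]:
        fix = fixed_version_for(ver)
        status = f"upgrade to {fix}" if fix else "not affected"
        print(f"{host}: PAN-OS {ver} -> {status}; {applicable_issues(ver)}")
```

The per-branch table is the part worth keeping when triaging scan output: a 6.1.x host, for instance, is flagged by this plugin but is not exposed to the TCP challenge-ACK, CHACHA20/POLY1305, GlobalProtect XSS, authd, SNMPv3 or HA3 items, which changes how the finding is prioritised against the one shared CVSS score.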

Risk factor :

Medium / CVSS Base Score : 5.8
(CVSS2#AV:N/AC:M/Au:N/C:N/I:P/A:P)
CVSS Temporal Score : 4.8
(CVSS2#E:F/RL:OF/RC:ND)
Public Exploit Available : true

Family: Palo Alto Local Security Checks

Nessus Plugin ID: 100419

Bugtraq ID: 91530, 91704, 95813, 98404, 97953, 98396

CVE ID: CVE-2016-4971, CVE-2016-5696, CVE-2017-3731, CVE-2017-7409, CVE-2017-7644, CVE-2017-7945
