CVE-2017-15944
Published: 11 December 2017
Summary
CVE-2017-15944 is a critical-severity Improper Input Validation (CWE-20) vulnerability in Palo Alto Networks PAN-OS. Its CVSS base score is 9.8 (Critical).
Operationally, it ranks in the top 0.1% of CVEs by exploit likelihood, CISA has added it to the Known Exploited Vulnerabilities (KEV) catalog, and a public proof-of-concept exploit is referenced. Treat it as actively exploitable, not theoretical.
The strongest mitigations our analysis identified are NIST 800-53 SC-7 (Boundary Protection) and SI-2 (Flaw Remediation).
Deeper analysis
Palo Alto Networks PAN-OS releases before 6.1.19, 7.0.x before 7.0.19, 7.1.x before 7.1.14, and 8.0.x before 8.0.6 contain a remote code execution vulnerability in the management interface. The flaw is tracked as CVE-2017-15944 with a CVSS v3 base score of 9.8 and is classified under CWE-20 (Improper Input Validation) and CWE-119 (Improper Restriction of Operations within the Bounds of a Memory Buffer).
An unauthenticated attacker who can reach the management interface over the network can send specially crafted requests that execute arbitrary code on the appliance, giving full control over confidentiality, integrity and availability with no user interaction. Because the firewall is itself a security boundary, code execution on it also puts the traffic and policies it enforces at risk.
Vendor guidance and the public references direct administrators to upgrade to the fixed PAN-OS releases listed above. Exploit code has been published on Exploit-DB, so working proof-of-concept attacks are available to anyone. An appliance whose management interface was reachable from untrusted networks while unpatched should therefore be treated as potentially compromised rather than merely vulnerable; patching alone does not evict an attacker who already has a foothold.
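To check a fleet against the fixed builds above, a version-triage script such as the following is useful. It is an added example, not Palo Alto Networks code: the fixed-build table comes from the version list on this page, the `sw-version:` line mirrors the field printed by the PAN-OS CLI command `show system info`, and the sample output is constructed. It also generalises slightly beyond the advisory text, treating branches older than 6.1 as affected (they fall under "before 6.1.19") and branches newer than 8.0 as shipped after the fix; that generalisation is mine.

```python
"""Triage a PAN-OS build against the fixed releases for CVE-2017-15944.

Added example, not Palo Alto Networks code. The fixed builds are the ones
named on this page (6.1.19, 7.0.19, 7.1.14, 8.0.6); the 'sw-version:' line
mirrors the field shown by the PAN-OS CLI command `show system info`, and the
sample output below is constructed.
"""
import re
from typing import Dict, Optional, Tuple

# First fixed maintenance release per affected feature branch (from the CVE text).
FIXED_BUILDS: Dict[Tuple[int, int], int] = {
    (6, 1): 19,
    (7, 0): 19,
    (7, 1): 14,
    (8, 0): 6,
}

# PAN-OS versions look like 8.0.5 or 8.0.5-h1 (hotfix).
_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:-h(\d+))?$")


def parse_panos_version(version: str) -> Tuple[int, int, int, int]:
    """Parse '8.0.5-h2' into (major, minor, maintenance, hotfix); hotfix is 0 if absent."""
    m = _VERSION_RE.match(version.strip())
    if not m:
        raise ValueError(f"unrecognised PAN-OS version string: {version!r}")
    major, minor, maint, hotfix = m.groups()
    return int(major), int(minor), int(maint), int(hotfix or 0)


def is_affected(version: str) -> bool:
    """True if the build predates the fix for its branch.

    Hotfixes of a pre-fix release (e.g. 8.0.5-h3) stay affected because the
    fix first shipped in 8.0.6; 8.0.6 and 8.0.6-h1 are not affected.
    Branches older than 6.1 fall under "before 6.1.19" and are treated as
    affected; branches newer than 8.0 shipped after the fix (assumption).
    """
    major, minor, maint, _hotfix = parse_panos_version(version)
    branch = (major, minor)
    if branch in FIXED_BUILDS:
        return maint < FIXED_BUILDS[branch]
    return branch < (6, 1)


def sw_version_from_show_system_info(output: str) -> Optional[str]:
    """Extract the 'sw-version:' value from `show system info` output, or None."""
    for line in output.splitlines():
        key, sep, value = line.partition(":")
        if sep and key.strip() == "sw-version":
            return value.strip()
    return None


def triage(show_system_info: str) -> Dict[str, object]:
    """Turn raw CLI output into a verdict and the upgrade target for this CVE."""
    version = sw_version_from_show_system_info(show_system_info)
    if version is None:
        return {"version": None, "affected": None, "action": "sw-version not found"}
    affected = is_affected(version)
    major, minor, _maint, _hotfix = parse_panos_version(version)
    fix = FIXED_BUILDS.get((major, minor))
    if not affected:
        action = "no action for CVE-2017-15944"
    elif fix is not None:
        action = f"upgrade to {major}.{minor}.{fix} or later"
    else:
        action = "branch has no fixed build; move to a supported fixed release"
    return {"version": version, "affected": affected, "action": action}


# Constructed excerpt of `show system info` output (not from a real device).
SAMPLE_SHOW_SYSTEM_INFO = """\
hostname: fw-edge-01
ip-address: 192.0.2.10
model: PA-3020
sw-version: 8.0.5-h1
app-version: 743-4261
"""

if __name__ == "__main__":
    print(triage(SAMPLE_SHOW_SYSTEM_INFO))
```

Feed it the captured `show system info` output from each firewall (or the version string from Panorama's device inventory) and act on the `action` field; the point of comparing maintenance numbers per branch rather than whole version strings is that 7.1.14 is fixed while 8.0.5 is not, even though 8.0.5 sorts higher.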
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2017-7360
Vulnerability details
Palo Alto Networks PAN-OS before 6.1.19, 7.0.x before 7.0.19, 7.1.x before 7.1.14, and 8.0.x before 8.0.6 allows remote attackers to execute arbitrary code via vectors involving the management interface.
- CWE(s): CWE-20 (Improper Input Validation), CWE-119 (Improper Restriction of Operations within the Bounds of a Memory Buffer)
- KEV Date Added: 18 August 2022
Related Threats
No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.
Affected Assets
- Palo Alto Networks PAN-OS before 6.1.19 (this covers 6.1.x below 6.1.19 and all earlier feature releases)
- Palo Alto Networks PAN-OS 7.0.x before 7.0.19
- Palo Alto Networks PAN-OS 7.1.x before 7.1.14
- Palo Alto Networks PAN-OS 8.0.x before 8.0.6
Mitigating Controls (NIST 800-53 r5)
- SI-2 (Flaw Remediation): directly requires applying the vendor-supplied PAN-OS updates (6.1.19, 7.0.19, 7.1.14, 8.0.6 or later) that remove the unauthenticated RCE flaw from the management interface.
- SC-7 (Boundary Protection): boundary rules that deny all external network access to the management interface, ideally by keeping it on an out-of-band management network, block the attack vector before any crafted request reaches the appliance.
- AC-3 (Access Enforcement): restricting management-interface reachability to authorized source addresses (for example a PAN-OS permitted-IP list or a jump host) keeps unauthenticated requests from other sources off the vulnerable service. Requiring authentication on the interface itself does not help here, because the flaw is exploitable before authentication.
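The SC-7 and AC-3 controls above come down to one question: can an arbitrary source address reach the PAN-OS web UI or SSH? The following audit script answers it from an XML configuration export. It is an added example, not Palo Alto Networks code. The element paths it reads (`deviceconfig/system/permitted-ip` for the dedicated MGT port, `network/profiles/interface-management-profile` entries and the `layer3/interface-management-profile` reference on dataplane interfaces) are my assumptions about the exported config layout and should be verified against your own export; the "wider than a /24 is too broad" threshold is a policy knob, and both sample configs are constructed.

```python
"""Audit a PAN-OS XML configuration export for unrestricted management access.

Added example, not Palo Alto Networks code. Element paths (deviceconfig/system/
permitted-ip for the MGT port; network/profiles/interface-management-profile and
layer3/interface-management-profile for dataplane interfaces) are assumptions
to verify against your own export. Both sample configs below are constructed.
"""
import ipaddress
import xml.etree.ElementTree as ET
from typing import List, Optional

# Policy knob (assumption): any allowlist entry wider than a /24 is reported.
MAX_ALLOWLIST_ADDRESSES = 256

# Services that expose the management plane when enabled in a profile.
MGMT_SERVICES = ("https", "ssh", "http", "telnet")


def _cidrs(permitted_ip: Optional[ET.Element]) -> List[str]:
    """List the CIDR names under a <permitted-ip> element (empty if absent)."""
    if permitted_ip is None:
        return []
    return [e.get("name") for e in permitted_ip.findall("entry") if e.get("name")]


def is_overly_broad(cidr: str) -> bool:
    """True for 0.0.0.0/0, ::/0, anything wider than the policy knob, or junk."""
    try:
        net = ipaddress.ip_network(cidr, strict=False)
    except ValueError:
        return True  # unparsable entry: surface it rather than trusting it
    return net.num_addresses > MAX_ALLOWLIST_ADDRESSES


def audit_management_access(config_xml: str) -> List[str]:
    """Return one finding per exposure; an empty list means the config passes."""
    findings: List[str] = []
    root = ET.fromstring(config_xml)
    for dev in root.findall("./devices/entry"):
        dev_name = dev.get("name", "?")

        # 1. Dedicated MGT port: with no permitted-ip list, any source may connect.
        mgt_allow = _cidrs(dev.find("./deviceconfig/system/permitted-ip"))
        if not mgt_allow:
            findings.append(f"{dev_name}: MGT interface has no permitted-ip list")
        findings.extend(f"{dev_name}: MGT permitted-ip {c} is overly broad"
                        for c in mgt_allow if is_overly_broad(c))

        # 2. Dataplane interfaces that publish the web UI/SSH via a management profile.
        profiles = {}
        for prof in dev.findall("./network/profiles/interface-management-profile/entry"):
            enabled = [s for s in MGMT_SERVICES if (prof.findtext(s) or "no") == "yes"]
            profiles[prof.get("name")] = (enabled, _cidrs(prof.find("permitted-ip")))

        interfaces = dev.find("./network/interface")
        for iface in (interfaces.iter("entry") if interfaces is not None else []):
            prof_name = iface.findtext("layer3/interface-management-profile")
            if prof_name is None:
                continue
            enabled, allow = profiles.get(prof_name, ([], []))
            if not enabled:
                continue  # ping/SNMP-only profile: not a management-plane exposure
            where = f"{dev_name}: {iface.get('name')} exposes {','.join(enabled)} via profile {prof_name}"
            if not allow:
                findings.append(f"{where} with no permitted-ip list")
            findings.extend(f"{where} to {c}" for c in allow if is_overly_broad(c))
    return findings


# Constructed weak config: MGT unrestricted, web UI/SSH on a dataplane port open to all.
WEAK_CONFIG = """<config version="8.0.0">
 <devices><entry name="localhost.localdomain">
  <deviceconfig><system><hostname>fw-edge-01</hostname></system></deviceconfig>
  <network>
   <profiles><interface-management-profile>
    <entry name="allow-mgmt"><https>yes</https><ssh>yes</ssh>
     <permitted-ip><entry name="0.0.0.0/0"/></permitted-ip></entry>
   </interface-management-profile></profiles>
   <interface><ethernet><entry name="ethernet1/1"><layer3>
    <interface-management-profile>allow-mgmt</interface-management-profile>
   </layer3></entry></ethernet></interface>
  </network>
 </entry></devices>
</config>"""

# Constructed hardened config: MGT allowlisted to one subnet, dataplane profile ping-only.
HARDENED_CONFIG = """<config version="8.0.0">
 <devices><entry name="localhost.localdomain">
  <deviceconfig><system><hostname>fw-edge-01</hostname>
   <permitted-ip><entry name="10.20.30.0/24"/></permitted-ip></system></deviceconfig>
  <network>
   <profiles><interface-management-profile>
    <entry name="ping-only"><ping>yes</ping><https>no</https></entry>
   </interface-management-profile></profiles>
   <interface><ethernet><entry name="ethernet1/1"><layer3>
    <interface-management-profile>ping-only</interface-management-profile>
   </layer3></entry></ethernet></interface>
  </network>
 </entry></devices>
</config>"""

if __name__ == "__main__":
    for label, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(label, audit_management_access(cfg) or ["no findings"])
```

Run it over every exported config before and after the SC-7/AC-3 changes: the weak sample produces two findings (unrestricted MGT port, and `ethernet1/1` serving HTTPS/SSH to 0.0.0.0/0), the hardened sample produces none. An empty result is necessary but not sufficient; the allowlisted subnet still has to be one that untrusted users cannot originate traffic from.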