Lucene search

Palo Alto Networks Product Security Incident Response TeamPA-CVE-2024-0008

HistoryFeb 14, 2024 - 5:00 p.m.

PAN-OS: Insufficient Session Expiration Vulnerability in the Web Interface

2024-02-1417:00:00

Palo Alto Networks Product Security Incident Response Team

securityadvisories.paloaltonetworks.com

pan-os

session expiration

web interface

vulnerability

unauthorized access

endpoint security

inactivity-based locks

CVSS3

6.6

Attack Vector

PHYSICAL

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

REQUIRED

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:P/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

AI Score

Confidence

Low

EPSS

Percentile

9.0%

JSON

Web sessions in the management interface in Palo Alto Networks PAN-OS software do not expire in certain situations, making it susceptible to unauthorized access.

Work around:
Ensure that inactivity-based screen locks are enforced on endpoints with access to the PAN-OS web interface.

Affected configurations

Vulners

Node

softwarepan-osRange<9.0.17-h2

softwarepan-osRange<9.1.17

softwarepan-osRange<10.0.12-h1

softwarepan-osRange<10.0.13

softwarepan-osRange<10.1.10-h1

softwarepan-osRange<10.1.11

softwarepan-osRange<10.2.5

softwarepan-osRange<11.0.2

VendorProductVersionCPE
softwarepan-os*cpe:2.3:a:software:pan-os:*:*:*:*:*:*:*:*

Vendor	Product	Version	CPE
software	pan-os	*	cpe:2.3:a:software:pan-os::::::::

References

security.paloaltonetworks.com/CVE-2024-0008

CVSS3

6.6

Attack Vector

PHYSICAL

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

REQUIRED

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:P/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

AI Score

Confidence

Low

EPSS

Percentile

9.0%

JSON

Related for PA-CVE-2024-0008