Lucene search

Palo Alto Networks Product Security Incident Response TeamPA-CVE-2024-3387

HistoryApr 10, 2024 - 4:00 p.m.

PAN-OS: Weak Certificate Strength in Panorama Software Leads to Sensitive Information Disclosure

2024-04-1016:00:00

Palo Alto Networks Product Security Incident Response Team

securityadvisories.paloaltonetworks.com

pan-os

certificate strength

panorama software

sensitive information

disclosure

attack

encrypted traffic

management server

firewalls

CVSS3

5.3

Attack Vector

NETWORK

Attack Complexity

HIGH

Privileges Required

NONE

User Interaction

REQUIRED

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

NONE

Availability Impact

NONE

CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:N/A:N

AI Score

6.3

Confidence

High

JSON

A weak (low bit strength) device certificate in Palo Alto Networks Panorama software enables an attacker to perform a meddler-in-the-middle (MitM) attack to capture encrypted traffic between the Panorama management server and the firewalls it manages. With sufficient computing resources, the attacker could break encrypted communication and expose sensitive information that is shared between the management server and the firewalls.

Work around:
No work around available.

Affected configurations

Vulners

Node

softwarepan-osRange<10.1.12

softwarepan-osRange<10.2.7-h3

softwarepan-osRange<10.2.8

softwarepan-osRange<11.0.4

VendorProductVersionCPE
softwarepan-os*cpe:2.3:a:software:pan-os:*:*:*:*:*:*:*:*

Vendor	Product	Version	CPE
software	pan-os	*	cpe:2.3:a:software:pan-os::::::::

References

security.paloaltonetworks.com/CVE-2024-3387

CVSS3

5.3

Attack Vector

NETWORK

Attack Complexity

HIGH

Privileges Required

NONE

User Interaction

REQUIRED

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

NONE

Availability Impact

NONE

CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:N/A:N

AI Score

6.3

Confidence

High

JSON

Related for PA-CVE-2024-3387