An issue exists whereby LDAP bind passwords are logged to authd.log in clear text when using the default logging level of ‘debug’. (Ref #35493)
This issue results in administrator passwords being logged and stored in clear text. Inappropriate access to this information can lead to unauthorized administration of the device.
This issue affects PAN-OS 4.1.2 and earlier, and PAN-OS 4.0.8 and earlier. PAN-OS 3.1 is not affected.
Workaround:
This issue affects the management interface of the device. Security appliance management best practices dictate that the management interface be isolated and strictly limited only to security administration personnel.