Palo Alto Networks (PAN) fixed critical- and high-severity vulnerabilities in its security platform.
The critical-rated fix addresses a combination of vulnerabilities in the management interface that a remote, unauthenticated attacker can exploit to execute arbitrary code.
PAN-OS 6.1.18, 7.0.18, 7.1.13, 8.0.5 and earlier versions are affected. Fixes are available in PAN-OS 6.1.19, 7.0.19, 7.1.14 and 8.0.6.
Attacks can also be blocked using vulnerability signatures made available by the company.
The flaws were reported to Palo Alto Networks by Philip Pettersson.
PAN became aware of the issues in July and just released its fixes.
Pettersson disclosed three vulnerabilities, including a partial authentication bypass, an arbitrary directory creation issue, and a command injection bug.
Combining these flaws allows an unauthenticated attacker to execute arbitrary code with root privileges through the web interface.
“Palo Alto Networks recommends not exposing the web management interface to the Internet,” Pettersson said in a post. “By looking at Project Sonar or Shodan it is evident that it’s actually quite common to deploy the firewalls with the web management interface listening on the WAN port.”
The PAN-OS updates also address a high-severity flaw in the web interface packet capture management component. The security hole, reported by researchers from Samsung, allows an authenticated attacker to inject arbitrary commands.