A buffer overflow vulnerability in the User-ID™ Authentication Portal (aka Captive Portal) service of Palo Alto Networks PAN-OS software allows an unauthenticated attacker to execute arbitrary code with root privileges on the PA-Series and VM-Series firewalls by sending specially crafted packets.
The risk of this issue is greatly reduced if you secure access to the User-ID™ Authentication Portal per the best practice guidelines https://knowledgebase.paloaltonetworks.com/KCSArticleDetail by restricting access to only trusted internal IP addresses.
Prisma Access, Cloud NGFW and Panorama appliances are not impacted by this vulnerability.
CVSS Vector: CVSS:4.0/AV:A/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:L/SI:L/SA:N/E:A/AU:Y/R:U/V:C/RE:M/U:Red
CVSS Score: 8.7
You can greatly reduce the risk of exploitation by restricting User-ID™ Authentication Portal access to only trusted internal IP addresses and preventing its exposure to the internet.
| Exploitability Metrics |
Vulnerable System Impact Metrics |
Subsequent System Impact Metrics |
| Attack Vector |
Adjacent |
Confidentiality |
High |
Confidentiality |
Low |
| Attack Complexity |
Low |
Integrity |
High |
Integrity |
Low |
| Attack Requirements |
None |
Availability |
High |
Availability |
None |
| Privileges Required |
None |
| User Interaction |
None |
You can greatly reduce the risk of exploitation by restricting User-ID™ Authentication Portal access to only trusted internal IP addresses and preventing its exposure to the internet.
CVSS 4.0
Limited exploitation has been observed targeting Palo Alto Networks User-ID™ Authentication Portals that are exposed to untrusted IP addresses and/or the public internet. Customers following standard security best practices, such as restricting sensitive portals to trusted internal networks are at a greatly reduced risk.