CVE-2019-17440
PAN-OS on PA-7000 Series: Improper restriction of communication to Log Forwarding Card (LFC) allows root access
Severity Score
Exploit Likelihood
Affected Versions
Public Exploits
0Exploited in Wild
-Decision
Descriptions
Improper restriction of communications to Log Forwarding Card (LFC) on PA-7000 Series devices with second-generation Switch Management Card (SMC) may allow an attacker with network access to the LFC to gain root access to PAN-OS. This issue affects PAN-OS 9.0 versions prior to 9.0.5-h3 on PA-7080 and PA-7050 devices with an LFC installed and configured. This issue does not affect PA-7000 Series deployments using the first-generation SMC and the Log Processing Card (LPC). This issue does not affect any other PA series devices. This issue does not affect devices without an LFC. This issue does not affect PAN-OS 8.1 or prior releases. This issue only affected a very limited number of customers and we undertook individual outreach to help them upgrade. At the time of publication, all identified customers have upgraded SW or content and are not impacted.
La restricción incorrecta de las comunicaciones a la Tarjeta de reenvío de registros (LFC) en dispositivos de la serie PA-7000 con la Tarjeta de administración de conmutadores (SMC) de segunda generación puede permitir que un atacante con acceso de red al LFC obtenga acceso raíz al PAN-OS. Este problema afecta a las versiones de PAN-OS 9.0 anteriores a la versión 9.0.5-h3 en los dispositivos PA-7080 y PA-7050 con un LFC instalado y configurado. Este problema no afecta a las implementaciones de la serie PA-7000 utilizando la SMC de primera generación y la Tarjeta de procesamiento de registros (LPC). Este problema no afecta a ningún otro dispositivo de la serie PA. Este problema no afecta a los dispositivos sin un LFC. Este problema no afecta a PAN-OS 8.1 o versiones anteriores. Este problema solo afectó a un número muy limitado de clientes y realizamos actividades de divulgación individual para ayudarlos a actualizar. En el momento de la publicación, todos los clientes identificados han actualizado SW o contenido y no se ven afectados.
CVSS Scores
SSVC
- Decision:-
Timeline
- 2019-10-10 CVE Reserved
- 2019-12-20 CVE Published
- 2023-03-07 EPSS Updated
- 2024-09-17 CVE Updated
- ---------- Exploited in Wild
- ---------- KEV Due Date
- ---------- First Exploit
CWE
- CWE-923: Improper Restriction of Communication Channel to Intended Endpoints
CAPEC
References (1)
| URL | Tag | Source |
|---|---|---|
| https://security.paloaltonetworks.com/CVE-2019-17440 | X_refsource_confirm |
| URL | Date | SRC |
|---|
| URL | Date | SRC |
|---|
| URL | Date | SRC |
|---|
Affected Vendors, Products, and Versions
| Vendor | Product | Version | Other | Status | ||||||
|---|---|---|---|---|---|---|---|---|---|---|
| Vendor | Product | Version | Other | Status | <-- --> | Vendor | Product | Version | Other | Status |
| Paloaltonetworks Search vendor "Paloaltonetworks" | Pan-os Search vendor "Paloaltonetworks" for product "Pan-os" | >= 9.0 <= 9.0.5 Search vendor "Paloaltonetworks" for product "Pan-os" and version " >= 9.0 <= 9.0.5" | - |
Affected
| in | Paloaltonetworks Search vendor "Paloaltonetworks" | Pa-7050 Search vendor "Paloaltonetworks" for product "Pa-7050" | - | - |
Safe
|
| Paloaltonetworks Search vendor "Paloaltonetworks" | Pan-os Search vendor "Paloaltonetworks" for product "Pan-os" | >= 9.0 <= 9.0.5 Search vendor "Paloaltonetworks" for product "Pan-os" and version " >= 9.0 <= 9.0.5" | - |
Affected
| in | Paloaltonetworks Search vendor "Paloaltonetworks" | Pa-7080 Search vendor "Paloaltonetworks" for product "Pa-7080" | - | - |
Safe
|