// For flags

CVE-2022-0022

PAN-OS: Use of a Weak Cryptographic Algorithm for Stored Password Hashes

Severity Score

4.4
*CVSS v3.1

Exploit Likelihood

*EPSS

Affected Versions

*CPE

Public Exploits

0
*Multiple Sources

Exploited in Wild

-
*KEV

Decision

-
*SSVC
Descriptions

Usage of a weak cryptographic algorithm in Palo Alto Networks PAN-OS software where the password hashes of administrator and local user accounts are not created with a sufficient level of computational effort, which allows for password cracking attacks on accounts in normal (non-FIPS-CC) operational mode. An attacker must have access to the account password hashes to take advantage of this weakness and can acquire those hashes if they are able to gain access to the PAN-OS software configuration. Fixed versions of PAN-OS software use a secure cryptographic algorithm for account password hashes. This issue does not impact Prisma Access firewalls. This issue impacts: PAN-OS 8.1 versions earlier than PAN-OS 8.1.21; All versions of PAN-OS 9.0; PAN-OS 9.1 versions earlier than PAN-OS 9.1.11; PAN-OS 10.0 versions earlier than PAN-OS 10.0.7.

Uso de un algoritmo criptográfico débil en el software PAN-OS de Palo Alto Networks en el que los hashes de las contraseñas de las cuentas de administrador y de usuario local no se crean con un nivel de esfuerzo computacional suficiente, lo que permite realizar ataques de descifrado de contraseñas en las cuentas en modo operativo normal (no FIPS-CC). Un atacante debe tener acceso a los hashes de las contraseñas de las cuentas para aprovechar esta debilidad y puede adquirir esos hashes si consigue acceder a la configuración del software PAN-OS. Las versiones corregidas del software PAN-OS utilizan un algoritmo criptográfico seguro para los hashes de las contraseñas de las cuentas. Este problema no afecta a los cortafuegos Prisma Access. Este problema afecta a: Las versiones de PAN-OS 8.1 anteriores a PAN-OS 8.1.21; todas las versiones de PAN-OS 9.0; las versiones de PAN-OS 9.1 anteriores a PAN-OS 9.1.11; las versiones de PAN-OS 10.0 anteriores a PAN-OS 10.0.7

*Credits: Palo Alto Networks thanks an external security researcher for discovering and reporting this issue.
CVSS Scores
Attack Vector
Local
Attack Complexity
Low
Privileges Required
High
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
None
Availability
None
Attack Vector
Local
Attack Complexity
High
Privileges Required
High
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
None
Availability
None
Attack Vector
Local
Attack Complexity
Low
Authentication
None
Confidentiality
Partial
Integrity
Partial
Availability
Partial
* Common Vulnerability Scoring System
SSVC
  • Decision:-
Exploitation
-
Automatable
-
Tech. Impact
-
* Organization's Worst-case Scenario
Timeline
  • 2021-12-28 CVE Reserved
  • 2022-03-09 CVE Published
  • 2023-03-08 EPSS Updated
  • 2024-09-16 CVE Updated
  • ---------- Exploited in Wild
  • ---------- KEV Due Date
  • ---------- First Exploit
CWE
  • CWE-916: Use of Password Hash With Insufficient Computational Effort
CAPEC
References (1)
Affected Vendors, Products, and Versions
Vendor Product Version Other Status
Vendor Product Version Other Status <-- --> Vendor Product Version Other Status
Paloaltonetworks
Search vendor "Paloaltonetworks"
Pan-os
Search vendor "Paloaltonetworks" for product "Pan-os"
>= 8.1.0 < 8.1.21
Search vendor "Paloaltonetworks" for product "Pan-os" and version " >= 8.1.0 < 8.1.21"
-
Affected
Paloaltonetworks
Search vendor "Paloaltonetworks"
Pan-os
Search vendor "Paloaltonetworks" for product "Pan-os"
>= 9.0.0 <= 9.0.15
Search vendor "Paloaltonetworks" for product "Pan-os" and version " >= 9.0.0 <= 9.0.15"
-
Affected
Paloaltonetworks
Search vendor "Paloaltonetworks"
Pan-os
Search vendor "Paloaltonetworks" for product "Pan-os"
>= 9.1.0 < 9.1.11
Search vendor "Paloaltonetworks" for product "Pan-os" and version " >= 9.1.0 < 9.1.11"
-
Affected
Paloaltonetworks
Search vendor "Paloaltonetworks"
Pan-os
Search vendor "Paloaltonetworks" for product "Pan-os"
>= 10.0.0 < 10.0.7
Search vendor "Paloaltonetworks" for product "Pan-os" and version " >= 10.0.0 < 10.0.7"
-
Affected