CVE-2024-5917: PAN-OS: Server-Side Request Forgery in WildFire (Severity: LOW)
First published: Wed Nov 13 2024(Updated: )
A server-side request forgery in PAN-OS software enables an authenticated attacker to use the administrative web interface as a proxy, which enables the attacker to view internal network resources not otherwise accessible.
Credit: psirt@paloaltonetworks.com
| Affected Software | Affected Version | How to fix |
|---|---|---|
| Palo Alto Networks Cloud NGFW | ||
| Palo Alto Networks PAN-OS | <10.2.2=10.2.0<10.1.7=10.1.0 | 10.2.2 10.1.7 |
| Palo Alto Networks PAN-OS | >=10.1.0<10.1.7 | |
| Palo Alto Networks PAN-OS | >=10.2.0<10.2.2 |
Remedy
This issue is fixed in PAN-OS 10.1.7, PAN-OS 10.2.2, and all later PAN-OS versions.
Remedy
Recommended mitigation—The vast majority of firewalls already follow Palo Alto Networks and industry best practices. However, if you haven’t already, we strongly recommend that you secure access to your management interface according to our best practice deployment guidelines. Specifically, you should restrict access to the management interface to only trusted internal IP addresses to prevent external access from the internet. Review information about how to secure management access to your Palo Alto Networks firewalls: * Palo Alto Networks LIVEcommunity article: https://live.paloaltonetworks.com/t5/community-blogs/tips-amp-tricks-how-to-secure-the-management-access-of-your-palo/ba-p/464431 * Palo Alto Networks official and more detailed technical documentation: https://docs.paloaltonetworks.com/best-practices/10-1/administrative-access-best-practices/administrative-access-best-practices/deploy-administrative-access-best-practices
Remedy
This issue is fixed in PAN-OS 10.1.7, PAN-OS 10.2.2, and all later PAN-OS versions.
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
Frequently Asked Questions
What is the severity of CVE-2024-5917?
CVE-2024-5917 is classified as a critical vulnerability due to its potential impact on internal network security.
How do I fix CVE-2024-5917?
To fix CVE-2024-5917, upgrade the affected PAN-OS versions to at least 10.2.2 or 10.1.7.
What software is affected by CVE-2024-5917?
CVE-2024-5917 affects Palo Alto Networks Cloud NGFW and specific versions of PAN-OS including 10.2.0, 10.2.2, and 10.1.0 to 10.1.7.
What type of vulnerability is CVE-2024-5917?
CVE-2024-5917 is a server-side request forgery (SSRF) vulnerability.
Can CVE-2024-5917 be exploited remotely?
CVE-2024-5917 requires authentication, meaning an attacker must have access to the administrative web interface to exploit the vulnerability.
- agent/weakness
- agent/references
- agent/type
- agent/author
- agent/title
- agent/trending
- agent/first-publish-date
- collector/mitre-cve
- source/MITRE
- agent/description
- agent/source
- collector/paloaltonetworks-latest
- source/Palo Alto Networks
- agent/last-modified-date
- agent/severity
- agent/tags
- agent/softwarecombine
- agent/event
- collector/paloaltonetworks-api
- agent/software-canonical-lookup
- agent/remedy
- collector/nvd-api
- source/NVD
- agent/software-canonical-lookup-request
- vendor/palo alto networks
- canonical/palo alto networks cloud ngfw
- canonical/palo alto networks pan-os
- version/palo alto networks pan-os/10.2.0
- version/palo alto networks pan-os/10.1.0
- vendor/paloaltonetworks