PAN-SA-2025-0003: Informational: PAN-OS BIOS and Bootloader Security Bulletin
First published: Thu Jan 23 2025(Updated: )
Palo Alto Networks is aware of claims of multiple vulnerabilities in hardware device firmware and bootloaders included in our PA-Series (hardware) firewalls. It is not possible for malicious actors or PAN-OS administrators to exploit these vulnerabilities under normal conditions on PAN-OS versions with up-to-date, secured management interfaces deployed according to the best practices guidelines (https://docs.paloaltonetworks.com/best-practices/10-1/administrative-access-best-practices/administrative-access-best-practices/deploy-administrative-access-best-practices). Users and administrators do not have access to the BIOS firmware or permissions to modify it. An attacker would need to first compromise the system and then get the root Linux privileges necessary to perform these actions before they could exploit these vulnerabilities. These vulnerabilities themselves do not allow an attacker to compromise the PAN-OS software on the firewall. None of the concerns are applicable to PAN-OS CN-Series, PAN-OS VM-Series, Cloud NGFW and Prisma Access.
| Affected Software | Affected Version | How to fix |
|---|---|---|
| Palo Alto Networks Cloud NGFW | ||
| Palo Alto Networks PAN-OS CN-Series | ||
| Palo Alto Networks PAN-OS PA-Series | <As listed in the CVE table above= | |
| Palo Alto Networks PAN-OS VM-Series | ||
| Palo Alto Networks Prisma Access |
Remedy
These vulnerabilities require an attacker to compromise PAN-OS software before they can successfully exploit it. The risk of exploitation on PAN-OS software is reduced by upgrading your appliances to the latest versions. Additionally secure access to the management web interface by restricting access to only trusted internal IP addresses according to our recommended best practice deployment guidelines (https://docs.paloaltonetworks.com/best-practices).
Remedy
While the conditions required to exploit these vulnerabilities are not available to users protected by PAN-OS or administrators of PAN-OS software, we are working with the third-party vendors to develop any firmware updates that may be needed. We will provide further updates and guidance as they become available.
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
- collector/paloaltonetworks-latest
- source/Palo Alto Networks
- agent/title
- agent/references
- agent/last-modified-date
- agent/type
- agent/first-publish-date
- agent/source
- agent/event
- agent/severity
- agent/remedy
- agent/description
- agent/softwarecombine
- agent/tags
- collector/paloaltonetworks-api
- agent/software-canonical-lookup
- agent/software-canonical-lookup-request
- vendor/palo alto networks
- canonical/palo alto networks cloud ngfw
- canonical/palo alto networks pan-os cn-series
- canonical/palo alto networks pan-os pa-series
- version/palo alto networks pan-os pa-series/
- canonical/palo alto networks pan-os vm-series
- canonical/palo alto networks prisma access