#VU13863 Information disclosure in Palo Alto PAN-OS - CVE-2018-9334

Cybersecurity Help s.r.o.

Published: 2018-07-13

Vulnerability identifier: #VU13863

Vulnerability risk: Low

CVSSv4.0: 4.6 [CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear]

CVE-ID: CVE-2018-9334

CWE-ID: CWE-200

Exploitation vector: Network

Exploit availability: No

Vulnerable software:
Palo Alto PAN-OS
Operating systems & Components / Operating system

Vendor: Palo Alto Networks, Inc.

Description

The vulnerability allows a remote authenticated administrator attacker to obtain potentially sensitive information on the target system.

The vulnerability exists due to unspecified flaw. A remote attacker can modify HTML markup on the management web interface to obtain GlobalProtect password hashes of local users.

Mitigation
The vulnerability is fixed in the versions 6.1.21, 7.1.17, 8.0.9, 8.1.1.

Vulnerable software versions

Palo Alto PAN-OS: 6.1.0 - 6.1.19, 7.1.0 - 7.1.14, 8.0.0 - 8.0.7

External links
https://securityadvisories.paloaltonetworks.com/Home/Detail/124

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote authenticated privileged user via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

Latest bulletins with this vulnerability

Ubuntu update for edk2

Multiple vulnerabilities in Palo Alto PAN-OS