Palo Alto Networks PAN-OS OpenConfig Plugin Command Injection Vulnerability

Vulnerability

A command injection vulnerability exists in the Palo Alto Networks PAN-OS OpenConfig plugin, allowing authenticated administrators to bypass system restrictions and execute arbitrary commands via gNMI requests to the PAN-OS management web interface. The executed commands are run as the '__openconfig' user, who holds the Device Administrator role on the firewall. This vulnerability affects OpenConfig plugin versions prior to 2.1.2, with the risk being highest when the management interface is accessible from external IP addresses on the internet.

Impact

Exploitation of this vulnerability allows for command injection, with executed commands running as a privileged user on the firewall.

Remediation

To address this vulnerability, update the OpenConfig plugin to version 2.1.2 or later. If the OpenConfig plugin is not in use, it can be disabled or uninstalled. For detailed instructions on managing the OpenConfig plugin, refer to the Palo Alto Networks official documentation.
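The remediation above reduces to a fleet-wide check: find every firewall whose installed OpenConfig plugin is older than 2.1.2, and raise the priority where the management interface is not on an internal network. The script below is an added example, not Palo Alto Networks code: the inventory text is a constructed sample in an assumed "hostname mgmt-ip plugin version state" layout (the real `show plugins packages` or XML API output would need its own parser), and the list of internal management networks is an assumed organisational setting.

```python
"""Flag firewalls whose installed OpenConfig plugin predates the fixed release (2.1.2).

Added example; not Palo Alto Networks code. Inventory format and internal-network
list are assumptions, labelled below.
"""
import ipaddress
import re

FIXED_VERSION = (2, 1, 2)  # first fixed OpenConfig plugin version per the advisory

# Assumed organisational setting: management addresses inside these ranges are
# treated as internal; anything else is treated as externally reachable.
INTERNAL_NETWORKS = [
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("172.16.0.0/12"),
    ipaddress.ip_network("192.168.0.0/16"),
]

# Constructed sample inventory (one firewall per line, assumed layout
# "<hostname> <mgmt-ip> <plugin> <version> <state>"). Not real PAN-OS output.
SAMPLE_INVENTORY = """\
fw-edge-01   203.0.113.10   openconfig 2.0.1 installed
fw-core-01   10.20.0.5      openconfig 2.1.1 installed
fw-core-02   10.20.0.6      openconfig 2.1.2 installed
fw-lab-01    192.168.5.1    openconfig 2.0.3 downloaded
fw-dc-01     10.30.0.9      vm_series  3.0.2 installed
"""


def parse_version(text):
    """Turn '2.1.2' (or '2.1.2-h1', suffix stripped) into a comparable tuple of ints."""
    return tuple(int(part) for part in re.findall(r"\d+", text.split("-")[0]))


def is_affected(plugin, version, state):
    """Affected = OpenConfig plugin actually installed at a version before 2.1.2.

    A package that is only downloaded is not running and is not reported here.
    """
    return (
        plugin == "openconfig"
        and state == "installed"
        and parse_version(version) < FIXED_VERSION
    )


def exposure(mgmt_ip):
    """'internal' if the management address sits in an assumed internal range, else 'external'."""
    addr = ipaddress.ip_address(mgmt_ip)
    return "internal" if any(addr in net for net in INTERNAL_NETWORKS) else "external"


def audit(inventory):
    """Return (hostname, version, exposure, priority) for each affected firewall.

    Externally reachable management interfaces get P1, matching the advisory's
    note that risk is highest when the interface is reachable from the internet.
    """
    findings = []
    for line in inventory.splitlines():
        if not line.strip():
            continue
        host, ip, plugin, version, state = line.split()
        if is_affected(plugin, version, state):
            exp = exposure(ip)
            priority = "P1" if exp == "external" else "P2"
            findings.append((host, version, exp, priority))
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_INVENTORY):
        print(*finding)
```

On the constructed sample this reports fw-edge-01 (2.0.1, external, P1) and fw-core-01 (2.1.1, internal, P2); the firewall already on 2.1.2, the one with the package only downloaded, and the one without the plugin are not listed.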

Added: Jun 9, 2025, 7:46 PM
Updated: Jun 9, 2025, 7:46 PM

Vulnerability Rating

Custom Algorithm

  Category        Score
  spread          5.7
  impact          7.5
  exploitability  4.4
  remediation     7.9
  relevance       0.0
  threat          0.0
  urgency         5.7
  incentive       1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.