Palo Alto Networks PAN-OS Server-Side Request Forgery Vulnerability in IKEv2 Implementation

Vulnerability

A server-side request forgery (SSRF) vulnerability has been identified in the IKEv2 implementation of Palo Alto Networks PAN-OS software. This vulnerability allows an unauthenticated attacker to manipulate the firewall into sending network requests to unintended destinations or to create a denial-of-service condition. The issue affects PAN-OS versions 10.2, 11.1, 11.2, and 12.1, with specific vulnerable sub-versions. Notably, this vulnerability does not impact Panorama, Cloud NGFW, or Prisma Access.

Impact

Exploitation of this vulnerability allows for server-side request forgery, where the firewall is tricked into making requests to internal or external resources on behalf of the attacker. This could potentially be used to access sensitive information or services that are not normally exposed to the public. Additionally, the vulnerability can lead to a denial-of-service condition, causing the firewall to become unresponsive or to fail in processing legitimate network traffic.

Remediation

Users can upgrade to the latest versions of PAN-OS to address this vulnerability. For those who do not require IKEv2 VPN, the issue can be mitigated by removing all IKEv2 VPN gateway configurations. Customers with a Threat Prevention subscription can block attacks targeting this vulnerability by enabling Threat ID 510014.
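To act on the second mitigation, an operator first needs to know which IKE gateways on a firewall actually negotiate IKEv2. The following inventory script is an added example, not code from the advisory or from Palo Alto Networks; it assumes a PAN-OS configuration export in which IKE gateways sit under network/ike/gateway/entry and carry a protocol/version element (ikev1, ikev2 or ikev2-preferred), and the XML it parses is a constructed sample.

```python
"""Inventory IKE gateways in a PAN-OS configuration export and flag the ones
that can negotiate IKEv2, i.e. the gateways the advisory says to remove when
IKEv2 VPN is not required.

Assumption: gateway entries live under network/ike/gateway/entry and carry a
protocol/version element whose value is ikev1, ikev2 or ikev2-preferred.
The XML below is a constructed sample, not a real export.
"""
import xml.etree.ElementTree as ET

SAMPLE_CONFIG = """<config>
  <devices><entry name="localhost.localdomain"><network><ike><gateway>
    <entry name="branch-a">
      <protocol><version>ikev2</version></protocol>
      <local-address><interface>ethernet1/1</interface></local-address>
    </entry>
    <entry name="legacy-peer">
      <protocol><version>ikev1</version></protocol>
    </entry>
    <entry name="dc-hub">
      <protocol><version>ikev2-preferred</version></protocol>
    </entry>
    <entry name="no-version-set">
      <protocol/>
    </entry>
  </gateway></ike></network></entry></devices>
</config>"""

IKEV2_VERSIONS = {"ikev2", "ikev2-preferred"}


def ikev2_gateways(config_xml: str) -> dict:
    """Map gateway name -> configured version for every gateway that either
    allows IKEv2 or has no explicit version (returned as None so the operator
    verifies it instead of assuming it is safe)."""
    root = ET.fromstring(config_xml)
    flagged = {}
    for entry in root.iterfind(".//network/ike/gateway/entry"):
        name = entry.get("name", "<unnamed>")
        version = entry.findtext("protocol/version")
        if version is None or version in IKEV2_VERSIONS:
            flagged[name] = version
    return flagged


if __name__ == "__main__":
    for name, version in ikev2_gateways(SAMPLE_CONFIG).items():
        print(f"{name}: {version or 'version not set, verify manually'}")
```

Gateways listed with a version of None are not proof of exposure; they are simply the entries whose effective protocol the script cannot determine from the export alone.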

Added: May 13, 2026, 7:37 PM
Updated: May 13, 2026, 7:37 PM

Vulnerability Rating

Custom Algorithm

spread: 5.7
impact: 2.5
exploitability: 6.3
remediation: 8.3
relevance: 8.2
threat: 0.0
urgency: 5.7
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.