CVE-2023-6790
📋 TL;DR
This DOM-based cross-site scripting (XSS) vulnerability in the Palo Alto Networks PAN-OS web interface lets a remote attacker run JavaScript in an administrator's browser by getting the administrator to open a specially crafted link to the interface. Because the script executes inside the administrator's authenticated session, it can be used to hijack that session or steal credentials. Exploitation requires user interaction, but a successful attack can end in full administrative compromise of the firewall.
💻 Affected Systems
- Palo Alto Networks PAN-OS (releases before the fixed versions listed under Official Fix)
📦 What is this software?
PAN-OS by Palo Alto Networks
⚠️ Risk & Real-World Impact
Worst Case
Complete administrative takeover of the firewall, allowing an attacker to modify security policy, exfiltrate configuration data, create backdoor administrator accounts, or pivot to internal networks.
Likely Case
Session hijacking that leads to unauthorized configuration changes, credential theft, or installation of persistent access mechanisms.
If Mitigated
Limited impact if administrators do not open untrusted links while logged in to the web interface, use dedicated admin accounts with MFA (which limits reuse of stolen credentials but does not stop actions performed through an already authenticated session), and reach the interface only from a restricted management network.
🎯 Exploit Status
Exploitation requires social engineering: the attacker must get a logged-in administrator to open a crafted link. No credentials or authentication bypass are needed, because the payload runs inside the administrator's existing session.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: PAN-OS 10.2.9, PAN-OS 11.0.4, PAN-OS 11.1.2
Vendor Advisory: https://security.paloaltonetworks.com/CVE-2023-6790
Restart Required: Yes
Instructions:
1. Download the appropriate PAN-OS update from the Palo Alto Networks support portal.
2. Upload it to the firewall via the web interface or CLI.
3. Install the update via the web interface or CLI.
4. Reboot the firewall to complete the installation.
🔧 Temporary Workarounds
Restrict Admin Access
Limit access to the PAN-OS web interface to trusted management IP addresses using the management interface's permitted-IP restrictions, and never expose the interface to the internet.
Admin Security Training
Train administrators not to open untrusted links while authenticated to the PAN-OS web interface, and to log out when they are finished.
🧯 If You Can't Patch
- Implement strict network segmentation so the PAN-OS management interface is reachable only from a dedicated management network or jump host, never from untrusted networks
- Require multi-factor authentication for all PAN-OS administrator accounts to limit reuse of any stolen credentials (MFA does not prevent actions taken through a hijacked session)
🔍 How to Verify
Check if Vulnerable:
Check the running PAN-OS version in the web interface (Dashboard > General Information widget, Software Version) or with the CLI command: show system info
Check Version:
show system info | match sw-version
Verify Fix Applied:
Verify the PAN-OS version is at or above the fixed release for its release train (10.2.9, 11.0.4, or 11.1.2 as listed above). Compare within the train: an earlier maintenance release of a newer train is not automatically fixed.
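As an added example (not Palo Alto Networks code), the following Python script pulls the sw-version field out of show system info output and compares it, train by train, against the fixed releases listed on this page. The sample output is constructed, and the hotfix handling (treating 10.2.8-h5 as below 10.2.9) is an assumption about how the vendor numbers fixes; trains not in the page's list are reported as unknown rather than guessed.

```python
"""Compare a PAN-OS sw-version against the CVE-2023-6790 fixed releases.

Added example, not Palo Alto Networks code. The fixed-release table is the
one given on this page; release trains not in it are reported as unknown.
"""
import re

# Fixed release per train, as listed in the Official Fix section above.
FIXED_VERSIONS = {
    "10.2": "10.2.9",
    "11.0": "11.0.4",
    "11.1": "11.1.2",
}

# major.minor.maintenance with an optional -hN hotfix suffix, e.g. 10.2.7-h3
_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:-h(\d+))?$")


def parse_version(ver):
    """Turn '11.0.4-h2' into a comparable tuple (11, 0, 4, 2).

    A missing hotfix suffix counts as hotfix 0, so 10.2.8-h5 sorts below
    10.2.9 (assumption: a hotfix on an older base does not contain the fix).
    """
    m = _VERSION_RE.match(ver.strip())
    if not m:
        raise ValueError(f"unrecognised PAN-OS version: {ver!r}")
    major, minor, maint, hotfix = m.groups()
    return (int(major), int(minor), int(maint), int(hotfix or 0))


def sw_version_from_system_info(output):
    """Pull the sw-version field out of 'show system info' output."""
    for line in output.splitlines():
        key, sep, value = line.partition(":")
        if sep and key.strip() == "sw-version":
            return value.strip()
    raise ValueError("sw-version not found in output")


def is_vulnerable(ver):
    """True if below the fixed release for its train, False if at or above,
    None if the train is not in FIXED_VERSIONS (consult the vendor advisory)."""
    parsed = parse_version(ver)
    fixed = FIXED_VERSIONS.get(f"{parsed[0]}.{parsed[1]}")
    if fixed is None:
        return None
    return parsed < parse_version(fixed)


def describe(ver):
    """Human-readable verdict for one version string."""
    state = is_vulnerable(ver)
    if state is None:
        return f"{ver}: train not covered by the fix list on this page"
    return f"{ver}: {'VULNERABLE, upgrade' if state else 'fixed'}"


# Constructed, abbreviated 'show system info' output; not from a real device.
SAMPLE_OUTPUT = """\
hostname: fw-edge-01
model: PA-440
serial: 000000000000
sw-version: 10.2.7-h3
app-version: 8800-8500
"""

if __name__ == "__main__":
    print(describe(sw_version_from_system_info(SAMPLE_OUTPUT)))
    for v in ("10.2.9", "11.0.3", "11.0.4-h2", "11.1.2", "9.1.17"):
        print(describe(v))
```

Paste the real output of show system info into SAMPLE_OUTPUT (or pipe it in) and extend FIXED_VERSIONS from the vendor advisory for any train it lists that this page does not.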
📡 Detection & Monitoring
Log Indicators:
- Unusual configuration changes by administrators
- Multiple failed login attempts followed by successful login from same IP
- Administrator sessions from unexpected IP addresses
Network Indicators:
- HTTP requests to the PAN-OS web interface whose URL parameters carry JavaScript-like payloads (note that a DOM-based XSS payload can also be placed in the URL fragment, which the browser never sends to the server, so it will not appear in the firewall's own logs; look for the crafted link in mail, chat, or proxy logs as well)
- Outbound connections from the firewall's management interface to unexpected external IPs
SIEM Query (illustrative pseudo-query; the field names are placeholders to map onto your SIEM's PAN-OS log schema, and the outer parentheses are needed so the source filter applies to both branches):
source="pan-firewall" AND ((event_type="CONFIG" AND user_change="true") OR (event_type="TRAFFIC" AND dest_ip IN [suspicious_ips]))
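To show the network and log indicators above as concrete checks, here is an added Python example (not Palo Alto Networks code) run over constructed sample data: it flags links to a hypothetical management host whose query or fragment contains payload-like content, and flags configuration-change events whose source IP lies outside an assumed management allowlist. The management hostname, URL parameters, and event field names are all assumptions for the example, not the PAN-OS log schema.

```python
"""Flag web-interface links and admin config events matching the
indicators above. Added example over constructed sample data; not Palo Alto
Networks code, and the event field names are assumptions, not the PAN-OS
log schema."""
import ipaddress
import re
from urllib.parse import parse_qsl, unquote, urlsplit

# Patterns suggesting a JavaScript payload, matched after URL decoding.
PAYLOAD_PATTERNS = [re.compile(p, re.IGNORECASE) for p in (
    r"<\s*script",                     # inline <script> tag
    r"javascript\s*:",                 # javascript: URL
    r"\bon[a-z]+\s*=",                 # event handler attribute, e.g. onerror=
    r"\b(?:eval|alert|document\.cookie|document\.location)\b",
)]


def suspicious_parts(url):
    """Return decoded query values and fragment that look like payloads.

    The fragment is inspected too: a DOM-based XSS payload often rides in
    '#...', which the browser never sends to the server, so this only helps
    on links captured before the click (mail, chat, proxy logs), not on the
    firewall's own access logs.
    """
    parts = urlsplit(url)
    candidates = [v for _, v in parse_qsl(parts.query, keep_blank_values=True)]
    if parts.fragment:
        candidates.append(parts.fragment)
    hits = []
    for c in candidates:
        decoded = unquote(unquote(c))  # tolerate double-encoding
        if any(p.search(decoded) for p in PAYLOAD_PATTERNS):
            hits.append(decoded)
    return hits


def unexpected_admin_events(events, allowed_networks):
    """Return config-change events whose source IP is outside the allowlist."""
    nets = [ipaddress.ip_network(n) for n in allowed_networks]
    return [
        ev for ev in events
        if ev["type"] == "CONFIG"
        and not any(ipaddress.ip_address(ev["src_ip"]) in n for n in nets)
    ]


# Constructed sample links to a hypothetical management host (not real PAN-OS
# URLs or paths).
SAMPLE_URLS = [
    "https://fw-mgmt.example.net/?view=dashboard",
    "https://fw-mgmt.example.net/?view=%3Cscript%3Ealert(1)%3C%2Fscript%3E",
    "https://fw-mgmt.example.net/?q=%253Cimg%20src%3Dx%20onerror%3Dalert(1)%253E",
    "https://fw-mgmt.example.net/#page=javascript:alert(document.cookie)",
]

# Constructed admin events; field names and commands are placeholders.
SAMPLE_EVENTS = [
    {"type": "CONFIG", "admin": "alice", "src_ip": "10.10.0.15",
     "cmd": "edit security policy"},
    {"type": "CONFIG", "admin": "alice", "src_ip": "198.51.100.23",
     "cmd": "add administrator account"},
    {"type": "TRAFFIC", "admin": "", "src_ip": "198.51.100.23", "cmd": ""},
]

# Assumed management allowlist for the example.
ALLOWED_MGMT_NETWORKS = ["10.10.0.0/24"]

if __name__ == "__main__":
    for url in SAMPLE_URLS:
        hits = suspicious_parts(url)
        if hits:
            print("payload-like link:", url, hits)
    for ev in unexpected_admin_events(SAMPLE_EVENTS, ALLOWED_MGMT_NETWORKS):
        print("config change from outside management network:", ev)
```

The payload patterns are deliberately broad and will produce false positives on legitimate values; treat a hit as a trigger to pull the administrator's session and config history for review, not as proof of compromise.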