CVE-2024-5920
📋 TL;DR
This XSS vulnerability in Palo Alto Networks PAN-OS allows an authenticated read-write Panorama administrator to push malicious configurations to PAN-OS nodes, enabling impersonation of legitimate administrators. Attackers can perform restricted actions on PAN-OS nodes after executing JavaScript in an administrator's browser. Only organizations using affected PAN-OS versions with Panorama administrators are impacted.
💻 Affected Systems
- Palo Alto Networks PAN-OS
📦 What is this software?
PAN-OS by Palo Alto Networks
⚠️ Risk & Real-World Impact
Worst Case
An attacker with Panorama administrator access could impersonate legitimate PAN-OS administrators to modify firewall rules, create backdoors, exfiltrate sensitive network data, or disrupt network security controls.
Likely Case
Malicious or compromised Panorama administrators could escalate privileges to perform unauthorized actions on PAN-OS nodes, potentially bypassing security policies or gaining persistent access.
If Mitigated
With proper access controls and monitoring, impact is limited to authorized Panorama administrators who would already have significant privileges, reducing the attack surface.
🎯 Exploit Status
Requires authenticated Panorama administrator access; exploitation involves crafting malicious configurations and social engineering or waiting for legitimate administrator interaction.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: PAN-OS 10.2.11, PAN-OS 11.0.6, PAN-OS 11.1.3
Vendor Advisory: https://security.paloaltonetworks.com/CVE-2024-5920
Restart Required: Yes
Instructions:
1. Download the appropriate PAN-OS version from the Palo Alto Networks support portal.
2. Upload the software to your firewall/Panorama.
3. Install the software update.
4. Reboot the device to complete installation.
5. Verify the new version is active.
🔧 Temporary Workarounds
Restrict Panorama Administrator Access
Limit read-write Panorama administrator accounts to trusted personnel only and implement strict access controls.
Implement Content Security Policy
Configure web application firewalls or browser security policies to restrict JavaScript execution in PAN-OS administrative interfaces.
🧯 If You Can't Patch
- Implement strict least-privilege access controls for Panorama administrators and monitor their activities closely.
- Use network segmentation to isolate Panorama management interfaces from general user networks and implement additional authentication layers.
🔍 How to Verify
Check if Vulnerable:
Check the PAN-OS version in the web interface (Device > Setup > Operations) or in the CLI with 'show system info', and compare it against the affected versions.
Check Version:
show system info | match version
Verify Fix Applied:
After patching, verify that the PAN-OS version is 10.2.11, 11.0.6 or 11.1.3 or later on the same release train, using the 'show system info' command or the web interface.
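The version comparison in the two checks above is easy to get wrong by hand when hotfix suffixes (e.g. 10.2.10-h2) are in play, so here is a small checker, added here as an example and not part of the advisory or of any Palo Alto Networks tooling. It parses the sw-version line from 'show system info' output and compares it against the fixed versions the advisory lists, per release train. The sample CLI output is constructed; release trains the page does not list (such as 10.1) are reported as "not assessed" rather than guessed.

```python
import re

# Fixed versions exactly as stated in the advisory, keyed by release train (major, minor).
FIXED_VERSIONS = {
    (10, 2): (10, 2, 11),
    (11, 0): (11, 0, 6),
    (11, 1): (11, 1, 3),
}

# Constructed sample of 'show system info' output; only the sw-version line matters here.
SAMPLE_CLI_OUTPUT = """\
hostname: pa-lab-fw01
model: PA-EXAMPLE
sw-version: 11.0.5
app-version: 0000-0000
"""

def parse_version(text):
    """Parse 'major.minor.patch' with an optional '-hN' hotfix suffix into a 4-tuple."""
    m = re.fullmatch(r"(\d+)\.(\d+)\.(\d+)(?:-h(\d+))?", text.strip())
    if not m:
        raise ValueError(f"unrecognised PAN-OS version string: {text!r}")
    major, minor, patch, hotfix = m.groups()
    return (int(major), int(minor), int(patch), int(hotfix or 0))

def extract_sw_version(cli_output):
    """Return the value of the 'sw-version:' line from 'show system info' output."""
    for line in cli_output.splitlines():
        key, sep, value = line.partition(":")
        if sep and key.strip() == "sw-version":
            return value.strip()
    raise ValueError("no sw-version line found in CLI output")

def is_fixed(version_text):
    """True if the version is at or after the fixed release for its train,
    False if it is earlier (vulnerable), None if the train is not covered
    by the advisory's fixed-version list."""
    v = parse_version(version_text)
    fixed = FIXED_VERSIONS.get(v[:2])
    if fixed is None:
        return None
    # A hotfix on top of an older base release (e.g. 10.2.10-h2) is still pre-fix;
    # any hotfix on top of the fixed base release (10.2.11-hN) is fine.
    return v >= fixed + (0,)

def assess(cli_output):
    """Human-readable verdict for one device's 'show system info' output."""
    version = extract_sw_version(cli_output)
    status = is_fixed(version)
    if status is None:
        return f"{version}: release train not assessed by this advisory"
    return f"{version}: {'fixed' if status else 'VULNERABLE, upgrade required'}"

if __name__ == "__main__":
    print(assess(SAMPLE_CLI_OUTPUT))
```

Run it against the saved output of 'show system info' from each managed firewall and Panorama; anything reported as VULNERABLE needs the upgrade described under Official Fix.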
📡 Detection & Monitoring
Log Indicators:
- Unusual configuration pushes from Panorama administrators
- Multiple failed authentication attempts followed by successful Panorama login
- JavaScript execution errors in PAN-OS administrative logs
Network Indicators:
- Unusual traffic patterns from Panorama to PAN-OS nodes outside maintenance windows
- Suspicious HTTP requests containing script tags or encoded payloads to administrative interfaces
SIEM Query:
source="pan_logs" AND ((event_type="config_push" AND user="*admin*") OR (http_uri="*script*" AND dest_ip="PAN-OS_management_IP"))