Lucene search

Palo Alto Networks Product Security Incident Response TeamPA-CVE-2024-0008

HistoryFeb 14, 2024 - 5:00 p.m.

PAN-OS: Insufficient Session Expiration Vulnerability in the Web Interface

2024-02-1417:00:00

Palo Alto Networks Product Security Incident Response Team

securityadvisories.paloaltonetworks.com

pan-os

session expiration

web interface

vulnerability

unauthorized access

endpoint security

inactivity-based locks

6.6 Medium

CVSS3

Attack Vector

PHYSICAL

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

REQUIRED

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:P/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

7 High

AI Score

Confidence

Low

0.0004 Low

EPSS

Percentile

9.0%

JSON

Web sessions in the management interface in Palo Alto Networks PAN-OS software do not expire in certain situations, making it susceptible to unauthorized access.

Work around:
Ensure that inactivity-based screen locks are enforced on endpoints with access to the PAN-OS web interface.

CPENameOperatorVersion
pan-oslt9.0.17-h2
pan-oslt9.1.17
pan-oslt10.0.12-h1
pan-oslt10.0.13
pan-oslt10.1.10-h1
pan-oslt10.1.11
pan-oslt10.2.5
pan-oslt11.0.2

Name	Operator	Version
pan-os	lt	9.0.17-h2
pan-os	lt	9.1.17
pan-os	lt	10.0.12-h1
pan-os	lt	10.0.13
pan-os	lt	10.1.10-h1
pan-os	lt	10.1.11
pan-os	lt	10.2.5
pan-os	lt	11.0.2

References

security.paloaltonetworks.com/CVE-2024-0008

6.6 Medium

CVSS3

Attack Vector

PHYSICAL

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

REQUIRED

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:P/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

7 High

AI Score

Confidence

Low

0.0004 Low

EPSS

Percentile

9.0%

JSON

Related for PA-CVE-2024-0008