This issue has been addressed by Palo Alto Networks. The affected version have been updated. Palo Alto Networks recommends administrators update the affected version to the latest one as soon as possible. An updated version of PAN-OS software can be downloaded from PAN-OS downloads page. Affected versions: PAN-OS 8.1 versions earlier than PAN-OS 8.1.23

PAN-OS 9.0 versions earlier than PAN-OS 9.0.16

PAN-OS 9.1 versions earlier than PAN-OS 9.1.13

PAN-OS 10.0 versions earlier than PAN-OS 10.0.10

PAN-OS 10.1 versions earlier than PAN-OS 10.1.5

Overview

Palo Alto Networks is aware of a vulnerability in PAN-OS software versions 8.1 (8.1.23), 9.0 (9.0.16), 9.1 (9.1.13), 10 (10.0.10), 10.1 (10.1.5) that allows an attacker to remotely access the device's operating system and execute arbitrary code on it if provided with authorization credentials for a certain service account which is running on the device and has not been revoked or disabled by the administrator of the device before the vulnerability was discovered and reported to Palo Alto Networks through our bug bounty program or other means of reporting security vulnerabilities in PAN-OS software versions 8, 9, 10, and 10.1 earlier than these versions were released, or had been disclosed to us prior to Palo Alto Networks releasing them publicly, as long as the victim has not updated to a later version of PAN-OS software than these versions were released prior to being notified about this vulnerability by Palo Alto Networks or had already updated to a later version of PAN-OS software when first notified by Palo Alto Networks about this vulnerability, which could have reduced its severity and exposure potential before it was reported to us via our bug bounty program or other means of reporting security vulnerabilities in PAN-OS software versions 8, 9, 10, and 10

References ^

PAN-OS 8.1 versions earlier than PAN-OS 8.1.23
PAN-OS 10.0 versions earlier than PAN-OS 10.0.10
PAN-OS 9.0 versions earlier than PAN-OS 9.0.16
PAN-OS 9.1 versions earlier than PAN-OS 9.1.13
PAN-OS 10.1 versions earlier than PAN-OS 10.1.5

Potential Impact of CVE-2022-0024


The potentially affected versions of PAN-OS software mentioned above were released on October 12th, 2016. Palo Alto Networks has published a Security Advisory describing this potential impact to all administrators and users of these affected versions of PAN-OS software.

Timeline

Published on: 05/11/2022 17:15:00 UTC
Last modified on: 05/20/2022 13:25:00 UTC

References