QID 730391

Date Published: 2022-03-14

QID 730391: Palo Alto Networks (PAN-OS) Use of a Weak Cryptographic Algorithm for Stored Password Hashes Vulnerability (PAN-127479)

PAN-OS is the software that runs all Palo Alto Networks next-generation firewalls.

PAN-OS uses a weak cryptographic algorithm to store password hashes: the hashes of administrator and local user accounts are not created with a sufficient level of computational effort, which allows offline password-cracking attacks against those accounts on appliances running in normal (non-FIPS-CC) operational mode.

Affected Versions:
PAN-OS 10.0 versions earlier than PAN-OS 10.0.7
PAN-OS 9.1 versions earlier than PAN-OS 9.1.11
PAN-OS 9.0 all versions
PAN-OS 8.1 versions earlier than PAN-OS 8.1.21


QID Detection Logic (Authenticated):

This QID compares the installed PAN-OS version reported by the appliance against the affected ranges listed above.

NOTE: This issue applies only to PAN-OS firewalls and Panorama appliances running in normal (non-FIPS-CC) operational mode. PAN-OS software is not affected by this issue when running in FIPS-CC mode, whatever its version.
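The version comparison behind that detection, as an added example written for this page rather than Qualys or Palo Alto Networks code. It assumes PAN-OS version strings of the form "10.0.6" or "9.1.10-h3" (maintenance release with an optional "-hN" hotfix suffix), takes the FIPS-CC operational mode as a caller-supplied flag, and treats trains not listed on the advisory (for example 10.1) as not affected; the sample inventory at the bottom is constructed.

```python
"""Added example (not Qualys or Palo Alto Networks code): evaluate a PAN-OS
version string against the affected ranges published for PAN-127479.

Assumptions: version strings look like "10.0.6" or "9.1.10-h3"; the FIPS-CC
flag reflects the appliance's operational mode, which this code does not query.
"""

import re
from typing import Dict, List, Optional, Tuple

# (major, minor) train -> first fixed maintenance release in that train, or
# None when every release of the train is affected (PAN-OS 9.0).
AFFECTED_TRAINS: Dict[Tuple[int, int], Optional[int]] = {
    (10, 0): 7,    # 10.0.x earlier than 10.0.7
    (9, 1): 11,    # 9.1.x earlier than 9.1.11
    (9, 0): None,  # 9.0, all versions
    (8, 1): 21,    # 8.1.x earlier than 8.1.21
}

_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:-h(\d+))?$")


def parse_version(version: str) -> Tuple[int, int, int, int]:
    """Split "major.minor.maint[-hN]" into integers; hotfix defaults to 0."""
    match = _VERSION_RE.match(version.strip())
    if not match:
        raise ValueError(f"unrecognised PAN-OS version string: {version!r}")
    major, minor, maint, hotfix = match.groups()
    return int(major), int(minor), int(maint), int(hotfix or 0)


def is_vulnerable(version: str, fips_cc_mode: bool = False) -> bool:
    """True when the version falls in an affected range and the appliance runs
    in normal mode. FIPS-CC mode is not affected regardless of version.
    Trains not listed on the advisory (for example 10.1) return False."""
    if fips_cc_mode:
        return False
    major, minor, maint, _hotfix = parse_version(version)
    train = (major, minor)
    if train not in AFFECTED_TRAINS:
        return False
    first_fixed = AFFECTED_TRAINS[train]
    if first_fixed is None:
        return True
    # A hotfix of a fixed release (e.g. 10.0.7-h1) is still fixed, so only
    # the maintenance number decides.
    return maint < first_fixed


def flag_inventory(inventory: List[Tuple[str, str, bool]]) -> List[str]:
    """Return the hostnames from (hostname, version, fips_cc_mode) tuples
    that should be reported for this QID."""
    return [host for host, version, fips in inventory
            if is_vulnerable(version, fips)]


if __name__ == "__main__":
    # Constructed sample inventory, not real hosts.
    sample = [
        ("fw-edge-01", "10.0.6", False),
        ("fw-edge-02", "10.0.7-h1", False),
        ("fw-dc-01", "9.1.10-h3", False),
        ("fw-dc-02", "9.1.10-h3", True),   # FIPS-CC mode: not affected
        ("fw-legacy", "9.0.16", False),
        ("pano-01", "8.1.20", False),
    ]
    for host in flag_inventory(sample):
        print(f"{host}: affected by PAN-127479")
```

The hotfix suffix is deliberately ignored when deciding: 9.1.10-h3 is still earlier than 9.1.11, while 10.0.7-h1 is a hotfix of an already fixed release.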


  • CVSS v3 base score: 4.4 (Medium)
  • CVSS v2 base score: 4.6 (Medium)
  • Solution

    Upgrade to a fixed release: PAN-OS 10.0.7, PAN-OS 9.1.11, PAN-OS 8.1.21, or a later release in those trains. No fixed release is listed for PAN-OS 9.0, so appliances on that train need to move to a fixed release of a later train. Refer to PAN-127479 for more information about patching this vulnerability.



    Workaround:
    Secure any exported firewall configuration files and restrict firewall management access to trusted users, since the attack needs a copy of the stored password hashes. Use long, complex passwords for all administrator and local user accounts: the weak hash lowers the cost of each guess, but a password outside any practical dictionary or keyspace still cannot be recovered, which mitigates the impact of this issue. Switching PAN-OS software from normal mode to FIPS-CC mode ensures that appliances use secure cryptography to store hashed credentials for all local user accounts. Note that enabling FIPS-CC mode resets the appliance to factory default settings and removes the existing configuration, so plan for a rebuild, and treat any configuration exported before the switch as sensitive because it still carries the weakly hashed credentials. Documentation to enable FIPS-CC mode is available here: https://docs.paloaltonetworks.com/pan-os/10-2/pan-os-admin/certifications/enable-fips-and-common-criteria-support.html
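    Why both the work factor and the password strength matter, as an added illustration that is not vendor code. The page does not name the algorithm PAN-OS uses in normal mode, so the two schemes below are stand-ins: a single unsalted SHA-256 for "insufficient computational effort" and salted PBKDF2-HMAC-SHA256 with an assumed 100,000 iterations for a deliberately slow hash. The wordlist and passwords are constructed; the measured guess rates are whatever the machine running it produces.

```python
"""Added example (not vendor code): how the work factor of a stored password
hash changes the cost of an offline dictionary attack, such as one run against
hashes lifted from an exported firewall configuration.

Assumptions: the two hash schemes are illustrative stand-ins, not what PAN-OS
uses; PBKDF2_ITERATIONS is an assumed cost parameter; WORDLIST is constructed.
"""

import hashlib
import hmac
import os
import time
from typing import Dict, Iterable, Optional

PBKDF2_ITERATIONS = 100_000  # assumed cost parameter for the slow scheme

# Constructed wordlist standing in for a cracker's dictionary.
WORDLIST = ["password", "admin", "paloalto", "Welcome1", "firewall", "summer2022"]


def fast_hash(password: str) -> str:
    """Weak scheme: one unsalted SHA-256 per guess, so guessing is cheap."""
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


def slow_hash(password: str, salt: Optional[bytes] = None,
              iterations: int = PBKDF2_ITERATIONS) -> str:
    """Slow scheme: salted PBKDF2-HMAC-SHA256, stored as a tagged string so the
    verifier can recover salt and iteration count."""
    salt = os.urandom(16) if salt is None else salt
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${dk.hex()}"


def verify(stored: str, candidate: str) -> bool:
    """Check a candidate against either stored format with a constant-time compare."""
    if stored.startswith("pbkdf2_sha256$"):
        _tag, iters, salt_hex, dk_hex = stored.split("$")
        dk = hashlib.pbkdf2_hmac("sha256", candidate.encode("utf-8"),
                                 bytes.fromhex(salt_hex), int(iters))
        return hmac.compare_digest(dk.hex(), dk_hex)
    return hmac.compare_digest(fast_hash(candidate), stored)


def dictionary_attack(stored: str, wordlist: Iterable[str]) -> Optional[str]:
    """Offline attack: return the first wordlist entry that verifies, or None."""
    for guess in wordlist:
        if verify(stored, guess):
            return guess
    return None


def guesses_per_second(stored: str, probes: int) -> float:
    """Measure attacker throughput against one stored hash using wrong guesses."""
    start = time.perf_counter()
    for i in range(probes):
        verify(stored, f"not-the-password-{i}")
    elapsed = max(time.perf_counter() - start, 1e-9)
    return probes / elapsed


def projected_seconds(keyspace: int, rate: float) -> float:
    """Worst-case time to exhaust a keyspace at the measured guess rate."""
    return keyspace / rate


def compare_schemes(password: str) -> Dict[str, float]:
    """Measured guess rates for the same password under both schemes."""
    return {
        "fast": guesses_per_second(fast_hash(password), probes=20_000),
        "slow": guesses_per_second(slow_hash(password), probes=5),
    }


if __name__ == "__main__":
    weak_pw, strong_pw = "Welcome1", "x7#Qp9!rL2@wVb5zT"
    print("weak password, fast hash  :", dictionary_attack(fast_hash(weak_pw), WORDLIST))
    print("weak password, slow hash  :", dictionary_attack(slow_hash(weak_pw), WORDLIST))
    print("strong password, fast hash:", dictionary_attack(fast_hash(strong_pw), WORDLIST))
    keyspace = 62 ** 8  # every 8-character alphanumeric password, for scale
    for name, rate in compare_schemes(weak_pw).items():
        days = projected_seconds(keyspace, rate) / 86_400
        print(f"{name}: {rate:,.0f} guesses/s -> {days:,.1f} days to exhaust 62^8")
```

    The two workaround points fall out of the run: the weak password is recovered under both schemes because it is in the dictionary (the slow hash only makes each guess cost more), while the strong password survives even the cheap hash because no dictionary reaches it. Only the slow scheme pushes an exhaustive search over a modest keyspace from hours into years on the same hardware.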

    Vendor References

    CVEs related to QID 730391:
    CVE-2022-0022

    Software Advisories:
    Advisory ID: PAN-127479
    Link: https://security.paloaltonetworks.com/CVE-2022-0022